I fire up an HTTP debugging proxy so I can inspect the raw traffic, and reload the page 
-
-
A plethora of illicit requests lead me to a page, hidden in an iframe, which embeds further iframes, which ultimately lead to a page which shows pictures of young ladies in compromising (and rather uncomfortable) positions with their gentlemen friends, and also attempts to download large amounts of malware
(Good thing I use a Mac
)
Comment
-
But although I am safe, others less fortunate (i.e. Windows users) who visit my site - my site - are at risk from this garbage
Looks like I'm not going straight back to bed
Comment
-
First things first.
I fire up my FTP client and download a complete copy of the server contents.
I add this to a new project in Eclipse, and search for the topmost dodgy domain name that load all of the others.
Not found
Comment
-
Time to examine the database.
I download a backup of the database, then use the admin tool to examine the relevant post.
BINGO! The <p><iframe src="..." width=1 height=1></p> is at the bottom of the actual post text in the database...Comment
-
... to which only I should have access! 
Comment
-
But... how has my security been compromised?
Comment
-
The database tells me when the post was last modified: 10 November... two weeks ago come Saturday.
I download the web server logs...Comment
-
There, at around the right time (allowing a second or two here and there for Apache and mySQL having slightly different ideas about the exact time) is what I'm looking for: an HTTP POST to /wp-admin/post.php?action=edit
Comment
-
Further examination shows that the evil one who has done this has, apparently, browsed to my site's admin login page, logged in first time, edited the post, and saved the changes
All this using Opera 9 with a default language setting of "ru"... this is the HTTP equivalent of having snow on your boots
Comment
Comment