I just found a creepy case of injection in my index.php file. I noticed this morning that my homepage was throwing a “headers already sent” message pointing to index.php, line 10, when it wasn’t cached by Supercache. A reload of the page cleaned it up. But my RSS feed (which currently goes through Feedburner) was also trashed, and /feed wasn’t redirecting. All with the same error. Disabling Supercache fixed the homepage warning, but not the feed.
Being PHP awesome, I checked index.php for trailing whitespace, and found this snippet of code above the standard WordPress code:
That’s a problem. That forum file is, as you might expect, a crap ton of links and some JavaScript.
A few things to note:
- My SSH/bash history is complete and untouched. That is, I can see back for weeks, and all the commands are mine. So it doesn’t seem to be that sort of break-in.
- I just upgraded to WP 2.9.2 yesterday through the admin console. Likely culprit? Probably.
Can’t say for sure what it was, since I didn’t do more than a cursory check after I upgraded. The homepage would have been cached, so I wouldn’t have seen the warning there.
I suppose I should report this.