I never use my uploads directory or WordPress’s built in media management here on Smackdown, instead preferring to upload and manually insert the html for images myself in my posts (I know, I am weird that way), but my friend Donna has when she has guest blogged here in the past. I therefore knew that the uploads directory existed and had a few images in there, but never really had any reason to look at them. It was totally by accident that I clicked on the Media link in the admin section this morning. I am glad that I did, however, since otherwise I never would have known that I had missed a bit of leftover data from one of the times that I had been hacked last year, a reference to a file named rzf.php.
I use an early warning hacking detection system that Donna came up with last year with and I helped refine, MonitorHackdFiles, that alerts me whenever there are any files modified or added on my blog. This script has been indispensable in helping me to clean up damage from hacks before either my rankings were harmed or an infection spread to my readers. However, based on the folder structure on the database entry that I found, this was from a hack that happened prior to me installing that script. I checked, and the file definitely does not exist, either physically or virtually (I get a 404 trying to access it on the web), which makes sense since I did completely wipe and reinstall WordPress several times last year. I also always check the wp_posts, wp_users, and wp_options (especially the active_plugins entry) after a hack for any irregularities, but never thought to check wp_postmeta, which is where information about uploads is stored. I have been hacked a few times, and this is apparently the only one that actually used the uploads folder. All of the other hacks hid files amongst the WordPress system files or injected data into the database. Just to be safe though, from now on I am adding to the checks that I perform to the database to include scanning that table for any non image files, like so:
SELECT * FROM wp_postmeta WHERE meta_key='_wp_attached_file' AND ( RIGHT(meta_value,4) NOT IN ('.jpg','.gif','.png','.avi','.mp3','.mpg','.flv') OR meta_value LIKE '%.php%' OR meta_value LIKE '%.pl%' OR meta_value LIKE '%.exe%' OR meta_value LIKE '%.js%' )
This should display the entries in your database that match the contents of your uploads directory, filtering out the most common safe files while definitely including the most suspicious ones.
I couldn’t find anyone discussing the rzf.php file when I looked, but I did find a couple of sites that were hacked from it. It apparently generates a list of links that all point back to itself with various d=xxx parameters:
Each of these pages then generates a list of other self-referential links, plus some added text, and a small percentage of external links. All of the links that I looked at lead back to what appeared to be valid sites, presumably to better hide the actual target. Even though this may be the only function of the file, if the file itself is found in your directory structure, and not just a leftover database remnant like mine was, it is probably best to do a complete cleaning, just to be safe.