I suspect, and I really can’t prove this, the attack started after I removed a dodgy site theme template I had installed in WordPress. This theme was inserting spam links at the bottom of each of my pages and hiding them from plain sight with CSS rules. I only noticed this when I turned CSS off one day in February. I replaced the theme template with another more legitimate one and bumped the links out. Problem solved. So I thought.
What also happened–I think–is the theme template installed two new users with administrative privileges on my site. I assume the spambot then just swept by my site, looking for one or the other account and then used it to inject shit in my data.
At least I hope that’s the way it happened. I deleted those two extra users. But the worst case could be that the bad guys used those accounts to recover the MySQL admin password that sits behind WordPress’ magic. If this latter case is true, I’ll have to export all my content to XML, drop the database entirely, start with a fresh database and a new user and password and then reinstall my content again. What a drag.
I hope not, but just to be on the safe side, I’ll rename the MySQL admin account and change the password for it, then tweak things in WordPress so they can still talk to one another.
As it is, I have blasted most of the crap away, but much remains. I’m systematically going through each page to do this and I’m not finished yet. This is good though because I had a bunch of really old posts that have gone through two other blog tools, Greymatter and Movable Type, and got very strangely formatted in the transferal to WordPress. Me going through to edit out spam will clean all that up too.
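The CSS-hidden spam links described at the start of this post can be found without switching CSS off by hand. The script below is an added example, not part of the original post: it flags links inside elements that a page's stylesheet or inline styles conceal. The function names, class names and URLs are constructed for illustration, and only simple `.class` / `#id` selectors are matched.

```python
import re
from html.parser import HTMLParser

# CSS declarations commonly used to keep links in the markup but out of sight.
HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])"
                    r"|(?:text-indent|left|top)\s*:\s*-\d{3,}", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link"}

def hiding_selectors(css):
    """Return the .class / #id selectors whose rule body hides content."""
    found = set()
    for selectors, body in re.findall(r"([^{}]+)\{([^{}]*)\}", css):
        for sel in selectors.split(",") if HIDING.search(body) else ():
            found.update(re.findall(r"[.#][\w-]+", "".join(sel.split()[-1:])))
    return found

class HiddenLinkFinder(HTMLParser):
    def __init__(self, hidden):
        super().__init__()
        self.hidden, self.stack, self.links = hidden, [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        keys = {"." + c for c in (a.get("class") or "").split()} | {"#" + (a.get("id") or "")}
        concealed = bool((self.stack and self.stack[-1][1]) or keys & self.hidden
                         or HIDING.search(a.get("style") or ""))
        if tag == "a" and concealed and a.get("href"):
            self.links.append(a["href"])
        if tag not in VOID:
            self.stack.append((tag, concealed))  # children inherit concealment

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed elements.
        opened = [t for t, _ in self.stack]
        if tag in opened:
            del self.stack[len(opened) - 1 - opened[::-1].index(tag):]

def find_hidden_links(html, theme_css=""):
    """Return hrefs of links that the page's CSS or inline styles conceal."""
    css = theme_css + " ".join(re.findall(r"(?is)<style[^>]*>(.*?)</style>", html))
    finder = HiddenLinkFinder(hiding_selectors(css))
    finder.feed(html)
    return finder.links

# Constructed sample page (hypothetical class names and URLs).
SAMPLE_PAGE = """<style>#content { margin: 0 } .wp-credits, #ftr-x { left: -9999px }</style>
<div id="content"><p>See <a href="https://example.org/ok">this</a>.<br></p></div>
<div class="wp-credits"><a href="http://spam.example/pills">pills</a>
<span><a href="http://spam.example/loans">loans</a></span></div>
<p style="display:none"><a href="http://spam.example/casino">casino</a></p>"""
```

Pass the theme's stylesheet text as `theme_css` when the hiding rules live in an external file rather than in a `<style>` block.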