Apparently, 100,000 WordPress sites have been compromised by this nasty. It injects redirect code in to WordPress themes.
According to an analysis posted by Tony Perez on his blog, it’s going to be easy to spot if you’re a server administrator as in injects the code:
php function FuncQueueObject()
{
wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');
In to wp-includes/template-loader.php
So,
find / -name template-loader.php -exec grep {} swfobject \;
should do the trick. I’m not a PHP nut, but I don’t think swfobject is common in that file.
Update: 06-Jan-2015
The web site linked to above has an on-line scanner that’s supposed to check for this problem, so I’ve just run it against this blog. It found something here. False positive, methinks! I’ve written to them pointing out that the search may be a little naive given the subject matter of that post! Fair play for providing such a tool free of charge though. It’s a little hard to see how such a scanner could work at all, but not pick up text lifted from a compromised site.