Question

I'm trying to fix a site which has been injected with external spam. After inspection I found out that the external content (so far just HTML advertising different kinds of drugs, no scripts) was in the static pages created by W3 Total Cache.

How can I find out what part is responsible for this? The obvious answer would be the W3 Total Cache plugin itself, but the pgcache is actually writeable by any part of WordPress so it might be any other plugin or even the WP core.

I have searched the web for this problem but found nothing directly relevant.

Of course WordPress is updated to the latest version available (3.0.2), as is every installed plugin. It does not depend on the theme, as it happened with two different ones.

Solution

It is probably injected in your files. Look at the plugin files, search for eval or base64.

Other tips

I doubt the W3 cache is targeted. More likely the spam is not injected into the page for admin users, so you don't see anything in the non-cached version, but the regular page does contain spam and so it gets cached.

As usual there is plenty of info around on cleaning up hacked sites, starting with "FAQ My site was hacked" in the Codex. But really it's very case by case.

A clean reinstall and restore from a known good backup is the best bet; if that is not possible you are up for a lot of manual work (or hiring someone who specializes in such issues).

I found a script to find base64 in files. Until I found this, I was going in circles. Once you clean up your files, be sure to set permissions to read-only for all of them.
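
As an added example (not part of the original answers and not the script mentioned above), a small Python scanner for the checks the answers suggest: it flags `eval(`, `base64_decode(` and long base64-looking strings in PHP files, and lists PHP files that are still world-writable. The pattern list, the function names and the sample tree built in `demo()` are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Heuristics only: legitimate plugins use these calls too, so review every hit by hand.
PATTERNS = {
    "eval": re.compile(rb"\beval\s*\("),
    "base64_decode": re.compile(rb"\bbase64_decode\s*\("),
    "long_base64_blob": re.compile(rb"[A-Za-z0-9+/=]{200,}"),
}
PHP_EXT = (".php", ".inc", ".phtml")


def scan_tree(root):
    """Return ([(path, line_no, pattern_name)], [world-writable PHP files])."""
    hits, writable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & stat.S_IWOTH:
                writable.append(path)
            with open(path, "rb") as fh:
                for line_no, line in enumerate(fh, 1):
                    for label, rx in PATTERNS.items():
                        if rx.search(line):
                            hits.append((path, line_no, label))
    return hits, writable


def demo():
    """Scan a constructed two-file tree (sample data, not real malware)."""
    root = tempfile.mkdtemp()
    bad = os.path.join(root, "helper.php")
    with open(os.path.join(root, "clean.php"), "w") as fh:
        fh.write("<?php\necho 'hello';\n")
    with open(bad, "w") as fh:
        fh.write("<?php\n$x = 1;\neval(base64_decode('" + "QUJD" * 60 + "'));\n")
    os.chmod(bad, 0o666)  # simulate a file left world-writable
    return scan_tree(root), bad


if __name__ == "__main__":
    (hits, writable), _ = demo()
    for hit in hits:
        print("suspicious: %s:%d %s" % hit)
    print("world-writable:", writable)
```

To use it on a real install, call `scan_tree()` with the path to `wp-content` (or the whole WordPress root) and compare flagged files against fresh copies of the same plugin versions.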

Licensed under: CC-BY-SA with attribution
Not affiliated with wordpress.stackexchange