We ran a Wordfence scan today (one of the plugins had been preventing them from running before today) and it showed the following message:
/var/www/html/wp-content/backup-ba63c/wordpress_wp_20140729_615.sql This file appears to be malicious. This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: <strong style="color: #F00;">"$QBDB51E25BF9A7F3D2475072803D1C36D"
It also had a similar message for 2014-07-30 and 2014-07-31, at similar but different times. I've looked through the files, but it looks like everything's the same between that machine and a "clean" machine, where I basically rsynced everything from this install. So all the files on my clean machine are the same as the files on this machine, from last Wednesday.
We were supposed to launch tomorrow but we're holding off until we find out more about this "malicious file." The string matches a few hits on google, where the header or other php files were infected, but doing a quick search of the entire installation shows no unusual cases of "eval()" or "base64". Also, WordFence is not showing any changed files that I haven't change myself. Lastly, both sites are internal, and there are only a handful of people who know about this project.
I tried echoing this variable, but it did not have a value, in both PHP and in shell.
Does anyone understand what happened? What is the value of "$QBDB51E25BF9A7F3D2475072803D1C36D" supposed to represent? Was our install broken into?