2 sam2kb Jan 21, 2010 06:18

I don't see any other recently modified files except one .htaccess from a week earlier which added some sort of file type. I renamed that file.
I noticed that the offending .gif file reappeared overnight after I had deleted it, so this time I just deleted the contents and left it as a blank file.
I need to figure out where the code is that's calling the bogus file...
I hope you changed FTP and hosting passwords already.
If you don't want to upgrade you should at least upload clean files of the same b2evo version you are using.
If b2evo is not the only script on your server, consider checking the other scripts for injections too.
Hey Sam,
Haven't changed passwords yet, but I guess I should.
I have a vague recollection that I was hacked some time back but not in my RSS feed.
I have the newest version right now (of b2evo) I believe, but I could reload the stuff and change passwords.
Is there some way someone could have modified that file through some sort of script without having cracked my password?
Is there some way someone could have modified that file through some sort of script without having cracked my password?
A hacker definitely was able to edit your files through FTP or SSH or maybe from your hosting control panel. Once a bad script is added to your file/files it could be executed remotely.
Which means it would be possible to hack your files again even after you change all passwords.
That's why it's important to find and kill the malicious script, and not only the files it created.
I hear you, Sam, and I can't find a newly modified file anywhere.
Search for odd files in the media folder. Also check
- config files in /conf/
- stub files like index.php or blog1.php etc.
- .htaccess
If GIF files get executed as PHP files there should be something like this in your .htaccess
Delete it
It's probably the best time to upgrade b2evo since you'll upload clean files ;)
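
Added example, not part of the original thread and not b2evolution code: a read-only check for the two things discussed above, an .htaccess rule that hands image files to PHP and image files that contain PHP code. The exact directive from the post above is not shown on this page, so the script assumes the mapping uses one of the standard Apache directives AddType, AddHandler, ForceType or SetHandler; the function names are hypothetical.

```python
import os
import re
import sys

# Assumption: the mapping is done with one of these standard Apache directives.
DIRECTIVE = re.compile(r"(AddType|AddHandler|ForceType|SetHandler)\b.*php", re.I)
IMAGE_REF = re.compile(r"\b(gif|jpe?g|png|ico)\b", re.I)
FILES_OPEN = re.compile(r"<Files(Match)?\b", re.I)
IMAGE_NAME = re.compile(r"\.(gif|jpe?g|png|ico)$", re.I)


def check_htaccess(path):
    """Flag PHP handler directives that apply to image extensions."""
    hits, in_image_block = [], False
    with open(path, errors="replace") as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.strip()
            if line.startswith("#"):
                continue
            if FILES_OPEN.match(line):
                # Remember whether this <Files>/<FilesMatch> block targets images.
                in_image_block = bool(IMAGE_REF.search(line))
            elif line.lower().startswith("</files"):
                in_image_block = False
            elif DIRECTIVE.match(line) and (in_image_block or IMAGE_REF.search(line)):
                hits.append((path, f"line {no}: {line}"))
    return hits


def scan(root):
    """Walk root; return (path, reason) for suspect .htaccess lines and images."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                if name == ".htaccess":
                    findings += check_htaccess(path)
                elif IMAGE_NAME.search(name):
                    with open(path, "rb") as fh:
                        # Only the first 1 MiB is inspected.
                        if b"<?php" in fh.read(1 << 20).lower():
                            findings.append((path, "image file contains a PHP open tag"))
            except OSError as exc:
                findings.append((path, f"unreadable: {exc}"))
    return findings


if __name__ == "__main__":
    for path, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {reason}")
```

Run it against the web root; it only reads files, so anything it reports still has to be reviewed and cleaned by hand.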