It seems that the problem was a vulnerability in WordPress 2.1.1. If you have had a similar attack, the advice is to do the following:

- Upgrade to the latest stable release (currently 2.3)
- Check your logs for access to theme.php or feed.php with query strings of ix= or iz=
- Report the IP addresses of those …
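One way to run the log check described above, as an added example that is not part of the original post. It assumes access logs in Apache/nginx combined format; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote

# Assumption: combined log format (client IP first, request line in quotes).
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<target>\S+)[^"]*"')
SUSPECT_FILES = {"theme.php", "feed.php"}
SUSPECT_PARAMS = {"ix", "iz"}


def suspicious_hit(line):
    """Return (ip, target) if the line requests theme.php or feed.php
    with an ix= or iz= query parameter, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    filename = unquote(path).rsplit("/", 1)[-1].lower()
    # parse_qs splits on '&' and decodes percent-encoding, so "fix=" does not
    # match "ix" (a plain substring grep would) and "%69x=" still does.
    params = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    if filename in SUSPECT_FILES and params & SUSPECT_PARAMS:
        return m.group("ip"), m.group("target")
    return None


def scan(lines):
    """Count matching requests per client IP, ready for reporting."""
    hits = Counter()
    for line in lines:
        hit = suspicious_hit(line)
        if hit:
            hits[hit[0]] += 1
    return hits


# Constructed sample lines using documentation IP ranges, not from a real log.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2007:10:01:11 +0000] "GET /wp-includes/theme.php?iz=1 HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.7 - - [10/Oct/2007:10:01:15 +0000] "GET /wp-includes/feed.php?a=1&ix=1 HTTP/1.1" 200 98 "-" "-"',
    '198.51.100.4 - - [10/Oct/2007:10:02:00 +0000] "GET /wp-includes/feed.php HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.4 - - [10/Oct/2007:10:02:03 +0000] "GET /wp-includes/theme.php?fix=1 HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.55 - - [10/Oct/2007:10:03:40 +0000] "POST /blog/wp-includes/theme.php?IX= HTTP/1.0" 200 17 "-" "-"',
]

if __name__ == "__main__":
    for ip, count in scan(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count}")
```

To scan a real log, pass an open file object to `scan()`; include rotated logs so requests made before the upgrade are covered.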