Channel: Topic Tag: malware | WordPress.org

nintechnet on "Fake "wordpress-update.com" website used to distribute malware."


This month we saw quite a lot of hacked WP websites having a malicious plugin named "Docs" (/wp-content/plugins/Docs) which was uploaded when hackers gained access to the dashboard:

Plugin Name: Docs
Plugin URI: http://wordpress.com
Description: Welcome, the online manual for WordPress and a living repository for WordPress information and documentation.
Version: 1.1.0
Author: WordPress.com
Author URI: http://wordpress.com
License: GPLv2 or later

Full raw + de-obfuscated code available here.

The plugin connects to "wordpress-update.com" and downloads a lot of data (spamdexing).
The domain was registered last June, and right now it is hosted by Hetzner.de (IP 136.243.243.205). Closing the website will have no effect at all: within one hour or less, it will be back online elsewhere.

As this is a flagrant case of cybersquatting used for hacking purposes, can't Automattic help to get rid of it at the registrar level?
That would definitely solve the problem. Or at least for a while... because we noticed that it had an older sister ready to take over: wordpress-update.org (176.9.31.199), hosted by Hetzner too.
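
A triage check built from the indicators in the post above (an added example, not code from the post or from WordPress): it walks a plugins directory and flags any plugin whose directory is named Docs, whose header claims to be "Docs" by WordPress.com, or whose PHP files mention either domain. The function names and report strings are made up for this sketch; because the post says the plugin code is obfuscated, the domain match may miss, so the directory and header checks carry most of the weight.

```python
import re
import sys
from pathlib import Path

# Indicators taken from the post above.
BAD_DOMAINS = ("wordpress-update.com", "wordpress-update.org")
BAD_HEADER = {"plugin name": "docs", "author": "wordpress.com"}
# "Key: Value" header line, optionally prefixed by comment characters.
HEADER_RE = re.compile(r"^[ \t/*#@]*([A-Za-z ]+?):[ \t]*(.+)$", re.M)


def plugin_headers(php_file):
    """Parse header fields from the first 8 KiB, the region WordPress reads."""
    text = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    return {k.strip().lower(): v.strip() for k, v in HEADER_RE.findall(text)}


def scan_plugins(plugins_dir):
    """Return {plugin_dir_name: [reasons]} for plugins matching the indicators."""
    findings = {}
    for plugin in sorted(Path(plugins_dir).iterdir()):
        if not plugin.is_dir():
            continue
        reasons = set()
        if plugin.name == "Docs":
            reasons.add("directory named Docs")
        for php in plugin.rglob("*.php"):
            headers = plugin_headers(php)
            # A renamed directory still carries the fake header fields.
            if all(headers.get(k, "").lower() == v for k, v in BAD_HEADER.items()):
                reasons.add("header claims Docs by WordPress.com")
            # Plain-text match only; obfuscated code can hide the domain.
            body = php.read_bytes().decode("utf-8", "replace").lower()
            for domain in BAD_DOMAINS:
                if domain in body:
                    reasons.add("references " + domain)
        if reasons:
            findings[plugin.name] = sorted(reasons)
    return findings


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python scan.py /path/to/wp-content/plugins
    for name, why in scan_plugins(sys.argv[1]).items():
        print(name + ": " + "; ".join(why))
```

A hit is a reason to inspect the plugin by hand, not proof of compromise, and a clean result does not rule out a variant with different header text.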

