• Resolved ilione

    (@ilione)


    I think I’ve accidentally closed my earlier post on this topic, so I’m really sorry for the repeat.

    I upgraded my installations of wordpress about 5 days after 2.2 came out and now it seems one of them has been hacked.

    You can view the disaster at digicoremusic.co.uk

    I’ve found that they’ve messed with the theme but I’m leaving it for you guys to have a look.

    The real problem is that I can’t even login to the admin, it says ‘invalid username’ so they really have messed with it.

    Wanted to let you know — and also any help fixing would be wonderful! I’ve contacted my host so I’ll keep you updated.

Viewing 15 replies - 1 through 15 (of 30 total)
  • Thread Starter ilione

    (@ilione)

    Update:

    Not heard from the host yet but I managed to install an older sql database and get back into it. Going to change the password there and on my host now!

    Will leave the main page as it is just so you can see it and let you know what my host has to say when they get in touch.

    It’s really not a good idea to leave the page up — for a couple of reasons:

    1. most importantly, you are just providing free advertising for the hackers.

    2. While I checked and there are NO hidden iframes or malicious javascript calls on that page — what IF there were? I’m guessing you didn’t look for those. 😛

    You’ve contacted your host. Good.
    You’re working on getting your site back. Good.
    Changing your passwords. Good.

    Work on applying safe, sound permissions to both your files and your directories >

    http://www.tamba2.org.uk/wordpress/chmod/

    Update your xml-rpc.php file >

    http://wordpress.org/support/topic/120857?replies=12

    and kill that page, please.

    Thread Starter ilione

    (@ilione)

    Hey! Thanks for the reply,

    Yeah, I did notice that the page was free of evils or I wouldn’t have left it up =) I just wanted people to be able to see what it looked like as there have been no confirmed reports of 2.2 hacks on here yet that I can see? I did have a good snoop before I posted.

    I also wanted my host to see it… they still haven’t got back to me yet =/ I’ve started working on making it look normal again now anyway, too impatient!

    My permissions are cool but thanks for the heads up on the xml-rpc! Just updated it on all my installations =)

    Update your xml-rpc.php file >

    Is there a reason this information wasn’t announced? Kind of a fluke I saw it here (ambulance chaser that I am, I’m drawn to “Hacked” topics).

    You see my response to it not being so, don’t you 😛

    Thread Starter ilione

    (@ilione)

    Ok here’s something possibly weird.

    When I changed back to an old mysql database in cpanel, I noticed that there was an IP under access hosts on the account maintenance screen.

    When I looked up the IP it was a blueyonder user (an ISP over here in the UK)

    Does this mean that someone has been accessing my mysql with a remote host type thing? and if so, wouldn’t they have needed my domain passwords to set it up/use it?

    If that’s the case then they must have hacked my domain/hosting account and got in that way, as opposed to it being through wordpress.

    I’m super confused now! and still no word from my host…

    It won’t even let me delete the remote access IP from my account grrr

    Thread Starter ilione

    (@ilione)

    An update…

    Well, two of my wordpress 2.2 sites have now been hacked four times.

    My permissions are all 644 or 755, I updated the xmlrpc, I checked my plugins (only use 3), changed every password I could think of — and checked for any odd files/scripts. I still keep being hacked :o/

    In the access logs you can actually see these guys logging into my wordpress, I have no idea how they’re deleting the admin user in the database and adding themselves first though — but it’s happening every time.

    I’m just lost, one of these sites is my business and it’s so useless at the moment

    Does anyone have any suggestions?

    Thanks

    I would be curious to see your access logs — especially the bits before they login. If you’re feeling generous, send them along to me @ whoo @ REMOVE THIS village-idiot.org

    you did check to make sure that the users table in your database contained only users you knew right?

    >changed every password

    How are you making your passwords?

    If your password consists of English alphabetical letters and numbers and is short enough, I’m sure cyber idiots could break it. WP allows the use of Greek characters for an admin password. And some web hosting companies also allow their clients to use Greek letters and special characters for control panel access while others don’t.

    If you have a password of 12 letters consisting of Greek letters, special characters, lower case and upper case letters, the number of combinations can be as large as 784,716,723,734,800,000,000,000.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    Does anyone have any suggestions?

    Yes. Send these access logs to security@wordpress.org along with any other information you can find that will help them to understand what’s going on. If it’s a WordPress issue, then they need to know it.

    Also, if they have direct access to your database, then they can do whatever they want without going through WordPress at all. Change your database password. You’ll have to edit the wp-config.php file to match as well.

    Thread Starter ilione

    (@ilione)

    whooami, I’ve sent along a log that I downloaded today for you to look at =)

    The database only has one user and that’s me, until they delete me and replace me with themselves! I’m sure there must be something I’m missing here.

    macsoft3, I’ve just been making passwords with standard letters and numbers but they’ve been very long. I might try Greek next time though.

    Thread Starter ilione

    (@ilione)

    Otto42, I made a new database user and password and deleted the old the second time it happened. I’ll look into gathering stuff for the security, I just don’t have many logs because I only started downloading logs the other day and I hadn’t been saving logs on the server =(

    Sweet, thanks! I think it just came — off to take a peek

    Did you notice that 2 of the referers in those logs point back to forums obviously run by script kiddie hackers? I don’t speak or read Arabic or wtf language this is, but a translation would be fascinating if anyone recognizes it:

    Peace be upon you, and God’s mercy and blessings.
    How are you, guys? God willing, you are all well.

    Anyway, I’ve trampled a site for you, just the way you like it.

    And, God willing, more to come.

    This is the site:

    I registered on one of the forums and your link is there.

    Hmm, actually, let’s see:

    Google’s Arabic-to-English translator spits out:

    May peace and God’s mercy and blessings Chkhbarkm Erba, God is good, I Dost site on how you Kipkem God coming over this is a site

    The other forum post reads:

    http://thedogwalker.eu/wp-content/ has been hacked, praise be to God.

    Which translated means:

    Been penetrating http://thedogwalker.eu/wp-content/ thankfully
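As an added example (not code from this thread or from WordPress), here is the kind of first pass a site owner can run over an Apache-style access log like the one being discussed: it pulls out the POSTs to wp-login.php and xmlrpc.php, where the logins seen in the thread would show up, and lists referer hosts other than the site itself, which is how links from an outside forum would surface. The log lines and the host badforum.example are constructed; the site host used is the thread’s own domain.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format; not taken from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [20/May/2007:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "http://badforum.example/showthread.php?t=1" "Mozilla/5.0"
203.0.113.5 - - [20/May/2007:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://digicoremusic.co.uk/wp-login.php" "Mozilla/5.0"
203.0.113.5 - - [20/May/2007:10:01:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "http://digicoremusic.co.uk/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [20/May/2007:10:05:00 +0000] "GET /2007/05/hello-world/ HTTP/1.1" 200 4321 "http://www.google.com/search?q=digicore" "Mozilla/5.0"
192.0.2.9 - - [20/May/2007:10:07:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Python-urllib/2.5"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Paths a hijacker has to touch to log in, or to post without the admin UI.
SENSITIVE = ("/wp-login.php", "/xmlrpc.php", "/wp-admin/")

def parse_log(text):
    """Combined-format lines -> list of dicts; lines that do not match are skipped."""
    entries = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        e = m.groupdict()
        e["status"] = int(e["status"])
        entries.append(e)
    return entries

def is_sensitive(path):
    return any(path.startswith(p) for p in SENSITIVE)

def login_activity(entries):
    """POSTs to the login and XML-RPC endpoints: a 302 after POST /wp-login.php is
    what a successful login looks like, so these are the lines to read first."""
    return [(e["ip"], e["path"], e["status"])
            for e in entries if e["method"] == "POST" and is_sensitive(e["path"])]

def offsite_referers(entries, site_host):
    """Referer hosts on sensitive paths other than the site itself: a foreign forum
    here means the login link was posted somewhere else."""
    hosts = Counter()
    for e in entries:
        if not is_sensitive(e["path"]) or e["referer"] == "-":
            continue
        host = urlsplit(e["referer"]).hostname or ""
        if host and host != site_host:
            hosts[host] += 1
    return hosts
```

Point parse_log at the real log text and compare the IPs in login_activity with the times the admin user disappeared; the referer list is where a link from an outside forum would appear.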

  • The topic ‘2.2 Hacked’ is closed to new replies.