Can you elaborate on the result? Was it simple page defacement? Can the hosting provider(s) shed any light by way of log files?
It’s always possible that one’s password is guessed, and an attacker gains access. It’s also possible that another application running on their website was leveraged for access, and not WordPress.
They ARE running v2.0 ?
Who are their hosts ?
How many users on the blog ?
When did this happen ?
Got any code / evidence ?
Did they have what would be called ‘strong’ passwords ?
A lot more information is needed.
Last I knew they WERE running 2.0, 1 for sure was using a nightly and I dont think he ever upgraded to 2.0 final. I host them and was not able to find anything in the logs and none of them have SSH access at all either. 1 site was defaced with just a “hacked by JNAZH”, and the other 2 had the same saying they were hacked by Tapoot and JNAZH and some of their posts were defaced. I dont THINK the passwords they used were all that simple and they 1 for sure was 8 charators in length and had a combo of numbers and letters. When I looked through the code I didn’t see anything out of the ordinary, but the database looked like it had been screwed with, as in like multiople injections into the wrong areas.
Do you have anything left for someone to look over ?
what would you like? The last site i did a dump of all the wordpress directory. and a screen shot.
they are not running WP-Stats are they? there’s a known security issue with v 2.0 of that plugin.
No that was the first thing that I checked.
Are they on the same server?
Please provide more information about your server specs.
do you use Cpanel ?
There are numberus ways to access to MySQL databases with some vulnarable web host managers (like older version of CPanel).
There is no way to inject some code into DB trough WP (as i see)
Check your Access Logs on server and see if some one tried to upload some shell script (i mean php shell script) on the server or not 😉
You say you are hosting them? Is it possible the server was hacked and not just one account? Or do you allow remote access to SQL where they could access everything if they got through?
remote access to SQL is shut off, and the server logs show no attempts to brute force logins etc. Also the accounts do NOT have ssh access. Latest version of cpanel was used as well. I am thinking it has to be an exploit with wordpress…
sdenike – would you be prepared to allow one of the developers access so they can check things out ? I’m not saying they will do so, but such an offer if you cannot find the cause could be useful.
If you do, send an email to security@wordpress.org with this thread title and it’ll be looked at.
