I have some WP sites which were hacked recently. I think it was probably a dictionary attack as the only sites affected had a username "admin" and those which were not hacked had no such username.
The home page was changed to title: HaCkeD By SA3D HaCkeD.
I checked from my root directory to find the sources of the text.
> grep -r SA3D *
public_html/index.html:<title> # HaCkeD By SA3D</title>
...
Since this matched to various index.html files I deleted those files as WP does not need them as far as I know. This fixed it for nearly all the sites - but it did not fix it for one site using the Twenty Ten theme.
I tried upgrading the Twenty Ten theme, but WP told me I had a later version (maybe version number was hacked too). I had made no changes to the theme, so I:
+ installed another theme temporarily and switched to it.
+ deleted the Twenty Ten theme,
+ installed the Twenty Ten theme,
+ and then switched back to Twenty Ten theme.
That fixed it.
This is NOT a recommendation on how to handle the hack, just a suggestion for a possible quick fix. However, my impression is that this is a script kiddie at work and not an actual hacker. (I prefer to call such people Scwankers - SCript Wankers).
Targets seemed to be:
1. Sites with 'admin' as the name of the administrator user id (maybe better to create another account with admin rights and delete admin if you have one). This was true of all sites hacked.
2. Sites with Twenty Ten set as the theme (may not be an issue if #1 is not the case). Only one of the sites used Twenty Ten.
I can't advise on how to handle this hack, or any other hack, I am just sharing my experience in the hope it will save others time and trouble.
cheers,
William
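
The grep step described in the post, as an added example that is not part of the original post: it lists index.html files containing a defacement marker and labels the ones that sit beside WordPress core files, without deleting anything. The function names, the sample tree, and the use of wp-load.php to recognise a WordPress root are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post.

# Build a constructed sample tree: one defaced WordPress root, one clean
# WordPress root, and one defaced directory that is not WordPress.
make_sample() {
    d=$1
    mkdir -p "$d/site1" "$d/site2" "$d/static"
    : > "$d/site1/index.php"; : > "$d/site1/wp-load.php"
    : > "$d/site2/index.php"; : > "$d/site2/wp-load.php"
    printf '<title> # HaCkeD By SA3D</title>\n' > "$d/site1/index.html"
    printf '<title>My notes</title>\n' > "$d/site2/index.html"
    printf '<title>hacked by sa3d</title>\n' > "$d/static/index.html"
}

# find_defaced ROOT MARKER
# Prints "wp <path>" for a matching index.html that sits beside index.php
# and wp-load.php (assumption: these mark a WordPress root), and
# "other <path>" for any other matching index.html. Nothing is deleted,
# so each hit can be reviewed first.
find_defaced() {
    # -F: marker is a fixed string, not a regex; -i: ignore case, since
    # defacement text often uses mixed case; -l: print file names only.
    find "$1" -type f -name index.html -exec grep -Fil -e "$2" {} + 2>/dev/null |
    sort |
    while IFS= read -r f; do
        dir=$(dirname "$f")
        if [ -f "$dir/index.php" ] && [ -f "$dir/wp-load.php" ]; then
            printf 'wp %s\n' "$f"
        else
            printf 'other %s\n' "$f"
        fi
    done
}

# Demonstration on the constructed tree.
tmp=$(mktemp -d)
make_sample "$tmp"
find_defaced "$tmp" 'SA3D'
rm -rf "$tmp"
```

On a real host, call find_defaced with the hosting account's web root and the marker string seen on the defaced page.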