WordPress.org


[closed] I've Been Hacked!! (24 posts)

  1. Sparky
    Member
    Posted 9 years ago #

    I have 2 different databases, and on each one I have a WordPress... and one of them was hacked. The person got in, removed every category besides the default one, and renamed it very inappropriately!!! So I changed my password, renamed the category, and downloaded my files.... but still? How can I prevent this from happening again?? I never told anyone my password....

  2. 1. Make sure you're running the latest version of WordPress (currently v1.5).

    2. Change your password.

  3. Sparky
    Member
    Posted 9 years ago #

    I changed it already. How do I upgrade?

    Is there any way to check to find an IP of someone that logged in?

  4. Mark (podz)
    Support Maven
    Posted 9 years ago #

    Choose a strong password.

    Use this:
    http://www.winguides.com/security/password.php
    and choose mixed case and numbers as well.

  5. Mark (podz)
    Support Maven
    Posted 9 years ago #

    http://www.tamba2.org.uk/wordpress/upgrade/
    Upgrade if you want to keep your 1.2.x templates

  6. Sparky
    Member
    Posted 9 years ago #

    Is there any way to check to find an IP of someone that logged in?

  7. Mark (podz)
    Support Maven
    Posted 9 years ago #

    I'd check your server access / error logs

  8. Sparky
    Member
    Posted 9 years ago #

    In my cpanel, to back up my whole account, what does this mean:

    Backup Destination:
    Email Address:
    Remote Server (FTP/SCP only):
    Remote User (FTP/SCP only):
    Remote Password (FTP/SCP only):
    Port (FTP/SCP only)
    Remote Dir (FTP/SCP only)

    I'm gonna check now for the access thing.

  9. DianeV
    Member
    Posted 9 years ago #

    I don't know about you all, but I also password protect the wp-admin directory as an extra layer of security (and do database backups on a frequent basis).

    In your case, Sparky, it's difficult to tell whether your hacker just got into the WordPress administration section, got in through a web hosting account admin panel, or hacked the server itself.

  10. Sparky
    Member
    Posted 9 years ago #

    I don't know. I'm gonna upgrade WP tonight, but right now I'm trying to figure out the IP address of the hacker. I got my raw access log from my cpanel, and I see a different IP than mine, so I'm gonna check that out. Should I do a WHOIS lookup with the IP? Or will that not help?

    I will put a pw protection to get into the admin folder, like you said.

  11. DianeV
    Member
    Posted 9 years ago #

  12. Sparky
    Member
    Posted 9 years ago #

    OK, I did searches. In the raw access log from my cpanel, I found a few different IPs, but never my own.. I looked them up and got the info from them too..... Is it not supposed to have mine? I found like 5 different ones.

  13. Sparky
    Member
    Posted 9 years ago #

    actually, more.... x_x
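The access-log check discussed in the posts above, as an added example that is not part of the original thread: it groups requests for `wp-login.php` and `/wp-admin/` by client IP so that admin-area activity can be separated from ordinary visitor traffic. The log lines are constructed samples in Apache common log format, and the function name is hypothetical.

```php
<?php
// Added illustration. The log lines are constructed samples (documentation
// IP ranges); for a real log use: $lines = file('access_log', FILE_IGNORE_NEW_LINES);
$lines = [
    '203.0.113.7 - - [12/Mar/2005:21:14:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1523',
    '203.0.113.7 - - [12/Mar/2005:21:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [12/Mar/2005:21:14:30 +0000] "GET /wp-admin/categories.php HTTP/1.1" 200 4210',
    '198.51.100.23 - - [12/Mar/2005:22:01:11 +0000] "GET /index.php?p=12 HTTP/1.1" 200 8812',
    '192.0.2.50 - - [13/Mar/2005:08:02:45 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0',
];

/** Groups requests for wp-login.php and /wp-admin/ by client IP (hypothetical helper). */
function admin_activity_by_ip(array $lines): array
{
    // Common/combined log format: ip ident user [time] "METHOD uri proto" status size ...
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) /';
    $byIp = [];
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue; // not a parsable request line
        }
        list(, $ip, $time, $method, $uri) = $m;
        $path = (string) parse_url($uri, PHP_URL_PATH);
        if (!preg_match('#/(wp-login\.php|wp-admin(/|$))#', $path)) {
            continue; // ordinary visitor traffic, not the admin area
        }
        if (!isset($byIp[$ip])) {
            $byIp[$ip] = ['hits' => 0, 'posts' => 0, 'first' => $time, 'paths' => []];
        }
        $byIp[$ip]['hits']++;
        $byIp[$ip]['posts'] += ($method === 'POST') ? 1 : 0;
        $byIp[$ip]['last'] = $time; // access logs are written in time order
        $byIp[$ip]['paths'][$path] = true;
    }
    return $byIp;
}

foreach (admin_activity_by_ip($lines) as $ip => $a) {
    printf("%-15s hits=%d posts=%d first=%s last=%s\n    %s\n", $ip, $a['hits'],
        $a['posts'], $a['first'], $a['last'], implode(' ', array_keys($a['paths'])));
}
```

A WHOIS lookup on any address this lists names the network that holds the address block, usually an ISP or hosting company, not the individual behind it.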

  14. solipsist
    Member
    Posted 9 years ago #

    How do you pass-protect the wp-admin folder?

  15. Sparky
    Member
    Posted 9 years ago #

    in cpanel there's a password protection thing

  16. streetmedic
    Member
    Posted 9 years ago #

    This may help; I came across it a little while ago on a site:

    This message is aimed at everyone who has converted their website to PHP using the index.php?x=about.html method to include their pages, as seen in many tutorials all over the web (like for example at EnglishSun.org).

    This method is very insecure, and allows hackers to gain access to your server. Because you are specifying what file to include via a URL, anyone can change the bit after x= to something else to include any file they want. This means they are able to see sensitive files, that hold password and other sensitive information. Once a hacker has gained access to your server, they will generally proceed to upload malicious scripts (like trojans or egg drops), with which they can attack other networks and send out SPAM emails. This eats up the bandwidth and disk space you're paying for, and can get you kicked out by your host. And, even worse, if any damage is caused to the server you're hosted on, your host can hold YOU totally responsible for those damages, because you allowed the hackers to gain access by using insecure coding! If they wanted to, they'd have the right to sue you over this.

    I've discovered this because several friends of mine recently contacted me after having problems with hackers on their servers. In trying to figure out what let the hackers gain access, I discovered the insecurities in this script. Also, one of those friends noticed she had been getting a lot of referrals from Google.com for searches looking like "allinurl: index.php?x=". This means that there are people out there specifically looking for sites using these scripts, they are being targeted by hackers because it is KNOWN these sites are insecure.

    Therefore, it is VERY important that you change your coding ASAP, as in RIGHT AWAY, if you were using this method of PHP coding. Here's what you should do if you used this script:

    1. Change your passwords for your domain control panel and MySQL databases. It can't hurt to change your password to your email accounts as well, just in case.

    2. Change your coding. There are other ways of converting your pages to PHP, two examples of which can be found here:
    NL-ConvertToPHP
    Fitting In With Your Site

    3. Make sure there are NO urls left in your site anywhere that use the "?x=filename.html" method to include files.

    4. Contact your host, and explain to them that you've just discovered you were using a script that wasn't completely secure. Tell them that it might have let hackers gain access to the server. Your host will then be able to run a security check on the server to get rid of any malicious scripts that might be present if you have been hacked.

    5. Spread the word. It's very important we let as many people as possible know about this ASAP so they can protect themselves. Please post about this in your blogs, forums, mailing lists, LiveJournals, etc. If you know of anyone who has a tutorial up on how to implement this method, please send them a link to this thread. The more people read this, the more will hopefully be able to change their coding before they get hacked. Feel free to include this entire message, or alternatively, include a link to the thread about this at CodeGrrl.

  17. @streetmedic:
    I don't think this is relevant to the problem in hand here. WordPress doesn't work by using the arguments in the URL to include files; these are passed into the SQL query to find things, for example posts with index.php?p=1234 looking for post id 1234.

    westi

  18. TechGnome
    Moderator
    Posted 9 years ago #

    westi - it very much is. WP as it is doesn't do that but there are ways listed out there that allow people "to include their [html] pages, as seen in many tutorials all over the web (like for example at EnglishSun.org)."

    Again, out of the box, WP doesn't have this ability, but there are plugins, hacks, and code snippets out there that do allow for that. It was one of the primary ways of doing "pages" back in 1.2, and some people have carried it over to 1.5. This is the primary reason I never did it on my site. However, there are ways to implement this safely, and lock it down so that outside files cannot be included.

    I think it's very much relevant to the issue. If someone had this hack installed, and it was discovered, I could use it to run a PHP file that adds a user for me into the database. I could then log in to the admin, and start creating havoc with the system.

    Tg
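The `index.php?x=about.html` pattern from the quoted warning, locked down so that outside files cannot be included, as an added example that is not code from the thread or from WordPress: the request only selects a key from a fixed server-side map and never supplies a path. The page keys, file names and `pages/` directory are hypothetical.

```php
<?php
// Added illustration: page keys, file names and the pages/ directory are hypothetical.

// The insecure pattern the quoted message warns about, shown only as a comment:
//   include($_GET['x']);        // reached as index.php?x=about.html

const PAGE_DIR = __DIR__ . '/pages';

// Fixed server-side map: the request can only choose one of these keys.
const PAGES = [
    'home'    => 'home.html',
    'about'   => 'about.html',
    'contact' => 'contact.html',
];

/** Returns the absolute path of an allowed page, or null if the request is not allowed. */
function resolve_page($requested): ?string
{
    // ?x[]=... arrives as an array; anything that is not a string is rejected.
    if ($requested !== null && !is_string($requested)) {
        return null;
    }
    $key = ($requested === null || $requested === '') ? 'home' : $requested;
    if (!array_key_exists($key, PAGES)) {
        return null;
    }
    // Defence in depth: the resolved file must still live inside PAGE_DIR,
    // which also catches a symlink planted in the pages directory.
    $base = realpath(PAGE_DIR);
    $real = realpath(PAGE_DIR . '/' . PAGES[$key]);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$file = resolve_page($_GET['x'] ?? null);
if ($file === null) {
    http_response_code(404);
    echo 'Page not found';
} else {
    // readfile() sends the bytes as-is; unlike include, it never runs them as PHP.
    readfile($file);
}
```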

  19. Streetmedic, the exploit you are referring to was corrected back in WP v1.2.2.

  20. JonathanDrain
    Member
    Posted 9 years ago #

    Do you have phpmyadmin installed? If you do, and someone guesses what directory you installed phpmyadmin to, they can get into your database, which could give someone full control of your WordPress.

    Alternatively, if your password was easily guessable they might have gotten in that way.

    Alternatively, check that you're the only user on the server who has access to that database.

  21. Sparky
    Member
    Posted 9 years ago #

    streetmedic, I don't use that coding.

    JonathanDrain, I do not believe I have that installed. I'll go check, but I doubt I have it. I don't think my password was that easy to guess, and I don't know how anyone could have gotten it.

    I'm going to upgrade to 1.5 right now.

    What does this mean: (I'm backing up my site from cpanel)
    Backup Destination:
    Remote Server (FTP/SCP only):
    Remote User (FTP/SCP only):
    Remote Password (FTP/SCP only):
    Port (FTP/SCP only)
    Remote Dir (FTP/SCP only)

  22. JonathanDrain
    Member
    Posted 9 years ago #

    I presume the backup destination is the directory/folder where you want to back up the database to, while those other options are if you want to back it up to a different server via FTP.

  23. Sparky
    Member
    Posted 9 years ago #

    OK. I'll try that out. I just upgraded one of my 2 WPs to 1.5, I have to fix the theme and upgrade the other too.

  24. Sparky
    Member
    Posted 9 years ago #

    "Do you have phpmyadmin installed? If you do, and someone guesses what directory you installed phpmyadmin to, they can get into your database, which could give someone full control of your WordPress."

    I just realized... I DO have it installed. And I didn't know about it. :( Now what? I've done all I can to protect my stuff, but I just realized I have it installed, and it came with my hosting... I didn't install it myself.
