
My WordPress got hacked (yesterday)...... (16 posts)

  1. ju1ie
    Member
    Posted 7 years ago #

    I'm not sure if I'm posting this in the right forum or not; but someone Surmunity suggested that I should post what had recently happened to me for feedback or support on what happened. So this is what happened.....

    Yesterday, or a couple of days before yesterday, I recently moved my WordPress core files to the root of my site; and yesterday evening, I got hacked BIG time. I didn't know what to do. Someone somehow got into my WordPress admin and changed my password, and changed the e-mail address to theirs; I couldn't log back into my WordPress as "admin" because the hacker changed my password and changed the e-mail address to his/hers. I contacted my host and reported what happened; and I am still waiting for a response. My SiteMeter caught the hacker's IP address(es); and I have both of them blocked/denied. I also have had a lot of WordPress plugins (could that be why I got hacked as well?). There were a bunch of posts that I didn't want to delete or lose; but the hacker came so fast (while I was online) that he didn't give me a choice....and he left a hack message on my index.php (which is now gone & deleted).

    Could any of you give me advice on how to better prepare myself for something like this? What blows me away is, I have NO idea how the hacker got my WordPress password....

    Has something like this happened to any of you???

    I also want to add that I had the latest version of WordPress (2.0.5 when I got hacked yesterday).

  2. whooami
    Member
    Posted 7 years ago #

    Sorry to hear what happened, and not to rain on your parade, but while I would certainly keep whatever "ban" you have in place, you probably ought to know that there's a very good chance whoever it was was not using their real IP when they did whatever they did, and similarly won't use their real IP should they decide to make a return visit.

    The easy availability of proxies almost ensures this.

    To make sure that you were correct in your observation about using 2.0.5, I checked your site in Google's cache, and yep, on 11/17 you were using 2.0.5.

    While I'm not personally aware of security issues within 2.0.5, that doesn't mean there are none, obviously. A security issue within a plugin could certainly be the cause, as well.

    Without a list of plugins you were using, complete with version numbers, it's hard to say though.

    You mentioned that SiteMeter caught them.. I'll assume then, that your Apache logs caught them as well. Any requests to your site made via a browser are going to be in your Apache logs, and that information would go far, very far, in narrowing down their point of entry.

    You have the IP. I would do 2 things.

    One, I would share that IP here.

    And two, I would be looking through my Apache logs for THAT IP.

    If, in fact, this was a limited breach of your site via the web, and not something that occurred server-side, through your host, you're going to want to know how they got in.

    If you need help, feel free to contact me via the contact form on my site or just email whoo@ my domain.com (obviously, use my domain; it's linked off my name here on the forums).

    I'm always up for nailing a hacker.

  3. ju1ie
    Member
    Posted 7 years ago #

    Thanks for the reply. The IPs that SiteMeter caught were these: 196.202.61. and 196.202.69.

    How do I look through the Apache logs? I'm sure it's in the cPanel; but I'm not sure how to go about looking through the Apache logs. I think I will need your help after all. Thanks again for helping me out on nailing this hacker.

  4. whooami
    Member
    Posted 7 years ago #

    Through cPanel...

    Click that link that says "Raw Access Logs".

    The second best thing to do, and this is more reactive than proactive at this point, is to enable monthly log archives.

    THAT'S done via the link that says "Raw Log Manager". This allows you to FTP in and download the entire month's logs in the event the "Raw Access Logs" link doesn't have that data available.

    > The IPs that SiteMeter caught were these: 196.202.61. and 196.202.69.

    Unfortunately, those aren't complete IPs, but they both point back to Egypt. Without the last octet, there's no telling whether or not they were proxies.
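
The two posts above boil down to one procedure: get the raw Apache access log, pull out every request from the reported address range, and see what those requests did to the WordPress login and admin pages. The script below is an added example, not code from the thread or from WordPress; it parses Apache "combined" format lines, matches on the partial prefixes the poster gave (a partial prefix is matched octet by octet so that 196.202.6 cannot accidentally match 196.202.61.x), and prints a timeline of hits on wp-login.php and wp-admin/. The embedded log lines are constructed sample data: the paths, timestamps and full addresses are made up to illustrate the format.

```python
"""Filter an Apache access log by source-IP prefix and report the requests
that touched the WordPress login/admin area (added example, not thread code)."""
import re
from collections import Counter
from datetime import datetime

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths that matter for an admin-account takeover: the login form and wp-admin/.
SENSITIVE_PREFIXES = ("/wp-login.php", "/wp-admin/")

# Constructed sample log (NOT from the thread). The 196.202.x.x hosts only mirror the
# two partial prefixes the poster reported; the last octets and paths are invented.
SAMPLE_LOG = """\
196.202.61.10 - - [17/Nov/2006:21:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/4.0"
196.202.61.10 - - [17/Nov/2006:21:02:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.test/wp-login.php" "Mozilla/4.0"
196.202.61.10 - - [17/Nov/2006:21:02:40 +0000] "POST /wp-admin/profile.php HTTP/1.1" 302 0 "http://example.test/wp-admin/profile.php" "Mozilla/4.0"
10.0.0.5 - - [17/Nov/2006:21:05:02 +0000] "GET /index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped, not crash the run
196.202.69.77 - - [17/Nov/2006:21:09:58 +0000] "GET /askandanswer/index.php HTTP/1.1" 200 4011 "-" "curl/7.15"
"""


def ip_matches(ip, prefix):
    """True if `ip` is the full address `prefix`, or lies inside a partial prefix
    such as '196.202.61' / '196.202.61.' (compared on whole octets only)."""
    parts = prefix.strip().rstrip(".").split(".")
    if len(parts) == 4:
        return ip == ".".join(parts)
    return ip.startswith(".".join(parts) + ".")


def parse_log(text):
    """Parse combined-format lines into dicts. Lines that do not match are
    counted and skipped, because real logs contain junk and truncated lines."""
    entries, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries, skipped


def requests_from(entries, prefixes):
    """Keep only entries whose client IP matches any of the given prefixes."""
    return [e for e in entries if any(ip_matches(e["ip"], p) for p in prefixes)]


def is_sensitive(entry):
    return entry["path"].startswith(SENSITIVE_PREFIXES)


def summarize(entries):
    """Per-IP request counts plus a time-ordered list of login/admin hits, which is
    what you would hand to a host or read to reconstruct the takeover timeline."""
    per_ip = Counter(e["ip"] for e in entries)
    timeline = [
        (e["time"].isoformat(), e["ip"], e["method"], e["path"], e["status"])
        for e in sorted(entries, key=lambda e: e["time"])
        if is_sensitive(e)
    ]
    return {"per_ip": dict(per_ip), "sensitive": timeline}


if __name__ == "__main__":
    entries, skipped = parse_log(SAMPLE_LOG)
    hits = requests_from(entries, ["196.202.61.", "196.202.69."])
    report = summarize(hits)
    print(f"parsed {len(entries)} lines, skipped {skipped} malformed")
    for ip, n in sorted(report["per_ip"].items()):
        print(f"{ip}: {n} request(s)")
    print("login/admin activity:")
    for row in report["sensitive"]:
        print("  ", *row)
```

On a real download from cPanel's Raw Log Manager, replace `SAMPLE_LOG` with the file contents; a POST to wp-login.php answered with a 302 followed shortly by a POST to wp-admin/profile.php is exactly the pattern a password and e-mail change would leave. The `skipped` count is worth checking too: a high number usually means the host uses a different LogFormat and the regular expression needs adjusting.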

  5. ju1ie
    Member
    Posted 7 years ago #

    Yeah, I had the Raw Log Manager enabled prior to getting hacked; so the monthly logs are archived. When you say to go into the "Raw Log Manager", how do I FTP in and then download that month's archive? I'm not sure what you mean by proxies either. I'm not too familiar with proxies. I just know about IPs and that's it. :(

  6. whooami
    Member
    Posted 7 years ago #

    Well, that's great news; that means that you will definitely be able to see what they did, if anything.

    Since you archive logs, FTP in (I'll assume you know how to do that?), go into /logs/ and download this month's log. That's what you need.

    Using a proxy is a way of hiding your real IP. Spammers use them, malicious hackers use them.. people that don't want to be traced use them, in other words.

    Again, if you need help, drop me a note. I also have MSN Messenger, but I'm not giving that info out here.

  7. ju1ie
    Member
    Posted 7 years ago #

    I'm not sure how to FTP in for the logs. I'm sorta new to the whole FTP thing....

  8. whooami
    Member
    Posted 7 years ago #

    Do you have an FTP client? If so, that's what you use. If you don't have one:

    http://www.google.com/search?hl=en&q=ftp+client&btnG=Google+Search

  9. ju1ie
    Member
    Posted 7 years ago #

    I have CuteFTP 7 Professional.

  10. whooami
    Member
    Posted 7 years ago #

    That's what you need.. your host gave you some info, FTP info; that's what you use to FTP in. It should be some site info, an FTP login, and a password.

  11. ju1ie
    Member
    Posted 7 years ago #

    I downloaded it and I'm seeing the http://ftp.mysite-ftp_log

    but when I put in the http://ftp.mysite-ftp_log and my password it gives me an error. I think I'm doing it wrong though.

  12. whooami
    Member
    Posted 7 years ago #

    I can't help you with whatever you are doing wrong here as far as that goes. You may need to re-read whatever instructions your host gave you, or contact them.

  13. ju1ie
    Member
    Posted 7 years ago #

    I never got any instructions from my host when I downloaded the log files, or any info to put in to get the FTP logs. I'll try contacting my host again.

  14. ju1ie
    Member
    Posted 7 years ago #

    I have been talking with my hosting about my recent site hack and they told me this:

    There are some cases of XSS attacks on these type of applications, which are essentially used to steal confidential data from a user. If your site uses cookie based authentication, then this could be possible. It is often better to utilize scripts which are session capable, and store the authentication token in the php session, since it is stored server side. You may want to check that out with the wordpress folks. It stops most XSSs, as cookie data is often the target of XSS attacks.

    Also ask the wordpress folks if they know of any good mod_security rules to protect WordPress. I have not really found any WordPress specific rulesets, just general rule sets which apply to more SQL injection attacks.

    So do any of you know any mod_security rules to protect WordPress?? Any feedback would be appreciated!

  15. whooami
    Member
    Posted 7 years ago #

    I'm happy to share what I use, but it's going to be fairly generic.

    Mind you, mine seem to be doing the trick all the same.
    (Knock on wood)

    Any luck with those logs?

    Those are inevitably going to show whether or not your host is being "on the level" about all of this.. it's really worth the extra effort to get those.

  16. ju1ie
    Member
    Posted 7 years ago #

    Yes, my host/support & abuse team did the FTP logging for me; and they didn't say much about it (yet). They asked me if the hacker returned and I told them that the hacker did return; and they said I had some unstable scripts prior to getting hacked (for example, an ask 'n' answer script was very old and unstable and had a lot of vulnerabilities in it). So they told me to delete any scripts that would be unstable and to change my password in my cPanel/FTP/WordPress, and that's pretty much all they said about that.

    I am still discussing it with my host though.

This topic has been closed to new replies.