Viewing 12 replies - 1 through 12 (of 12 total)
  • Thread Starter eswrite-wp

    (@eswrite-wp)

    Thanks. Some of the links you post are already in the list I posted. The 2nd one is 2 years old, hence leading me to wonder if it still applies, especially since much of the information I’ve already read points to things and directories that don’t quite match my installation (running the latest WP). But I’ll look at the other links you posted to see what I can glean.

    The 2nd one is 2 years old, hence leading me to wonder if it still applies

    Yes – in general, it does.

    Thread Starter eswrite-wp

    (@eswrite-wp)

    Thanks again. Looks like I have some roll-up-my-sleeves heavy duty work to do. Part of me is wondering whether this wouldn’t be a good time to chuck my old design and just build from the ground up. I can tell you if I do that, WordPress will not be the foundation for my entire site. I thought it was pretty robust until I came here to research my problem and discovered a host (pun intended) of horror stories.

    The hack may have absolutely nothing to do with WordPress – assuming that you did keep your copy of WP updated.

    Thread Starter eswrite-wp

    (@eswrite-wp)

    Well… so far I’m seeing none of the usual hack suspects. Everything looks as it should be. Whatever happened is very obscure.

    Thread Starter eswrite-wp

    (@eswrite-wp)

    Oops… spoke too soon. Just found evidence of the “eval… base64” hack in my wp-config.php file. More to do….

    Thread Starter eswrite-wp

    (@eswrite-wp)

    I’m up and running now after cleaning that bit, but I’ll need to run through the rest of the gauntlet now.

    Thread Starter eswrite-wp

    (@eswrite-wp)

    One other link:

    http://www.rvoodoo.com/projects/the-dreaded-base64-wordpress-hack-and-other-hacks-too/

    The thing I can’t find anywhere is: how does this base64 stuff get on there in the first place?

    The hacker has added it.

    Thread Starter eswrite-wp

    (@eswrite-wp)

    The hacker has added it.

    No kidding. But how? I don’t expect you to figure it out for me, but in all those links posted above, I see nothing that helps me figure it out so I can plug the hole. I did see an FTP user that I didn’t add, but the access log showed no activity, and none of the modified files had time stamps beyond December of last year. The logs are useless. So?

    Thread Starter eswrite-wp

    (@eswrite-wp)

    Though I’m still figuring out how to clean up my database, for which I have no recent/useful backup, I thought I’d jot down the “anatomy of the hack” as far as I’ve been able to figure it out.

    1. I found and removed an FTP user name I had never created (user name similar to mine, but with some gibberish text after an underscore). According to my ISP, this FTP user had never accessed my site, so assuming the hacker didn’t clean his tracks (simplest assumption), it appears that’s one backdoor for future use.
    2. I found and removed a recently added (at or about the time my site went to the white page) is_human plugin folder. I used to have this plugin, but removed it some time ago. This is pretty much the only alteration I can detect via recent time stamps.
    3. I found and replaced a base64 infected wp-config.php file. Interestingly, its timestamp was not recent at all. As soon as I cleaned this file, my site no longer showed the white page and was up and running.
    4. I found another base64 infected file, this time in a theme I wasn’t using. I removed all themes except for the default and my own customized theme. For the latter, I scanned each file, line by line (painful!) to ensure no monkey business. This is tough because though I’ve been editing these files for some time, I derived them from another theme, and hence I’m not quite sure what does and doesn’t belong.
    5. I found nested wp-admin, wp-includes and wp-content directories (i.e., wp-admin had a wp-admin sub-directory, etc.). I removed all of these.
    6. For good measure, I replaced all directories/files that wouldn’t erase content data with what comes in a clean WP 3.3.1 install.
    7. Finally, on my ISP’s MySQL control panel, I found 3 databases, at least 2 of which appear to be copies of each other and have unusual naming. In the process of figuring out how best to deal with that, as I linked above.

    This is really a very painful and paranoia-filled exercise. Have I looked at everything, cleaned up everything, changed all that I need to change? Barring a full re-install with complete database loss, I’m beginning to think I will never know.
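A small defender-side scanner for two of the indicators listed in this post, added here as an example (it is not code from the thread or from WordPress): it walks a site tree and flags PHP files where eval() is fed straight from a decoder such as base64_decode, plus core directories nested inside themselves (wp-admin/wp-admin). The sample tree it scans is constructed in a temporary directory; the injected line carries only a harmless echo.

```python
import base64
import os
import re
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes", "wp-content")
# eval() fed straight from a decoder is the "eval... base64" injection the
# thread describes; WordPress core and legitimate themes never do this.
DECODER_EVAL = re.compile(
    rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)


def scan_tree(root):
    """Return sorted (indicator, relative path[:line]) tuples found under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = os.path.basename(dirpath)
        for d in dirnames:
            # a clean install never has wp-admin inside wp-admin, and so on
            if d in CORE_DIRS and here == d:
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                findings.append(("nested-core-dir", rel.replace(os.sep, "/")))
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                for lineno, line in enumerate(fh, 1):
                    if DECODER_EVAL.search(line):
                        rel = os.path.relpath(path, root).replace(os.sep, "/")
                        findings.append(("eval-decoder", f"{rel}:{lineno}"))
                        break  # one hit is enough to flag the file for review
    return sorted(findings)


def build_sample():
    """Constructed sample tree (not a real site): a clean include file, a
    wp-config.php with an injected line 3 (payload is a harmless echo), and
    a nested wp-admin/wp-admin directory."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-admin", "wp-admin"))
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "wp-includes", "load.php"), "w") as fh:
        fh.write("<?php\nfunction wp_sample_clean() { return true; }\n")
    blob = base64.b64encode(b"echo 'constructed sample';").decode()
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php\ndefine('DB_NAME', 'example');\n"
                 f"eval(base64_decode('{blob}'));\n")
    return root
```

Pointing scan_tree at a real document root gives a review list, not a verdict: every hit still needs a human to compare the file against a clean copy of the same WordPress version.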

  • The topic ‘Recovering from white screen wp-admin page’ is closed to new replies.