Site Hacked tonight – Info and questions

This may come bouncing back to me that the whole thing was my fault, and certainly it might be… but I really want to understand this better. Also, this might help others avoid a problem. I also think there MAY be a security issue here, but I have not enough tech savvy to know, so opinions are welcome. Using WP 2.3.1

Site: http://blog.therealcostarica.com

Things I know I did wrong:

First, the subdirectory “blog” was open (777) as also was the wp-content directory (more on THAT later). I have since changed both to 755

A hacker came in tonight and added TWO files that I know of.

The first was in the (blog) root directory and named index.html The code for this file is at the end of this post.

They also added a second file, wp-cache-config.php was added to the wp-content directory. The code for that file is identical to the HTML only the name being different.

I WAS using a plug-in, wp-cache, in the plugins folder, but it was NOT activated. That plug-in may have installed another PHP file, “advanced-cache.php” – or maybe the haker did that too, but I think the plugin created that file. I know it was not there when I upgraded to 2.3.1.

In any case, the result was a throughly corrupted dashboard and the hacker’s message appeared above the normal blog pages. The blog content was not disturbed.

Removing the HTML code did nothing to fix the hack. Removing the PHP file DID fix it… so far.

Entering the server as root, I noticed that BOTH the HTML and the PHP files were owned by NOBODY. They were NOT owned by me. Now THIS indicates to me that the hacker has found a way into WordPress in order to upload these files.

So here are my questions!

1. How did they get in? I use enormously complex 11-12 digit passwords to the server and to blog itself and even if the blog directory and the wp-content directory were 777, is that enough to let them in? Here is the kind of password I use: j75N88QbHJ9 so it seems unlikely they guessed it.

2. If the wp-content directory is changed to 755 or 775, then the WordPress Database Backup plugin does not work and cannot store the backed up db to that directory. That makes NO sense to me.

3. Am I wrong about that NOBODY ownership thing? How can someone upload files using nobody?

4 Will changing the permissions for blog and wp-content to 755 be enough? Should failure to do so leave this software that vulnerable?

I appreciate any responses on this. I am trying to learn and to understand this stuff better, so please, no flames… just your thoughts and suggestions.

Thanks – TG

Here is the code for the two files above:

<html>
<title>Hacked By  Boz_wolf </title>

<script language="JavaScript1.2">
function ClearError() {return true;}
window.onerror = ClearError;
</script>

<title>Hacked By Boz_wolf  </title>

<P align=center><SPAN><FONT face=Haettenschweiler color=red size=5></FONT></SPAN></P>
<P align=center><SPAN><FONT face=Haettenschweiler color=red size=5>Hacked By Boz_Wolf | cybermafia | Leonard | webpolice | By_3GE | THEsnowFLAKE | By-YaRaMaZ</FONT></SPAN></P>
<P align=center><SPAN><FONT face=Haettenschweiler color=red size=4> </FONT>Simdi susma zamani!!!</SPAN></P>
<p align="center">
<img border="0" src="http://img201.imageshack.us/img201/4396/10le9.png" width="207" height="208"></p>
<P align=center><SPAN><FONT face=Haettenschweiler color=#808080 size=5></FONT></SPAN></P>
<P align=center><SPAN><font color="#808080" size="5" face="Haettenschweiler">Etikete gerek yok piyasa iyi tanir beni:)</font></SPAN></P>
<P align=center><font color="#808080" size="5" face="Haettenschweiler">hacked_by_bozwolf@hotmail.com</font></P>
<P align=center><SPAN><FONT face=Haettenschweiler color=red size=5>www.megasecurity.us</FONT></SPAN></P>
<EMBED
src=http://www.forumcusun.com/yeah.mp3 

LOOP="TRUE" width="1" height="1"> <NOEMBED><BGSOUND src="http://www.bebelerebalon.org/societa.mp3" 

loop=infinite></NOEMBED></EMBED>
</body>
</body></p></blockquote>
</html>