
So I got hacked, 3 hours ago.... (25 posts)

  1. awhitemage
    Member
    Posted 1 year ago #

    I have the latest wordpress version (3.0.1) and I got hacked, 3 hours ago. I'm hosting my wordpress installation on a paid server with Midphase.com, but none of my cpanel passwords were touched. Only my wordpress admin password was changed.

    I've read about admin password reset hacks, but only with previous versions of wordpress... I guess the hacks are still very present.

    Funny thing though, I had the "Under Construction" plugin installed and activated, so the hacked page never got crawled by google and nobody ever saw anything. A bit noobish, even for script kiddies.

    Team SQL HEX was their name.

  2. awhitemage
    Member
    Posted 1 year ago #

    I meant to add: what's the exploit and how can I prevent it?

  3. jonradio
    Member
    Posted 1 year ago #

    I've read about admin password reset hacks, but only with previous versions of wordpress... I guess the hacks are still very present.

    I wouldn't be so hasty in "blaming" WordPress security flaws. A quick Google says that Midphase.com is a web host that has been hacked a lot. If their site is hacked, a hacker could have access to your web site. It is also possible that your own computer was hacked/infected.

    This should make some good reading on how to resolve the problem:
    http://codex.wordpress.org/FAQ_My_site_was_hacked

  4. awhitemage
    Member
    Posted 1 year ago #

    I contacted midphase and they looked at my account, everything was fine, and all cpanel accesses were originating from my IP address.

    My computers are fine and secure and constantly being monitored for suspicious traffic.

    Unless they're a bunch of genius hackers, this looks like a simple password reset hack on wordpress 3.0.1. (I got a password reset email, too)

    I haven't removed the *two* files they modified yet... I find the song they inserted rather catchy. (it's originating from hxxp://www.abo-ali.com/ - looks like a legit music streaming site)

  5. selkin
    Member
    Posted 1 year ago #

    awhitemage, I wouldn't be so sure it isn't a midphase related vulnerability, one of my WP sites (hosted by midphase) was just hacked also.

  6. awhitemage
    Member
    Posted 1 year ago #

    Was your cpanel password changed? Did you receive a password reset email coming from your WP installation?

    As I said, I did confirm with midphase that my account was fine and that my cpanel accesses were all coming from my IP address.

  7. Shaooxz
    Member
    Posted 1 year ago #

    I would also advise changing hosting company

  8. jonradio
    Member
    Posted 1 year ago #

    I second the motion.

  9. idahsto8
    Member
    Posted 1 year ago #

    My username & password (only for wp-admin) was also changed twice in the last 3 days. I'm also at Midphase.

    awhitemage - where in your directory are the "two" files you found?

  10. LunaticLtd
    Member
    Posted 1 year ago #

    MY midphase hosted site has been the subject of attacks, too. It started last week. I got the email saying my password for user name XX had been changed. The site then showed a bunch of stuff on Islam. Contacted MP and they told me about changing the settings in phpmyadmin. I did and started cleaning up my site.

    Then I got hacked again. I did the same change. A few days later, I'm hacked again. This time, however, I can't change anything in phpmyadmin. I can get in, but when I click wp-users, I get information on the database and the ability to change the fields but not the data in the fields (i.e., usernames, passwords), so I'm effectively locked out of my own site right now.

    I talked to MP tech support and all they could say was the hacker had changed other passwords, other than wp-admin, and I'd have to dig through files to find it. I did but have NO idea what I'm looking for.

    Any advice, ideas on how to regain control now?

    Thanks.

    PS - I may have to change hosts, too, but I'd like to regain control first.

  11. webjunk
    Member
    Posted 1 year ago #

    If a hosting company admits their servers were vulnerable to an attack they are out of business within a day.
    But if they said "other passwords" were changed it sounds like they mean FTP/SSH access. I don't want to explain how it's done but hackers can capture these passwords on servers with bad security.

    For the access for Admin issue you need to check the database. Should be for wp_usermeta:
    a:1:{s:13:"administrator";b:1;}

    Assuming this is User ID 1.
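    As an added example (not webjunk's code), this Python script does the wp_usermeta check from the post above against constructed sample rows: it parses the PHP-serialized wp_capabilities value and lists every user_id that holds the administrator role, which is how you spot an admin account you did not create. The rows, user ids and table prefix are assumptions for the example.

```python
import re

# Constructed sample rows (user_id, meta_key, meta_value) from a wp_usermeta
# table; these are made up for the example, not data from the thread.
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (2, "nickname", "bob"),
    (3, "wp_capabilities", 'a:2:{s:6:"editor";b:1;s:13:"administrator";b:1;}'),
]

_ARRAY = re.compile(r"a:(\d+):\{(.*)\}", re.S)
_KEY = re.compile(r's:(\d+):"')
_BOOL = re.compile(r"b:([01]);")

def parse_capabilities(value):
    """Parse a PHP-serialized array of role => bool, e.g.
    a:1:{s:13:"administrator";b:1;}, and return the set of roles set to true.
    The s:N: prefix is a byte count, so this is exact for ASCII role names."""
    m = _ARRAY.fullmatch(value)
    if not m:
        raise ValueError("not a serialized PHP array: %r" % value)
    count, body = int(m.group(1)), m.group(2)
    roles, pos = {}, 0
    for _ in range(count):
        km = _KEY.match(body, pos)
        if not km:
            raise ValueError("bad key at offset %d" % pos)
        key_len = int(km.group(1))
        key = body[km.end():km.end() + key_len]
        pos = km.end() + key_len
        if body[pos:pos + 2] != '";':      # length prefix must match the key
            raise ValueError("key length mismatch at offset %d" % pos)
        vm = _BOOL.match(body, pos + 2)
        if not vm:
            raise ValueError("unsupported value at offset %d" % (pos + 2))
        roles[key] = vm.group(1) == "1"
        pos = vm.end()
    if pos != len(body):
        raise ValueError("trailing data after %d element(s)" % count)
    return {role for role, granted in roles.items() if granted}

def admin_user_ids(rows, table_prefix="wp_"):
    """user_ids whose capabilities row grants the administrator role.
    The meta_key carries the table prefix ($table_prefix in wp-config.php)."""
    admins = set()
    for user_id, meta_key, meta_value in rows:
        if meta_key == table_prefix + "capabilities":
            if "administrator" in parse_capabilities(meta_value):
                admins.add(user_id)
    return sorted(admins)

if __name__ == "__main__":
    print("administrator accounts:", admin_user_ids(SAMPLE_USERMETA))  # [1, 3]
```

    Compare the result with the admin accounts you actually created; a malformed value raises instead of being silently skipped, because a hand-edited row is itself a sign of tampering.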

  12. awhitemage
    Member
    Posted 1 year ago #

    I already started looking for a new host. Bluehost caught my attention.

    I had problems with midphase for a while now, this hacking stuff (which may or may not be midphase's fault) is just helping me make the move.

  13. webjunk
    Member
    Posted 1 year ago #

    Any of the hosts shown on the front of this site are reliable for WP.

  14. LunaticLtd
    Member
    Posted 1 year ago #

    webjunk,

    I checked under wp_usermeta and it shows meta_key for wp_capabilities, the meta_value is exactly what you put. And this is for User ID 1.

    I still can't access the data within the database to change the username/password under wp_users.

    Any other thoughts?

  15. webjunk
    Member
    Posted 1 year ago #

    And is USER ID 1 the User you are logging in with? Sometimes hackers will change the names around.

    Just re-reading your earlier post. Your problem is being able to make changes within PhpMyadmin? Then the database User account has lost rights to the WP database. That could be the OTHER Password MP said was accessed. Might not even be YOUR Account but maybe a root or other server level account. You need to see if MP can fix your access from the sound of it.

    Then, in phpmyadmin, you should delete that DB User account for WP; Create a new User account; Add Full privileges for that User to the WP DB; Edit your WP-Config.php for the new user and password.

  16. LunaticLtd
    Member
    Posted 1 year ago #

    If others are getting the same/similar hacks on their MP hosted sites, my guess would be that it is something at the root or server level account. I'll see if I can get them to fix my access in phpmyadmin.

    Can I just delete the wp database that's there and recreate? Or will that delete all my files/my whole blog?

  17. webjunk
    Member
    Posted 1 year ago #

    First it sounds like you would not have rights to delete the database or even Drop all the tables.
    Second (more importantly) you may not have rights to create a new one and/or import the backup database. You did say you have a Backup of the DB? Would do an Export/backup of the database right now if you can. You can then at least view it in a text editor.

    Remember all your posts, pages and config are in the database.

  18. LunaticLtd
    Member
    Posted 1 year ago #

    Seems that table may have been deleted by the hacker; it may not be an access issue. The MP tech guy I'm chatting with reset my permissions and I still couldn't do anything. He can't even find that table in the database.

    I asked and he agreed deleting the old database and starting a new one will work, but I'll lose my posts. I did do a full back up via cpanel like you suggested. Will that have my posts in there or will I lose all that?

    That'll be extremely annoying but not critical since I don't have a LOT of stuff on my blog yet and am revamping it somewhat anyway.

  19. webjunk
    Member
    Posted 1 year ago #

    You can view the backup of your database in a text editor. It might be gzipped and you will need to unarchive it. Would view it yourself for the posts. Don't take the tech's word for it. But if in fact the table was deleted and your only backup was the one you JUST made then they are gone. Possibly other portions of the database are also gone.
    If the table was actually deleted then I have to believe either it was a break-in to your cPanel (doubtful) or they had shell (telnet/SSH) access to the server. So before rebuilding your site, might be time to move to a new host. You will have no way of knowing if MP fixed their security issue. Sounds like the hacker obtained root access based on your not being able to manage the DB.

  20. idahsto8
    Member
    Posted 1 year ago #

    I've sent midphase this thread [also see this thread] (as did @awhitemage) and have been in communication with them, and so far they have been very helpful for my situation.

    If you're one of the people that have had your site hacked at midphase in the last week+/-, and had your wp username & password changed, please email jgriffiths [-at-] westhost [-.-] com and:

    "tell me which files exactly you saw as hacked during your instances so that we may know where the hacker was targeting and probably the vulnerability. Also, can you please provide us with the domain names of the other clients who were seeing hacks so we can see if there was an correlation between them all? Please let us know."

  21. LunaticLtd
    Member
    Posted 1 year ago #

    Well, it happened again. I implemented a bunch of security protocols (based on WordPress Defender by John Hoff) but I got hacked again. MP customer support just said there was no way it could be them and it had to be my error because of bad passwords, etc. Looked like a form letter response with minor tweaking for me.

    I also tried emailing the guy idahsto8 mentioned but haven't received a response in 5 days. I'm going to forward him my correspondence with MP and see if something can be done.

    Then I'm going to cancel my service with them and go elsewhere. This is ridiculous.

  22. awhitemage
    Member
    Posted 1 year ago #

    I password-protected my wp-admin directory (using the cpanel) and haven't been hacked again, yet. So until I switch from Midphase to something else, that seems to be a good "solution".

  23. idahsto8
    Member
    Posted 1 year ago #

    I made the following security improvements & haven't been hacked again, yet. Note: I haven't password protected wp-admin like @awhitemage.

    I found this person who had a similar type of hack. They made several changes. The one I changed was the wp-config.php permission to 400.

    I added these to my public_html .htaccess:

    # protect wpconfig.php
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    # DENY PUBLIC ACCESS TO YOUR php.ini file
    <Files php.ini>
    order allow,deny
    deny from all
    </Files>

    # DENY PUBLIC ACCESS TO YOUR php5.ini file
    <Files php5.ini>
    order allow,deny
    deny from all
    </Files>

    # QUERY STRING EXPLOITS
    # (mod_rewrite directives only take effect once the engine is on; WordPress's
    # own permalink block already does this if it is present in the same file)
    RewriteEngine On
    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} tag\= [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|�|"|;|\?|\*|=$).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
    RewriteRule ^(.*)$ - [F,L]
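    As an added example (not idahsto8's code or any project's), this Python script replays the query-string patterns from the .htaccess block above against constructed sample requests, so you can see before deploying the rules which ordinary WordPress requests (tag archives, a search containing "select" or a URL) they would reject with a 403 alongside the probes they are meant to stop. The sample query strings are made up for the example; two of the posted lines are left out because their text did not survive posting intact.

```python
import re

# The query-string patterns from the .htaccess block above, as posted.
# mod_rewrite uses PCRE and these run unchanged under Python's re; the [NC]
# flag is re.IGNORECASE. Two of the posted lines are left out: the one that
# contains an unreadable character and the one whose group "\|{||" has an
# empty alternative, since neither can be reproduced as the author meant it.
BLOCK_PATTERNS = [
    r"\.\.\/", r"boot\.ini", r"tag\=", r"ftp\:", r"http\:", r"https\:",
    r"(\<|%3C).*script.*(\>|%3E)",
    r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)",
    r"base64_encode.*\(.*\)",
    r"^.*(%24&x).*",
    r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*",
    r"^.*(globals|encode|localhost|loopback).*",
    r"^.*(request|select|insert|union|declare|drop).*",
]
_COMPILED = [(p, re.compile(p, re.IGNORECASE)) for p in BLOCK_PATTERNS]

def blocking_patterns(query_string):
    """Patterns that match this query string; any match means a 403 under the rules."""
    return [p for p, rx in _COMPILED if rx.search(query_string)]

def false_positives(requests):
    """Of (label, query_string, is_legitimate) triples, return the labels of
    legitimate requests the rules would reject."""
    return [label for label, qs, legit in requests if legit and blocking_patterns(qs)]

# Constructed sample query strings (not taken from the thread): four normal
# WordPress requests and three of the probes the rules are aimed at.
SAMPLE_REQUESTS = [
    ("tag archive",       "tag=wordpress",                        True),
    ("search for a word", "s=selection",                          True),
    ("search for a URL",  "s=http://example.com",                 True),
    ("single post",       "p=42",                                 True),
    ("path traversal",    "file=../../etc/passwd",                False),
    ("script injection",  "q=%3Cscript%3Ealert(1)%3C/script%3E",  False),
    ("base64 payload",    "x=base64_encode(abc)",                 False),
]

if __name__ == "__main__":
    for label, qs, _ in SAMPLE_REQUESTS:
        print("%-18s %-40s %s" % (label, qs, blocking_patterns(qs) or "allowed"))
    print("legitimate requests rejected:", false_positives(SAMPLE_REQUESTS))
```

    Run it against query strings from your own access log before enabling the block; the "tag=", "http:" and "select" conditions in particular fire on normal traffic, and a rule that blocks tag archives or searches should be dropped or narrowed.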

  24. LunaticLtd
    Member
    Posted 1 year ago #

    Very cool. Thanks to both idahsto8 and awhitemage for the ideas. I'll try those later when I have a chance (at work now). I really appreciate the fast response, too.

    I'm about to email the westhost guy to see what he says.

  25. F4ll
    Member
    Posted 1 year ago #

    Sorry to hear that you got hacked. Maybe it was something like in this video: youtube.com/watch?v=HJKsWoLj45c. These guys are smart; they always find new ways to hack something, probably because they have nothing better to do in their basements.

Topic Closed

This topic has been closed to new replies.
