WordPress.org


[resolved] SQL Injection hack (10 posts)

  1. paulmp
    Member
    Posted 5 years ago #

    Hey all,

    I run around 15 sites that have all been upgraded to WordPress 2.8.4. I assumed this upgrade would fix a security flaw in previous versions of WordPress where someone could use a bit of SQL and change the first account's email and password.

    The reason I did the upgrade is because I had a couple of them hacked in the last couple of weeks. But I've noticed a couple of them have been hacked since I did the upgrade, using the same method.

    Is there any way to lock down WordPress to make it more secure?

    Regards

    Paul

  2. ClaytonJames
    Member
    Posted 5 years ago #

  3. figaro
    Member
    Posted 5 years ago #

    I don't think they could actually change the password...just trigger an email to the admin to change it...which could be an annoyance. You may want to watch the following video for some security ideas.

    http://wordpress.tv/2009/07/11/brad-williams-security-montreal09/

  4. timjrobinson
    Member
    Posted 5 years ago #

    I've been getting the same thing for the past few weeks :(

    Just found http://ocaoimh.ie/did-your-wordpress-site-get-hacked/ today, might help find where they are installing backdoors.

  5. paulmp
    Member
    Posted 5 years ago #

    @figaro no, they can actually change the password and the email address it gets sent to. I know because I've been cleaning up the mess for the last couple of weeks. A lot of my clients run WordPress sites too and they have had the same thing; some of them got fully hacked and had their website replaced with a grim reaper and a link to some Iran security forum.

    - paul

  6. paulmp
    Member
    Posted 5 years ago #

    For example, one of my sites is currently down:

    http://www.paulpichugin.com/

    I'm going to fix it in the next couple of minutes

    - paul

  7. figaro
    Member
    Posted 5 years ago #

  8. paulmp
    Member
    Posted 5 years ago #

    Well, in total I've had 6 of my client sites hacked. Some of them have just had the admin password reset, but others have had their entire site defaced. If they are defacing the site, I'm guessing they have remote control of it.

    Also, looking in the MySQL databases, the email account has been changed on all of them.

    - paul

  9. paulmp
    Member
    Posted 5 years ago #

    I worked out how they were getting into the other sites: on the first site they hacked, they put a backdoor script in the uploads directory, an "r57 shell" script.

    If you get hacked, make sure you check for this script. Another one had a backdoor called "c100".

    Both of these scripts gave them shell access to a lot of back end things.

    - paul

  10. paulmp
    Member
    Posted 5 years ago #

    This was related to the issue with 2.8.3 but they managed to get remote access as well as reset the admin password.

    Their SQL Injection helped them change the admin email at the same time as resetting the password.

    I've worked out a resolution to change the first account to a dummy account that has minimal rights. That way if they figure out how to target the first account again, they still don't have access.

    - paul
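
A check for the kind of backdoor described in post 9, added here as an example (it is not code from the thread or from WordPress): it walks an uploads directory and flags files with a PHP extension, a filename containing the names mentioned above, or a PHP open tag in the content. The extension list, the 1 MB read limit and the function names are assumptions of this example.

```python
import os
import re
import sys

# Extensions a PHP-enabled web server may execute (assumed list; match it to your handler config).
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
# Full "<?php" open tag only; short tags are skipped so XML/XMP metadata in images does not match.
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)
# Names mentioned in the thread; a renamed shell will not match, so this is only a hint.
KNOWN_NAMES = ("r57", "c100")


def classify(path, max_bytes=1024 * 1024):
    """Return the reasons a file is suspicious inside an uploads tree (empty list if none)."""
    reasons = []
    name = os.path.basename(path).lower()
    # Check every dotted part so "photo.php.jpg" is caught as well as "shell.php".
    if any("." + part in PHP_EXTENSIONS for part in name.split(".")[1:]):
        reasons.append("php-extension")
    if any(known in name for known in KNOWN_NAMES):
        reasons.append("known-shell-name")
    try:
        with open(path, "rb") as fh:
            if PHP_TAG.search(fh.read(max_bytes)):
                reasons.append("php-open-tag")
    except OSError:
        reasons.append("unreadable")
    return reasons


def scan_uploads(root):
    """Walk an uploads directory and return {relative_path: reasons} for flagged files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if os.path.islink(full):
                continue  # do not follow links out of the uploads tree
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


if __name__ == "__main__":
    # Usage: python scan_uploads.py /path/to/wp-content/uploads
    for rel, why in sorted(scan_uploads(sys.argv[1]).items()):
        print(f"{rel}: {', '.join(why)}")
```

Uploads normally hold media only, so any hit is worth a manual look; a clean result does not rule out backdoors elsewhere in the install.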

Topic Closed

This topic has been closed to new replies.
