WordPress.org

Ready to get started?Download WordPress

Forums

WordPress 1.5.2 Hacked (6 posts)

  1. david67
    Member
    Posted 7 years ago #

    Hello,

    My WordPress 1.5.2 was hacked!

    In fact i kept this version because i found it lighter and i was lazy to update to the 2.x

    but yesterday, i was told my session has expired, and my pass didn't work anymore

    i checked the databases and the mail of the admin was changed to another one ! i guess this is some sql injection, the hacker put his email in the database and resend the pass to his address.

    so i'm updating to 2.0 now.

    Is there some places (in the database) where i should look to check if there is no backdoor left ?

    i found that about 1.5.2 vulnerabilities :
    http://me.abelcheung.org/2006/05/24/no-more-wordpress-1-5-x/

    thanks

    D.

  2. Inspired2Write
    Member
    Posted 7 years ago #

    Hi David,

    You may want to check with your host. They may be able to provide you with some information about how you were hacked. Maybe that might help to identify what may still need to be closed up. HTH!

  3. david67
    Member
    Posted 7 years ago #

    Inspired2Write : thanks! What kind of informations from the host should i ask ?

    I installed wordpress 2.0.5, and the only files from
    the 1.5.2 version i kept (fearing the backdoors) are the wp_config.php and the .htaccess so is it possible to put backdoors in the sql ?

    thanks !!

    David.

  4. Inspired2Write
    Member
    Posted 7 years ago #

    Hi David,

    My knowledge is pretty limited in regards to this topic, but I've learned from other forums when someone has been hacked that their host can sometimes provide information as to how, and or where the vulnerability was. So, they may be able to help you identify where the door was. You may want to start a support ticket with your host by informing them your site was hacked, and ask if they have any information about it. They should know what to look for from their end to possibly identify where the door was.

    Other than that hopefully a mod or someone more knowledgeable than myself may be able to instruct you in regards to specifically what to look for within your WordPress database for that previous version, or how to get things closed up securely again since you upgraded.

  5. david67
    Member
    Posted 7 years ago #

    thanks ! i'll just ask my host so ;)

  6. Brian Layman
    Member
    Posted 7 years ago #

    Hi David,

    Unfortunately, this is a risk of running anything older than WordPress 2.0.4. There's a large number of people who have the know-how to wreak havoc on these older blogs at will. You are very lucky to have posts and comments left on your blog. I've been sitting on a 7 page post for the last 6 months about this very subject. Your question has convinced me to finally clean it up and hit the publish button. If you want to know some of the things that could have happened, wander over to http://www.thecodecave.com/article249 and take a gander. It's a bit late now, but maybe someone that hasn't upgraded yet will wander into this post.

    Please use your experience to convince your friends to upgrade. In the future, if you value what you've written, you really should upgrade more quickly. WordPress 2.0 came out a year ago. The WordPress 2.0.4+ world is never again going to be as vulnerable as the 1.x world was, but modern releases are going to include security fixes. Even 2.0.6 will have a security fix. Look for that to come out very soon. WordPress 2.1 will be following quickly on its heels.

    As for what to do now that the fox was seen leaving the chicken coop, I do have several recommendations.

    1. You need to change the password to your database and in your wp-config.php file. This is NOT the password you use when you want to post something. This is the password you put in wp-config.php when you first created your blog. You might never has seen or used that password since that day, but if you were hacked, someone else possibly has. Your webhost may have to help you do that, if you are not familiar with the procedure.

    2. You need to change the password you use when you make posts. This should be done AFTER step 1 is completed even if that means changing your admin password twice.

    3. Review the list of users on your blog. This should be done on a regular basis. One of the attacks I've tested on the older version of WordPress involved ugrading a normal user to an Admin user. You should review your list of users on a regular basis.

    4. Look at your file lists and deleted any files that you don't recognize. Files like CMD.TXT etc. are often placed on websites and used to attack other websites.

    5. Set the access rights to the files on your website. Perhaps someone will post their preferred access rights. Some people run a tight ship, others don't. This is done with telnet access and running the chmod command. I'm not going to make a recommendation at this point. Frankly, I'm not sure I would make the right recommendation for everyone. If you tell your web host that you want to make it so that people can't upload scripts to your site, they can probably change the rights for you.

    6. Make sure you don't have any strange plugins installed. This is pushing it, but if you know you've been safe, it is best to check everything.

    7. Evaluate if this attack has made you vulnerable anywhere else. Do you use the same password for your email as you did for your blog? Surely it isn't the password for your banking site or anything, but are there any other passwords you need to change?

    That's where I'd start. I hope that helps...

    The other reason to let your host know, of course, is that this attack may not have come from the WordPress side of things. Quite often small hosting companies have little "oops" mistakes that allow one account to spread a worm into another account. So, without knowing more about the attack, I can't evaluate where the hole is.

    In anycase, as a responsible user, you need to let them know. Besides if the hole is on their side, this will happen again and again and again no matter what version of WordPress you run.

    I hope this all works out for you...

    Cheers!

Topic Closed

This topic has been closed to new replies.

About this Topic