
[closed] WP 2.0.4 hacked: Someone changed my username and password (29 posts)

  1. thegentle
    Member
    Posted 7 years ago #

    My old blog about Rio de Janeiro got hacked last night. It's based on WP 2.0.4

    I woke up to an email announcing "Password Lost and Changed for user: admin"

    I tried to login to see what was going on, but I couldn't. I tried to get it to send me a new password, but it didn't recognize my email address. I had to login to my mysql database to figure it out.

    It turns out that someone had changed the email to croconile@inbox.com and had logged in and made about 6 posts announcing that croconile had hacked the blog and denouncing the pope and Israel.

    What I want to know is how someone could have changed the admin's email address? Did they hack into my mysql database too?

    Anyway, I managed to change the email address and get back in and back everything up, but still, how did this happen? Any ideas?

  2. Do you have any other scripts that have access to that same database? I ask because we aren't aware of any security issues with that version of WordPress (or at least I'm not).

    I'm thinking they either guessed your password or hacked a different script on your site which gave them access to your database where they could then change the password and/or e-mail on your account.

  3. thegentle
    Member
    Posted 7 years ago #

    UPDATE:

    After doing a little research on Croconile, I've gathered that he's probably Egyptian (the croconile is the Egyptian soccer team mascot). He hates Israel and the Pope.

    He's also fairly benign and explained himself on a phpBB forum that he hacked.

    Here's what he said:

    I didn't do any damage.
    And i didn't know what your password is.

    I simply hacked one of the sites on the hosting company (you are part of). It used "photokorn 1.52"; that's how I got in. I read the /var/cpanel/accounting.log and got to your site, I saw the config.php, connected to the database, changed the user/pass, then changed the site name/description.

    that's all my friend :D peace :)

    So, I think my issue is with my hosting company. In which case, all is probably well in WP land. I just wish there were a better way to protect the wp-config file.

  4. Chris_K
    Member
    Posted 7 years ago #

    Wow - thanks for the followup! Definitely want to share that with your host too :-)

  5. yosemite
    Member
    Posted 7 years ago #

    You can try adding this to the .htaccess file in the root directory of the WP install:
    <Files "wp-config.php">
    Order Deny,Allow
    Deny from all
    </Files>

    But that won't do anything if someone has/got shell access.
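The .htaccess rule in the post above, as an added example that is not part of the original thread: a small POSIX shell helper that appends the same `<Files "wp-config.php">` block to an install's .htaccess only if it is not already there, and keeps .htaccess itself from being world-writable so the rule cannot simply be edited away. The function names, the temporary directory and the sample files are constructed for the demo. The directive syntax is Apache 2.2 as in the post; Apache 2.4 expects `Require all denied` inside the same `<Files>` block. As yosemite notes, none of this helps against someone who already has shell or PHP-shell access on the server.

```shell
#!/bin/sh
# Added example, not from the thread: install the wp-config.php deny rule
# into an install's .htaccess idempotently and verify it.

# Exactly the block from the post (Apache 2.2 syntax).
WPCONFIG_RULE='<Files "wp-config.php">
Order Deny,Allow
Deny from all
</Files>'

# Return 0 if $1/.htaccess already carries a <Files "wp-config.php"> block.
wpconfig_rule_present() {
    grep -q '<Files "wp-config.php">' "$1/.htaccess" 2>/dev/null
}

# Number of <Files "wp-config.php"> blocks in $1/.htaccess (0 if no file).
wpconfig_rule_count() {
    if [ -f "$1/.htaccess" ]; then
        grep -c '<Files "wp-config.php">' "$1/.htaccess" || true
    else
        echo 0
    fi
}

# Append the rule to $1/.htaccess (creating the file if needed). Running it
# twice must not produce two copies, hence the presence check first.
harden_wpconfig_htaccess() {
    dir=$1
    if wpconfig_rule_present "$dir"; then
        return 0
    fi
    printf '%s\n' "$WPCONFIG_RULE" >> "$dir/.htaccess"
    # A world-writable .htaccess would let anyone on the box remove the rule.
    chmod 644 "$dir/.htaccess"
}

# Demo on a constructed throw-away install directory.
demo=$(mktemp -d)
touch "$demo/wp-config.php"
harden_wpconfig_htaccess "$demo"
harden_wpconfig_htaccess "$demo"   # second run: no duplicate block
printf 'Rule blocks present: %s\n' "$(wpconfig_rule_count "$demo")"
cat "$demo/.htaccess"
rm -rf "$demo"
```

Point the functions at the real install root instead of `$demo`; the count helper is there so a cron job or deploy script can confirm the rule survived an upgrade that rewrote .htaccess.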

  6. Sounds like it's time for you to find a better host -- one that doesn't have such crappy server configurations.

  7. thegentle
    Member
    Posted 7 years ago #

    Thanks Yosemite, I'll fix my .htaccess

    I talked to my host (IX Webhosting - don't use them, they're morons) and they think that the cracker used a MYSQL injection attack. They were at a loss as to how to fix it and blamed WordPress and phpBB (my friend's phpBB also got hacked) for the vulnerability. So, we're playing the blame game. I'm going to switch hosts, but I'm not confident that it will solve this vulnerability.

    I'm no pro, but it seems clear to me that the wp-config.php is one of a few weak links here. I don't know if anyone who knows more about this can do anything about that.

    Here's to hoping that "given enough eyeballs, all bugs are shallow."

  8. clarke1866
    Member
    Posted 7 years ago #

    I too am no security expert, but putting the fault onto WordPress seems absurd given the hacker had the MASTER password to your hosting account. He could change anything independently of wordpress. To use an analogy, it would be like a thief having keys to your house and you blaming the jewellery box company for the loss of all your valuables.

  9. thegentle
    Member
    Posted 7 years ago #

    clarke1866,

    I can't be sure that he had the master password to the account. There's no evidence of that whatsoever.

    What there is evidence of, is that he cracked the mySQL database. That is, he got the login info for the database.

    It's likely that he got the information from wp-config.php

    Again, I'm no expert, but these are my initial thoughts.

    A) My hosting company should be able to protect files like wp-config.php from prying eyes.

    B) WordPress should do a better job of hiding wp-config.php. If I remember correctly, I was able to delete Movable Type's config file after installation (then again, installing MT was a nightmare).

    Let me say one more thing, I'm not blaming anyone for anything, so I hope no one feels obligated to defend WordPress. I'm here to present a problem with the hopes that the WP community can help find a solution.

  10. vkaryl
    Member
    Posted 7 years ago #

    It *should* be possible to place wp-config.php outside your publicly-accessible-by-browser area, by changing the path to wp-config.php in wp-blog-header.php.

    I haven't tried it myself, though I hope to have time to mess with it some in the next few days. I have other scripts which work this way, where the config info resides in, say, an includes folder above the domain root.

  11. croconile
    Member
    Posted 7 years ago #

    HEY

    I just read the wp-config.php "using a PHPshell", connected to the database, changed the e-mail and logged in :D

    And I hate Israel and every jerk insulting Islam.

  12. vkaryl
    Member
    Posted 7 years ago #

    So croconile, are you admitting that you hacked into others' wp-installs?

    Hmmm.

  13. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 years ago #

    PHPShell is a way to run shell commands via a webpage. So I'm assuming he got access to the host via some other insecurity and used PHPShell to read files and such. From there it's easy.

    Unfortunately, there's no solution to this sort of thing. Anybody able to read your wp-config.php will have total access to your stuff. This is not easily preventable, really. In theory you could remove privileges from key portions of the database by having an admin user, and then have the actual WordPress user account only have read access or something. But it would be problematic at best. Still, might be worth looking into.

  14. vkaryl
    Member
    Posted 7 years ago #

    Well, it's just another reason to be sure to keep good backups. No point in worrying about it - people are what they are....

  15. thegentle
    Member
    Posted 7 years ago #

    Hold on..."No point in worrying about it?"

    I'm being hacked. My data is vulnerable. I'm imagining it's my host's fault for letting someone get in and use PHPshell, but still.

    I've always been a little nervous about the wp-config.php holding such valuable information. Now my nervousness has been validated.

    I admit, I'm still something of a novice, but can anyone assuage my fears here? Is there not a better solution?

    Also, is there any danger in making my .htaccess world writable? Or is there another thread for that?

  16. vkaryl
    Member
    Posted 7 years ago #

    Your wp-config.php file is NOT readable in a browser. Just try it. Input in a browser address bar the exact address to your wp-config.php file.

    There is a danger ANY TIME you make ANY FILE world writeable.

    My point as to "worrying" or not is that there's practically nothing you CAN do about someone who's using a cracker program - there's nowhere you can put something to keep such a person from accessing it.

    Ergo, there's no point in worrying about it, because there's little practical that you can do about people who hate and act on that hate.

  17. whooami
    Member
    Posted 7 years ago #

    Also, is there any danger in making my .htaccess world writable?

    The answer to that question ought to be painfully obvious, unless you are simply slow.

    I dont mean to be rude, but you are worried about wp-config.php "containing valuable info" and yet you have to ask about leaving the door mat to your entire domain wide open?

    c'mon.

    Here it is - in black and goddamn white, for the 10,000th time:

    CHMODDING DIRECTORIES TO 777 IS ILL ADVISED.
    CHMODDING FILES (ESPECIALLY FILES LIKE YOUR .HTACCESS) TO 666 IS ILL-ADVISED.

    I'll go one better: it's not just ill-advised, it's stupid, and uneducated, and like the saying goes, ignorance is no defense.

  18. whooami
    Member
    Posted 7 years ago #

    And just so everyone knows... getting a PHP shell is easier than you think, and it's attempted all of the time -- most of you just don't read your damn logs, so you don't even know it.

    Eventually, someone has got to step up and take some goddamn responsibility for what happens to THEM instead of passing the buck onto WordPress or their damn host.

    You don't have a license, you don't get to drive, kids.

  19. vkaryl
    Member
    Posted 7 years ago #

    Well, yeah. It is. Which was why I said there's not much point in worrying over it. You can only do so much. Since that sort of thing is available practically wholesale, and since many hosts are, I guess you can say, still in the dark ages, there's just no reason to get ulcers about it.

    Make redundant backups. Fine-tooth your logs. What else? Oh yeah.... DO NOT UNDER ANY CIRCS LEAVE ANY FILES OR FOLDER WORLD WRITEABLE - no matter who tells you it's okay (matt? you listening?)

  20. whooami
    Member
    Posted 7 years ago #

    The trouble, vkaryl, is that if it were not for the legions of drones that read this forum and get hand-fed bullshit every damn day; they're coddled so much that they can't even find Google, much less use it. If it were not for them, croconile, and people like him, would have nothing to do.

    If that insults someone, that's too bad. Maybe you need to pick up a book about what the Internet is, and worry about getting a grasp on that, before you worry about why your damn permalinks don't work.

    I'm tired of this shit. And if this qualifies as a meltdown, so be it.

  21. vkaryl
    Member
    Posted 7 years ago #

    May I join you, m'friend?

  22. kokorozashi
    Member
    Posted 7 years ago #

    Meltdown? Maybe. More importantly, you were so busy displaying your leet skillz that the people you're sneering at understood nothing you said. First and foremost, try to be useful.

  23. kokorozashi
    Member
    Posted 7 years ago #

    World-writability is in general undesirable for any file under any circumstance. If you were to make .htaccess world-writable, you'd become vulnerable to all kinds of attacks which are both deeper and broader than WordPress and might well result in all manner of bad things happening to your web site hosting account in general. So: not recommended. What problem are you trying to address in proposing this? There is probably another solution.
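The permission point made in whooami's post 17 and kokorozashi's post 23 (and thegentle's question in post 15 about a world-writable .htaccess), as an added example that is not part of the original thread: a POSIX shell audit that lists world-writable files and directories under an install and flags a wp-config.php that anyone on the box can read, plus a helper that applies the common 755/644 baseline with 640 on wp-config.php. The function names and the constructed sample tree are assumptions for the demo. One caveat worth stating plainly: on a shared host where every account's PHP runs as the same web-server user, that user must still be able to read wp-config.php, so file modes alone cannot stop a neighbour's PHP shell from reading it; that is the host-side isolation problem the thread keeps circling back to.

```shell
#!/bin/sh
# Added example, not from the thread: find and fix the permission mistakes
# discussed above on a WordPress install directory.

# Print every file or directory under $1 that is world-writable (octal 002 bit).
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print
}

# Print wp-config.php under $1 if it is readable by "others" (octal 004 bit).
find_readable_wpconfig() {
    find "$1" -type f -name wp-config.php -perm -004 -print
}

# Return 0 if nothing was found, 1 (with a report on stdout) otherwise.
audit_wp_install() {
    bad=$(find_world_writable "$1"; find_readable_wpconfig "$1")
    if [ -n "$bad" ]; then
        printf 'Permission findings under %s:\n%s\n' "$1" "$bad"
        return 1
    fi
    return 0
}

# Baseline: directories 755, files 644, wp-config.php 640 so that only the
# owner and the web-server group can read the database credentials.
fix_wp_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    [ -f "$1/wp-config.php" ] && chmod 640 "$1/wp-config.php"
    return 0
}

# Demo on a constructed throw-away tree that reproduces the thread's mistakes:
# a 777 directory, a 666 .htaccess and a world-readable wp-config.php.
demo=$(mktemp -d)
mkdir "$demo/wp-content"
printf '# constructed\n' > "$demo/.htaccess"
printf '<?php // constructed config\n' > "$demo/wp-config.php"
chmod 777 "$demo/wp-content"
chmod 666 "$demo/.htaccess"
chmod 644 "$demo/wp-config.php"
audit_wp_install "$demo" || echo "(before fix: findings above)"
fix_wp_permissions "$demo"
audit_wp_install "$demo" && echo "after fix: clean"
rm -rf "$demo"
```

Run `audit_wp_install /path/to/wordpress` from cron and alert on a non-zero exit; a file turning 666 or a directory turning 777 between runs is worth a look in the logs whooami mentions, since it usually means either a bad chmod by a human or a process that should not have been writing there.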

  24. whooami
    Member
    Posted 7 years ago #

    Piss off, kokorozashi. Leet skillz? I don't think so.

    Come back after you've put your time (let's say 1-1/2 years) in coddling the people that can't even help themselves.

    Nice job dumbing it down. What you don't understand is that it doesn't matter how simple you make it.

    You just wasted your typing time, friend. And save your insults for someone deserving. I've long since earned my stripes here.

  25. vkaryl
    Member
    Posted 7 years ago #

    Besides which, of course, we'd already both said the same thing....

    Oh well.... such is life....

  26. DesignDroide
    Member
    Posted 7 years ago #

    I think that you should create a new DB and from there basically make a new WP. You can always import your old posts via RSS feed.

  27. thegentle
    Member
    Posted 7 years ago #

    whooami is an asshole.

    That said, lesson learned. I'll no longer heed WordPress's requests that I make my .htaccess writable.

  28. whooami
    Member
    Posted 7 years ago #

    whooami is an asshole.

    No, I'm smart, and you would do well to heed what I say.

    I'm not the reason you were hacked; I'm telling you like it is. You just don't like what you've heard.

    You, generally speaking, need to be intelligent and use some common sense, and if you won't, or can't, or refuse to, then you ought to get OFF the Internet.

  29. moshu
    Member
    Posted 7 years ago #

    If there isn't anything constructive/useful to be said here - only personal attacks... you force me to close this thread.

Topic Closed

This topic has been closed to new replies.
