I have WP v2.6.1 with the 3 secret keys in use in the wp-config.php file. I do not allow comments on my site. I use the Indomagz 2 theme. I keep my plugins up to date daily.
Three says ago, when I tried to reset my domain's account password, I found I was unable to change the password, and when I clicked on my domain server's help forums link, I got a downloader trojan.
I thought this was my server's fault, until I looked at my WP database.
Five days ago, someone got into my WP database and created two "test" databases. (I don't even know how to do this! - and they weren't there 8 days ago.) One database had tables with names similar to what I got from the downloader trojan. The other database contained obscene jokes, that I think are part of a future attack.
My Norton Antivirus said the downloader was a high risk ajax exploit attack called HTTP MS Works 7 WklmgSrv ActiveX Code Execution. But I could find no info on it, even googling it didn't help.
I don't use MS Works. Do any of the WP plugins use MS Works?
I think it was my WP that was hacked.
Any suggestions on how they got in?
I use the Hashchecker plugin. Sometimes it returns an "all good" result in 5 or 10 minutes and other times it returns nothing even after an hour.
No other parts of my domain seem affected, just the WP database.
I do backups of my files and my database & run virus & malware scans on them & they're clean.
I thought I'd be smart and create a new db and import my pre-five-days-ago db backup into it, update the wp-config file for the new db name, user, password and host and all would be good. But I got an error connecting to the database message. I must have done the export incorrectly, although I followed WP's directions.
Around early June 2008, I saw an article on how to look at logs or code or something to determine hacking attempts. I think it was a dashboard link, and the article was written by a woman. But I can't find it anywhere now. Anyone know where this article is?