[resolved] 2.2 Hacked

  1. Ilione
    I think I've accidentally closed my earlier post on this topic, so I'm really sorry for the repeat.

    I upgraded my installations of wordpress about 5 days after 2.2 came out and now it seems one of them has been hacked.

    You can view the disaster at digicoremusic.co.uk

    I've found that they've messed with the theme but I'm leaving it for you guys to have a look.

    The real problem is that I can't even login to the admin, it says 'invalid username' so they really have messed with it.

    Wanted to let you know -- and also any help fixing would be wonderful! I've contacted my host so I'll keep you updated.

  2. Ilione
    Not heard from the host yet but I managed to install an older sql database and get back into it. Going to change the password there and on my host now!

    Will leave the main page as it is just so you can see it and let you know what my host has to say when they get in touch.

  3. whooami
    It's really not a good idea to leave the page up -- for a couple of reasons:

    1. most importantly, you are just providing free advertising for the hackers.

    2. While I checked and there are NO hidden iframes or malicious javascript calls on that page -- what IF there were? I'm guessing you didn't look for those. :P

    You've contacted your host. Good.
    You're working on getting your site back. Good.
    Changing your passwords. Good.

    Work on applying safe, sound permissions to both your files and your directories >


    Update your xml-rpc.php file >


    and kill that page, please.

  4. Ilione
    Hey! Thanks for the reply,

    Yeah, I did notice that the page was free of evils or I wouldn't have left it up =) I just wanted people to be able to see what it looked like as there have been no confirmed reports of 2.2 hacks on here yet that I can see? I did have a good snoop before I posted.

    I also wanted my host to see it... they still haven't got back to me yet =/ I've started working on making it look normal again now anyway, too impatient!

    My permissions are cool but thanks for the heads up on the xml-rpc! Just updated it on all my installations =)

  5. breakingball
    Update your xml-rpc.php file >

    Is there a reason this information wasn't announced? Kind of a fluke I saw it here (ambulance chaser that I am, I'm drawn to "Hacked" topics).

  6. whooami
    You see my response to it not being so, don't you :P

  7. Ilione
    Ok here's something possibly weird.

    When I changed back to an old mysql database in cpanel, I noticed that there was an IP under access hosts on the account maintenance screen.

    When I looked up the IP it was a blueyonder user (an ISP over here in the UK)

    Does this mean that someone has been accessing my mysql with a remote host type thing? and if so, wouldn't they have needed my domain passwords to set it up/use it?

    If that's the case then they must have hacked my domain/hosting account and got in that way, as opposed to it being through wordpress.

    I'm super confused now! and still no word from my host...

    It won't even let me delete the remote access IP from my account grrr

  8. Ilione
    An update...

    Well, two of my wordpress 2.2 sites have now been hacked four times.

    My permissions are all 644 or 755, I updated the xmlrpc, I checked my plugins (only use 3) changed every password I could think of -- and checked for any odd files/scripts. I still keep being hacked :o/

    In the access logs you can actually see these guys logging into my WordPress. I have no idea how they're deleting the admin user in the database and adding themselves first, though -- but it's happening every time.

    I'm just lost, one of these sites is my business and it's so useless at the moment

    Does anyone have any suggestions?


  9. whooami
    I would be curious to see your access logs -- especially the bits before they log in. If you're feeling generous, send them along to me @ whoo @ REMOVE THIS village-idiot.org

    you did check to make sure that the users table in your database contained only users you knew right?

  10. macsoft3
    >changed every password

    How are you making your passwords?

    If your password consists of English alphabetical letters and numbers and is short enough, I'm sure cyber idiots could break it. WP allows you to use Greek characters for an admin password. And some web hosting companies also allow their clients to use Greek letters and special characters for control panel access while others don't.

    If you have a password of 12 letters consisting of Greek letters, special characters, lower case and upper case letters, the number of combinations can be as large as 784,716,723,734,800,000,000,000.

  11. >Does anyone have any suggestions?

    Yes. Send these access logs to security@wordpress.org along with any other information you can find that will help them to understand what's going on. If it's a WordPress issue, then they need to know it.

    Also, if they have direct access to your database, then they can do whatever they want without going through WordPress at all. Change your database password. You'll have to edit the wp-config.php file to match as well.

  12. Ilione
    whooami, I've sent along a log that I downloaded today for you to look at =)

    The database only has one user and that's me, until they delete me and replace me with themselves! I'm sure there must be something I'm missing here.

    macsoft3 I've just been making passwords with standard letters and numbers but they've been very long. I might try Greek next time though.

  13. Ilione
    Otto42, I made a new database user and password and deleted the old the second time it happened. I'll look into gathering stuff for the security, I just don't have many logs because I only started downloading logs the other day and I hadn't been saving logs on the server =(

  14. whooami
    sweet, thanks! I think it just came -- off to take a peek

  15. whooami
    did you notice that 2 of the referers in those logs point back to forums obviously run by script kiddie hackers. I don't speak or read Arabic or whatever language this is, but a translation would be fascinating if anyone recognizes it:

    Peace be upon you and God's mercy and blessings
    How are you, guys? God willing you're all well

    Anyway, I've trampled a site for you, just the way you like it

    And God willing there will be more to come

    Here is the site

    I registered on one of the forums and your link is there.

  16. whooami
    hmm actually, lets see:

    Google's Arabic-to-English translator spits out:

    May peace and God's mercy and blessings Chkhbarkm Erba, God is good, I Dost site on how you Kipkem God coming over this is a site

    The other forum post reads:

    http://thedogwalker.eu/wp-content/ has been hacked, praise be to God

    Which translated means:

    Been penetrating http://thedogwalker.eu/wp-content/ thankfully

  17. Ilione
    I did a google search for my domain and 'hacked' yesterday and found myself on a list.

    I don't really know what they think attacking the site of a dog walker is going to accomplish.

    It's so annoying that I can't see how they're doing it though. I really thought I had everything locked down yesterday =/

  18. whooami
    judging by the log you sent me -- they're just logging in, and once logged in they have the proper permissions.

    You said you created a new database? Do you have any users registered since that new db went live??

    They also made posts -- who was the author of the posts? You?? or someone else?
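    An added example, not code from this thread or from WordPress, of the log triage whooami describes in posts 15 and 18: pull out who POSTed to wp-login.php, what they then did under /wp-admin/, and which outside referers brought them in. It assumes an Apache "combined" format access log (the usual cPanel default) passed as a file path, and the site's own hostname as a second argument. The six log lines are constructed for this example; the addresses are RFC 5737 documentation addresses and the forum hostname is made up.

```shell
#!/bin/sh
# Added example (not from the thread): triage a combined-format access log
# for the "they're just logging in" pattern. Sample lines below are
# constructed; IPs are documentation addresses, the forum host is invented.
SAMPLE_LOG='203.0.113.5 - - [10/Jun/2007:03:12:01 +0100] "GET /wp-login.php HTTP/1.1" 200 1432 "http://forum.example.invalid/showthread.php?t=99" "Mozilla/4.0"
203.0.113.5 - - [10/Jun/2007:03:12:07 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "http://www.digicoremusic.co.uk/wp-login.php" "Mozilla/4.0"
203.0.113.5 - - [10/Jun/2007:03:12:09 +0100] "GET /wp-admin/ HTTP/1.1" 200 9102 "http://www.digicoremusic.co.uk/wp-login.php" "Mozilla/4.0"
203.0.113.5 - - [10/Jun/2007:03:12:40 +0100] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "http://www.digicoremusic.co.uk/wp-admin/theme-editor.php" "Mozilla/4.0"
198.51.100.23 - - [10/Jun/2007:08:41:13 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2007:08:41:20 +0100] "GET /2007/06/gig-dates/ HTTP/1.1" 200 6210 "http://www.digicoremusic.co.uk/" "Mozilla/5.0"
'

# Combined format: the request, referer and user agent are the 2nd, 4th and
# 6th double-quote-delimited fields; the client address is the first word.

# Addresses that POSTed to wp-login.php, with a count. A single POST followed
# by a 302 into wp-admin from an address you do not recognise is a login, not
# a brute-force attempt: the password was already known.
login_posts() {
    awk '{
        split($0, q, "\""); split(q[2], r, " ")
        if (r[1] == "POST" && r[2] ~ /^\/wp-login\.php/) n[$1]++
    } END { for (ip in n) print ip, n[ip] }' "$1"
}

# Every request under /wp-admin/ by address and method. The theme editor,
# user edit and plugin pages are where the defacement is actually done.
admin_actions() {
    awk '{
        split($0, q, "\""); split(q[2], r, " ")
        if (r[2] ~ /^\/wp-admin\//) print $1, r[1], r[2]
    }' "$1"
}

# Referers that are neither empty ("-") nor your own host: this is how the
# script kiddies' forum threads surfaced in the thread above.
foreign_referers() {
    awk -v host="$2" '{
        split($0, q, "\"")
        ref = q[4]
        if (ref != "" && ref != "-" && index(ref, host) == 0) print $1, ref
    }' "$1" | sort -u
}

# Run the three reports over the constructed sample.
log=$(mktemp)
printf '%s' "$SAMPLE_LOG" > "$log"
echo "== POSTs to wp-login.php by address =="; login_posts "$log"
echo "== /wp-admin/ requests =="; admin_actions "$log"
echo "== outside referers =="; foreign_referers "$log" digicoremusic.co.uk
rm -f "$log"
```

    Feed a real log in place of the sample and compare the first report against the addresses you log in from; anything else that got a 302 out of wp-login.php is a login with a valid password, which is the point Otto42 makes below about the database credentials rather than WordPress itself being the leak.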

  19. Ilione
    It's an old db from before all the hackings started happening but I had created a new user and password after the second time they hacked me, to try to stop them getting into it. I'm going to change my database username and password again now I think.

    I only ever have one wp user (myself) in the db and there are never others as I don't even have registration set up.

    When it happens, they seem to have added a new user to my db and deleted me, so I can't log in any more. I have to go into phpMyAdmin, drop the tables, import my old db again, go log into wp and change the wp password, then save the db again for backup with the new password... or I lose track of the password changes!

    I just can't see how they could access my db to add themselves as a wp user, it's like there's a piece of the puzzle missing.

  20. Ilione
    The last hack was posts of their mess and not my entire theme changed -- because I turned all of my theme's file permissions to 644 so there's no more theme editor for them to use when they log in

  21. >I just can't see how they could access my db to add themselves as a wp user, it's like there's a piece of the puzzle missing.

    There's a difference between the WordPress user/password and the database user/password. Which have you been changing?

    If you have not been actually changing the database user/password and editing wp-config.php to match, then they may have that information and can thus get in whenever they like.

    The database password is not something you can change within WordPress itself. You need phpMyAdmin to do that sort of thing, or your hosts tools. cpanel, maybe.

  22. Ilione
    Otto42, I change the wordpress password every time it happens but I changed the database username and password in mysql maintenance after the second time I was hacked. I've just changed it again too =)

  23. There is also the possibility that they have access to some other site on your shared server and are able to read your wp-config.php file even despite your changes. If this is the case, not much can help you except to move to another server or get a dedicated server or get another host or something. You can try setting your wp-config.php file to lower permissions as well.

    Try these permissions on the wp-config.php file: 400, 440, 444. Use the lowest number that allows the website to continue to function. If you find that you have to use 444, then you may not be secure on that server regardless of what you do.

    Another trick I like to use from time to time: If these are truly idiot script kiddies, then they could be fooled by simple obfuscation...

    You could run this script on your server somewhere:

    <?php
    // prints the uuencoded form of the real password
    echo convert_uuencode('newpassword');
    ?>

    to get an encoded version of your password. Then change wp-config.php to look like this:

    // uuencoded text can contain ' and \ characters; escape them inside the single-quoted string
    define('DB_PASSWORD', convert_uudecode('ENCODEDTEXTHERE'));

    Okay, so that's easily defeated by anybody with a clue, but it sometimes stops kiddies. You can do the same with base64_encode and base64_decode instead, if you like.

  24. Ilione
    Thanks Otto42, I've changed the config files on both of my sites to 444 which was the lowest it would work at and I'll see if I get through my first non-hacked night since it started =)

    Your other suggestion looks fun and sneaky to try though lol

  25. Ilione
    They got me again, same thing, changed the admin password in my database and then logged in to wp and posted their mess.

    My config was 444, now I'm so confused =(

  26. Like I said above:
    >If you find that you have to use 444, then you may not be secure on that server regardless of what you do.

    444 is *not* secure. That means it's world readable, anybody else on your shared server can read the wp-config.php file.

    I would complain to your host or get a new host.

  27. Ilione
    Yeah, I've been trying to get a response from them since Friday and nothing... I think they probably have an influx of angry customers

    Thanks for the help Otto42 =)

  28. FurrTrap
    With WP 2.2.1 on Bluehost.com, chmod 0400 wp-config.php seems to be working OK. I haven't tested it extensively, but the site runs fine so far.

    I can't remember where I read it now, it *was* an SQL site, but the issue of wp-config.php was raised as being a security issue as it's normally 644 and on the website. There was a workaround - damn where was that link? - to place the MySQL database password outside of the web branch and still get it to work. The point of the article was there are security issues with the SQL pass being on the website aside from any shared hosting environment issues.

    wp-config.php has always given me the willies regarding SQL access.
    Much happier that chmod 0400 seems to be OK with this critical file.
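    An added example, not code from this thread or from WordPress, that checks the permission points raised in posts 23, 26 and 28 in one pass: whether wp-config.php is readable by group or other (444 and 644 both are, which is what lets another account on a shared host read DB_PASSWORD), whether anything under the install is world-writable, and whether any PHP has been dropped under wp-content/uploads, which is the usual way a "cleaned" site is re-owned. It assumes a standard WordPress layout and takes the install root as its argument; the path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit a WordPress install for the
# permission problems discussed above. Assumes the standard layout
# (wp-config.php and wp-content/uploads under the root passed as $1).
#
#   audit_wp_perms /var/www/example    -> prints findings, exit status = count
#
# 1. wp-config.php readable by group or other: 400 or 440 is the goal.
# 2. World-writable files or directories: the 644/755 baseline forbids them.
# 3. PHP under wp-content/uploads: uploads should hold media, not code.
audit_wp_perms() {
    root=$1
    findings=0

    cfg="$root/wp-config.php"
    if [ -f "$cfg" ]; then
        # -perm -040: group-read bit set; -perm -004: other-read bit set
        if [ -n "$(find "$cfg" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
            echo "FINDING: $cfg is readable by group or other (want 400 or 440)"
            findings=$((findings + 1))
        fi
    else
        echo "FINDING: no wp-config.php under $root"
        findings=$((findings + 1))
    fi

    # -perm -002: other-write bit set on a file or directory
    ww=$(find "$root" -perm -002 2>/dev/null)
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/FINDING: world-writable: /'
        findings=$((findings + $(printf '%s\n' "$ww" | wc -l | tr -d ' ')))
    fi

    up="$root/wp-content/uploads"
    if [ -d "$up" ]; then
        php=$(find "$up" -type f -name '*.php' 2>/dev/null)
        if [ -n "$php" ]; then
            printf '%s\n' "$php" | sed 's/^/FINDING: PHP in uploads: /'
            findings=$((findings + $(printf '%s\n' "$php" | wc -l | tr -d ' ')))
        fi
    fi

    [ "$findings" -eq 0 ] && echo "OK: no permission findings under $root"
    return "$findings"
}
```

    Run it before and after a chmod 400 on wp-config.php. If the site only works at 444, PHP is not running as the file's owner, so no mode will hide the database password from other tenants, which is the situation Otto42 describes; the fix is at the host (suEXEC/suPHP-style per-user PHP) or a different host, not a different chmod.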

  29. Ilione
    Sorry it took so long for me to update =)

    I left my host and got a new one. I think they screwed up big! I'm not sure how people got into my blog - I can only assume it did have something to do with people getting my password from the config - but like I say, that's just an assumption.


    Thanks for the help you all gave. When things go badly wrong, it's nice to know that there are people willing to help


  30. sdickert
    Ummm - I am having a completely different problem. Last night/this morning - I suddenly found my blog with a new screen that showed the Welcome screen for the site.

    I tried the install/upgrade path - it complained about a lot of tables missing - and then said it was done. Then, it started to have me go through the setup path all over again.

    I deleted all of the files as instructed, and reinstalled the new code. Now I can not recover my site - the database was already blown.

    Any idea what happened?


    And - FYI - this started around 9am this morning...

