2.6 Got hacked by exploit?

  • I got hacked and don’t know how. I had the latest version at the time (2.6). Since then I upgraded to 2.6.1, but I’m still afraid the exploit might start again.

    The result is this:
    – many WordPress files deleted, including “wp-admin”,
    – index.php deleted,
    – wp-config.php deleted,
    – the database seems not to have been compromised.

    All the remaining files in the directory are clearly displayed.
    You can see a similar hack on Google; see which similar files have been deleted:

    If someone has reported the same issues, please share with me. I could not find out through my logs what happened.

    I suspect a plugin issue… or, strangely, “wpau-backup” seems to be present at each hack. I somehow noticed that people who haven’t cleared their wpau-backup directory have a copy of all their files directly accessible, which gives a clue to the installed plugins or might open a security breach.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Right, a little ‘Googling’ shows that a great lot of WP sites have a wpau-backup folder, and it appears to be writable too, since I ran into one hack. The WP-hackers mailing list discusses whether this is a possible hacking possibility. I have used the plugin myself, but I have no such folder, so I guess the people who DO have the folder didn’t use the cleanup function of the plugin.
    In your case the hacker ran into the folder and was then somehow able to find your other files? THAT’s serious! You still have the wpau-backup folder; better start by deleting that one, have a look at the file permissions and find the article called “Hardening WordPress” in the “codex”/“docs”.

    [edit] An interesting discussion about the subject can be found here.

    I have released a patch to urge people to cleanup their files, please upgrade to latest version and run the cleanup operation.

    Whoa. Well, what is the latest version? I used 1.2.2. Is there a more recent version than that to use for cleanup?

    Also, I have the wpau-backup folder on my server now. It appears to be empty. Does that mean there’s still a problem to be cleaned up?

    Gangleri > Thanks for the info.
    The folder has been deleted since.

    Keithdsouza > I think that you should include a security note in your plugin. Maybe give some info on how to configure .htaccess to prevent access to the wpau-backup directory.

    I think that “wpau-backup” should not be accessible via the web by default. This should prevent any possible exploits using PHP files in this directory, in addition to cleaning the installation.
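A concrete form of the lock-down suggested in this post, as an added example that is not code from the thread or from the WP Automatic Upgrade plugin: a POSIX shell audit (hypothetical helper names wpau_audit and wpau_deny_dir) that finds leftover wpau-backup directories under a WordPress root, flags any that are world-writable or still hold PHP files, and writes a deny-all .htaccess into each one. It assumes Apache with AllowOverride enabled for the document root; the .htaccess carries both the 2.2 and the 2.4 access-control syntax.

```shell
#!/bin/sh
# Added example (not from the thread or the plugin). Hypothetical helpers that
# audit a WordPress root for leftover wpau-backup directories and block web
# access to them until the admin deletes the folder. Assumes Apache honours
# .htaccess (AllowOverride) under the document root.

# Write a deny-all .htaccess into directory $1 (Apache 2.2 and 2.4 syntax).
wpau_deny_dir() {
    [ -d "$1" ] || return 1
    cat > "$1/.htaccess" <<'EOF'
# Block all web access to leftover upgrade backups (wpau audit)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
Options -Indexes
EOF
}

# Audit WordPress root $1: report every wpau-backup directory, note whether it
# is world-writable or still holds PHP files, then protect it. Sets WPAU_FOUND
# to the number of directories found (0 means the install is clean).
wpau_audit() {
    WPAU_FOUND=0
    # A here-document (not a pipe) keeps the loop in the current shell, so the
    # counter survives; the blank line from an empty find result is skipped.
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        WPAU_FOUND=$((WPAU_FOUND + 1))
        note=""
        # -perm -002: writable by "other", so any local user could plant files.
        [ -n "$(find "$dir" -maxdepth 0 -perm -002)" ] && note="$note world-writable"
        [ -n "$(find "$dir" -type f -name '*.php' | head -n 1)" ] && note="$note contains-php"
        note="${note# }"
        echo "wpau-backup found: $dir${note:+ [$note]}"
        wpau_deny_dir "$dir" && echo "  -> deny-all .htaccess written"
    done <<EOF
$(find "$1" -type d -name 'wpau-backup' 2>/dev/null)
EOF
    return 0
}
```

Run it as `wpau_audit /path/to/wordpress` after an upgrade; a non-zero WPAU_FOUND means the cleanup step was skipped and the folder should be deleted outright once the backup is no longer needed.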

    This seems to be the last one. 1.2.2 indeed.
    As far as I know, all previous versions urged you to clean up after the upgrade, but apparently not everybody did. I would advise deleting the folder when the upgrade is done (in my case, the plugin did so), even when it’s empty (there’s no use for it then anyway).
    Bloubby, ALL folders put on the web are accessible. The problem is that we now all know that this folder is indexed by Google so everybody not doing what the plugin suggests is easily tracked down. Better to follow the instructions closely.

    [edit] Keith. Just wondering. The WP Database Backup plugin seems to make backups without writing to the server (which IS optional but not recommended). Wouldn’t it be possible to make your backups that way too? That other plugin makes a backup, you save it to your PC and there’s nothing on the server, so no extra risk.

    Well, it would be nice to get some kind of definitive answer from Keith—or anyone. I didn’t even install the plugin until 1.2.2. It ran perfectly, and I absolutely *did* the cleanup. I nevertheless have an empty wpau-backup folder on my server now. Should I do more?

  • The topic ‘2.6 Got hacked by exploit?’ is closed to new replies.