Compromised wordpress installation

Er Qi Yang
(@erqiyang)

14 years, 8 months ago

Recently, my installation of WordPress has been compromised. The attackers defaced the index.php file in my themes folder, and potentially done some other damaged to the wordpress engine as well.

For the past few days, I’ve been communicating with my webhost for the problem of the attack. They maintained that their server was not compromised, and that the attackers managed to gain access into my account through a flaw with wordpress, as they claim they have other users facing similar issue.

Looking at the raw access log of the server, I can see an IP address originating from Latvia (highly suspicious!!!) attempting to access the file wp-login.php …

It was accessed around the same time that the compromise took place. No other files was accessed.

I would like to know if anyone else has encountered similar incident, and if it’s even possible for attackers to modify the themes just only by accessing the wp-login.php file.

Viewing 3 replies - 1 through 3 (of 3 total)

Samuel B
(@samboll)

14 years, 8 months ago

yhe latest version of wordpress has no known vulnerabilities
yhr tim thumb plugin – also used in some themes – had a security issue, nut a new release a few weeks back took care of it

http://codex.wordpress.org/FAQ_My_site_was_hacked

http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

http://ottopress.com/2009/hacked-wordpress-backdoors/

when done
http://codex.wordpress.org/Hardening_WordPress

wearetoysoldiers
(@wearetoysoldiers)

14 years, 8 months ago

Yes, I experienced the very same thing last night around 1:23am. It said my site was hacked, when in fact it was some sort of loophole found via wordpress which placed an ‘index.php’ file in all of my folders. I deleted them and re-uploaded the necessary ones for WP. I was checking for a new update but seems there hasn’t been any and luckily I’m not the only one this has happened to. (At least I’m not crazy lol.)

Thread Starter Er Qi Yang
(@erqiyang)

14 years, 8 months ago

Thanks Sam for the links. I certainly am going to read through them a few more times to ensure no such repeat. I am still wary of other means of security flaw, for example, stolen password through key logger, and am thinking of the possibility of using Google to authenticate admin access to my blog, since Google has the 2-steps authentication. Anyone has any experience on that?

wearetoysoldiers: I am not exactly sure you call that lucky, though I can imagine if a index.php file has been placed in all my folders, I will be wanting to do a clean re-install. Thankfully, my data is pretty mobile with the export/import function, and a couple hours downtime should do the trick.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Compromised wordpress installation’ is closed to new replies.

Compromised wordpress installation

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics