WordPress.org


I got hacked!

  • I’ve been using WordPress for about two months now and I love it. But this weekend my entire site got hacked by a “Turkish Hacker.” Here’s the page that hijacked my entire site:

    http://www.iamabigdork.com/hacked.html

    I managed to fix it, but the incident freaked me out. How did this happen and how do I prevent it? Thanks!

Viewing 10 replies - 1 through 10 (of 10 total)
  • What plugins are you using? They tried it very often here to “starhack” my entire server but I was still able to lock them out because I use some sort of IP filter and the Cracker Tracker by cback.de (I have patched it a little).

    Can you also post some log entries here?

    foolswisdom

    @foolswisdom

    Moderator

    Most likely:
    (a) weak password
    (b) the vulnerability is in another piece of software on your computer

    What version of WordPress are you running? I do not know of any remote exploits for WP 2.0.x.

    The network and computers system logs are your best place to start looking.

    And, of course, improper file permissions can lead to disaster. Avoid world writable, for instance.

    <meta name="generator" content="WordPress 2.0.3" /> <!-- leave this for stats -->

    And I’m unsure where you got that info, foolswisdom, but:
    http://unknowngenius.com/blog/archives/2006/07/26/critical-announcement-to-all-wordpress-users/

    I’m _not_ suggesting that was the source of the problem, just pointing that out — and a working exploit does exist in the wild.

    foolswisdom

    @foolswisdom

    Moderator

    whooami, thank you for the comment. I had previously misunderstood the nature of that exploit; it does seem to be a remote exploit.

    Your website is still accessible here: http://www.iamabigdork.com/index.php

    So, I guess that what the hacker did is the following: he changed the .htaccess file to state that the first file to be served is hacked.html. Usually, when they do this exploit, they don’t touch your website. They stop here. But we never know.

    How did he do this? Either there is a weakness with your web host, and there is nothing you can do. Your host can help you to identify that, because other accounts may have also been hacked.

    Or you had a weak password (a word found in a dictionary). With an automated script, it is very easy, a simple question of time. And thanks to the editors you find in “Manage > Files”, “Presentation > Theme editor”, “Plugins > Plugins editor”, “Links > Import links” and “Import”, you can freely edit and import new files in your web folder. I reported this security flaw to the developers but they didn’t care. It is their choice, they have to assume it.

    So, I hardened my WordPress. I changed the “admin” username to another word (done by tweaking it with phpMyAdmin, http://www.tamba2.org.uk/wordpress/phpmyadmin/ ; instead of changing the password, change the admin username), so the hackers will work only on the password field, guessing your username is still “admin”. He will never get through! Then, I erased the files: /wp-admin/templates.php, /wp-admin/theme-editor.php, /wp-admin/plugin-editor.php,
    /wp-admin/link-import.php, /wp-admin/import.php and the folder /wp-admin/import/ (because I don’t use it). Then, in the .htaccess file, I added the following lines:

    # Deny all web access to .htaccess itself
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    ### ONLY THE FILE index.php IS SERVED AS THE DEFAULT FILE. OTHERS ARE FORBIDDEN
    DirectoryIndex index.php

    # Deny index.* variants other than index.php (dot escaped so it matches a literal ".")
    <Files ~ "^(index)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]|jsp|xml)$">
    order allow,deny
    deny from all
    </Files>

    # Deny other common default or installer file names, including their .php forms
    <Files ~ "^(default|home|main|install|admin)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp|xml)$">
    order allow,deny
    deny from all
    </Files>

    The first line forbids the access to .htaccess, the second states index.php is the only file used by default, the others are there for safety in case the hacker puts a file like index.html, etc, that shall not be served.
    Then, I CHMOD .htaccess, index.php and wp-config.php to 444 instead of 644.
    And, I NEVER CHMOD a folder to 777 even if a plug-in asks for it. You have to test it is working with 755.

    These are some tips, I hope some people may find them useful.
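
    The permission settings listed in the post above can be checked with a short script. This is an added example, not code from any poster in this thread: it flags the three files the post sets to 444 if they still have a write bit, and any world-writable file or folder under the WordPress root. The function name `audit_permissions` and the root path argument are assumptions of the example.

```python
import os
import stat
import sys

# Files the post sets to read-only (444), relative to the WordPress root.
READ_ONLY = (".htaccess", "index.php", "wp-config.php")

def audit_permissions(root):
    """Return sorted (relative path, octal mode, finding) tuples."""
    findings = []
    # Check 1: the three files should carry no write bit for anyone.
    for name in READ_ONLY:
        path = os.path.join(root, name)
        if os.path.isfile(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o222:
                findings.append((name, oct(mode), "expected 444 (no write bits)"))
    # Check 2: nothing under the root should be world-writable (e.g. 777 or 666).
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            if os.path.islink(path):
                continue  # a symlink's own mode says nothing about its target
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & stat.S_IWOTH:
                rel = os.path.relpath(path, root)
                findings.append((rel, oct(mode), "world-writable"))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python audit.py /path/to/wordpress  (defaults to the current directory)
    for rel, mode, finding in audit_permissions(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{mode:>6}  {rel}  {finding}")
```
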

    @pozhonks: Thank you for these tips. I have done it all now.

    Might it also be a good idea to remove xmlrpc.php or is this *maybe* secure? I have 277 access attempts by a user-agent called “Internet Explorer 6.0” and as far as I guess it’s something like an exploitable-xmlrpc-search-bot???

    Oh yes, you are right, I forgot to mention to delete xmlrpc.php if you don’t use it.
    This file is useful if you want to use a third party software to write posts instead of using WP online interface.

    I also deleted wp-trackback.php used by spammers. Do it, if you don’t care about trackbacks.

    [offtopic]For handling trackback spam I have the Moderate Trackback Plugin and Referral Bouncer[/offtopic]

    I have seen many access attempts with an empty user-agent string. Is there a way of…

    1) blocking such attempts via .htaccess
    2) while letting RSS feeds pass through?

    It must be something like this:

    RewriteCond %{HTTP_USER_AGENT} ^$ [AND]
    RewriteCond %{BLA_BLA}
    RewriteRule BLA_BLA [F]

    It will not work this way and I’m not good at writing .htaccess.

    … or just download and install the Bad Behavior plugin.

    http://www.homelandstupidity.us/software/bad-behavior/

    But yeah, wandering a bit from the original topic!
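
    Both log observations raised in this thread (repeated xmlrpc.php requests under one user-agent, and requests with an empty user-agent string that are not feed fetches) can be counted from the access log before any blocking rule is deployed. This is an added example, not code from any poster: it assumes Apache combined log format, the feed URL patterns are an assumed list for a WordPress install, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Apache "combined" log format is assumed.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Feed URLs that should stay reachable without a user-agent (assumed list).
FEED_RE = re.compile(
    r'/feed(/|\?|$)|/wp-(rss2?|atom|rdf|commentsrss2)\.php|[?&]feed=', re.I
)

def is_feed(url):
    return bool(FEED_RE.search(url))

def triage(lines):
    """Return (xmlrpc.php hits per (ip, user-agent), empty-UA non-feed hits, unparsed count)."""
    xmlrpc, empty_ua, unparsed = Counter(), [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1  # counted so malformed lines are not silently ignored
            continue
        path = m["url"].split("?", 1)[0]
        ua = m["ua"].strip()
        if path.endswith("/xmlrpc.php"):
            xmlrpc[(m["ip"], ua)] += 1
        # A missing header is normally logged as "-", an empty one as "".
        if ua in ("", "-") and not is_feed(m["url"]):
            empty_ua.append((m["ip"], m["url"]))
    return xmlrpc, empty_ua, unparsed

# Constructed sample lines using documentation IP ranges; not taken from the thread.
SAMPLE = [
    '203.0.113.5 - - [05/Aug/2006:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Internet Explorer 6.0"',
    '203.0.113.5 - - [05/Aug/2006:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Internet Explorer 6.0"',
    '198.51.100.7 - - [05/Aug/2006:10:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" ""',
    '198.51.100.9 - - [05/Aug/2006:10:02:00 +0000] "GET /feed/ HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.44 - - [05/Aug/2006:10:03:00 +0000] "GET /?feed=rss2 HTTP/1.1" 200 5120 "-" ""',
    '192.0.2.50 - - [05/Aug/2006:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    xmlrpc, empty_ua, unparsed = triage(SAMPLE)
    for (ip, ua), n in xmlrpc.most_common():
        print(f"xmlrpc.php: {n} requests from {ip} as {ua!r}")
    for ip, url in empty_ua:
        print(f"empty user-agent, not a feed: {ip} {url}")
    print(f"unparsed lines: {unparsed}")
```

    The empty-user-agent list shows which requests a block rule would reject while feed fetches stay untouched, so the effect can be reviewed against real traffic first.
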

  • The topic ‘I got hacked!’ is closed to new replies.