WordPress 2.5 hacked – need help to stop hacker from returning

  • I got hacked the night before last. I found out about it when a reader contacted me to say he couldn’t access my blog. Instead, he got the wp-admin/install.php page. When I checked myself, sure enough, I found the same issue. I couldn’t even access my own admin page.

    First I thought it was a problem associated with upgrading to WordPress 2.5 over the weekend. But then I got an unpleasant surprise.

    I went into my SQL database and discovered that my wp_options table had crashed. I repaired it using phpadmin, and was then able to gain access to my site. On a hunch, I checked my wp_users table and discovered that someone the previous night had broken into my WordPress admin, created himself a user account, and set himself up as admin. Then he evidently destroyed the wp_options table.

    As best I can tell, there’s no other damage to the site, although the pages all turned into posts after I repaired the wp_options table, which I had to fix. The problem though is that I’m worried this guy might come back and do worse damage, and I have no way of knowing what other surprises he’s left for me. I’ve removed the hacker as a user, and I’ve changed passwords everywhere, both on the blog and on my web host’s cpanel. My web host has been most unhelpful in dealing with this.

    What’s scary is that I thought I’d taken appropriate precautions, taking care with file permissions, passwords, updating plugins, you name it. I thought upgrading to 2.5 would protect me, but the hacker got in after the upgrade.

    I’m not sure what else I can do. Could someone please tell me what else I need to do to protect myself? (Simple instructions please — I am still learning my way around WordPress!)

    Thank you kindly in advance for any help you can offer!

Viewing 12 replies - 1 through 12 (of 12 total)
  • From what version did you upgrade? Your story doesn’t indicate that it has something to do with 2.5. As a matter of fact, besides an extra user and a crashed table, where’s the hack? Did you see if there are files corrupted, do you have spam anywhere on your site (whether visible or not), redirects, ads that shouldn’t be there? I see nothing such on your site. As far as I’m concerned, most of the things you experienced could be due to an unlucky upgrade, but of course the new user is a strange one. Question is, what was the hacker planning to do other than just create a user (did you ever manage to crash a table while working on the dashboard?), but then again, maybe (s)he plans on coming back. If you don’t trust things (I wouldn’t), a good start to monitor things may be Whooami’s plugin. (She doesn’t seem to be around to suggest it herself, so allow me.)

    Good luck, and do keep us posted when you discover something.

    Btw. The Ask Apache Password plugin may make you feel more secure. It adds an .htaccess password to your admin, config, etc. folders.

    If this was actually a hack, then 2.5 has a security problem.

    Gangleri, thank you so much for your response. I upgraded from WordPress 2.3.3 — whichever was the most recent upgrade prior to 2.5. I’d been conscientious about taking care of upgrades right along.

    It is odd that there was a new admin. Plus the fact that the upgrade, which I completed on Saturday, went just fine, and this issue didn’t appear until very late Monday morning. Just weird.

    Thanks for suggesting Whooami’s plugin. I’ll check that out. A friend just suggested the Ask Apache Password plugin, but I was a little daunted because it looks, judging from the comments on the site, like I’d need to monkey around with file permissions to be able to install it properly.

    Thank you again for responding. I really appreciate it.

    IF this was a hack, my idea is that it was there in the old version (that is probably not 2.2.3 or 2.0.11). If that’s not the case, there might be a serious problem for all of us. Wingedmonkey, please enlighten us.

    [edit] I was typing this at the same time as Wingedmonkey, so I hadn’t read that post yet. [/edit]

    I use Ask Apache and it works like a charm.
    If I were you, I’d just wait a few days and see if something strange happens, install Whooami’s plugin to keep track of things, have a look around your logs and scan through your files for anything fishy and all that just to be on the safe side. I’m still not sure if this was actually a hack, but of course I wouldn’t take the chance.

    If it was a hack of 2.3.3, then there’s still a problem if it wasn’t through another site on a shared host or by misuse of a plugin. Be sure to update those too!

    Gangleri, based on the date/time stamp for the creation of the new user account (which was shortly before my site apparently went down), it looks like this happened after I installed 2.5, not before.

    For what it’s worth, the blog is on a shared server and not a private one. If that’s the case, then I imagine that’s something my host should be worried about.

    I had the same thing happen to one of my blogs. My blog is on a private server. I am digging through the logs now to see if I can find anything. Something is up as others are reporting this happening to them as well.

    Edit: I was running 2.6, not 2.5, when this happened. I had recently upgraded from 2.5 to 2.6.

    Sorry everyone, I just noticed that was a month ago!! I need more coffee before I get all excited. Still do not know what is going on with my blog but the wp_options was corrupt, I got the “your new wordpress blog is ready” email.

    Happened to me twice this last weekend. Both blogs were hosted on the same account. Separate wp_options tables.

    I had one person register as a new admin user. He is a regular, legit, honest, trusted blog reader. As far as I can tell, he went to my blog (AFTER it was down/damaged), saw the log in box, got confused (probably not reading the text) and created his own account. After I fixed the blog, I deleted him as a user/Admin. Thus…I’m 99.9% sure that the new Admin I could see on my blog wasn’t a “hacker” that destroyed my wp_options table.

    If there was a hacker…it must have been someone else. 😉

    This must be a trend or something because my blog has just started doing this today also. I posted a separate question about it earlier. My host is GoDaddy and I have had problems with the SQL before but never this bad. What can be corrupting these tables?

    One thing that happened in the incident…all my pages were converted into posts. Yes, it sounds weird, but that is what happened. FYI in case someone else gets hit by this.
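
The check several posters describe, looking in wp_users for an administrator nobody recognises and reading its creation timestamp against the time the site went down, can be scripted. The following is an added example, not code from any poster or from WordPress: it reads the role from the `wp_capabilities` row in wp_usermeta and lists administrator accounts that are not on a known list, oldest first. It assumes the default `wp_` table prefix and uses an in-memory SQLite database with constructed sample rows in place of the live MySQL database.

```python
import re
import sqlite3

# Constructed sample data: an in-memory SQLite stand-in for the WordPress
# MySQL schema (table prefix "wp_" assumed). Names and dates are made up.
SAMPLE_SQL = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                       user_email TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                          meta_key TEXT, meta_value TEXT);
INSERT INTO wp_users VALUES
  (1, 'owner',   'owner@example.com',  '2007-06-01 10:00:00'),
  (2, 'editor1', 'ed@example.com',     '2007-09-12 08:30:00'),
  (3, 'newguy',  'newguy@example.net', '2008-04-01 02:14:00');
INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
  (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
  (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
  (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
"""

# Roles are keys of a PHP-serialized array set to true: s:N:"role";b:1;
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')

def audit_admins(conn, known_admins, prefix="wp_"):
    """Return administrator accounts not in known_admins, oldest first."""
    if not re.fullmatch(r"\w+", prefix):  # prefix is interpolated into SQL
        raise ValueError("unexpected table prefix")
    rows = conn.execute(
        f"SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value "
        f"FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ? ORDER BY u.user_registered",
        (prefix + "capabilities",),
    ).fetchall()
    findings = []
    for uid, login, email, registered, caps in rows:
        roles = ROLE_RE.findall(caps or "")
        if "administrator" in roles and login not in known_admins:
            findings.append({"id": uid, "login": login, "email": email,
                             "registered": registered})
    return findings

def load_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn

if __name__ == "__main__":
    for f in audit_admins(load_sample(), known_admins={"owner"}):
        print(f"unexpected admin: {f['login']} <{f['email']}> registered {f['registered']}")
```
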

  • The topic ‘WordPress 2.5 hacked – need help to stop hacker from returning’ is closed to new replies.