Support » Fixing WordPress » WP 2.0.4 hacked: Someone changed my username and password

  • My old blog about Rio de Janeiro got hacked last night. It’s based on WP 2.0.4

    I woke up to an email announcing “Password Lost and Changed for user: admin”

    I tried to login to see what was going on, but I couldn’t. I tried to get it to send me a new password, but it didn’t recognize my email address. I had to login to my mysql database to figure it out.

    It turns out that someone had changed the email to croconile@inbox.com and had logged in and made about 6 posts announcing that croconile had hacked the blog and denouncing the pope and Israel.

    What I want to know is how someone could have changed the admin’s email address? Did they hack into my mysql database too?

    Anyway, I managed to change the email address and get back in and back everything up, but still, how did this happen? Any ideas?

Viewing 15 replies - 1 through 15 (of 28 total)
  • Do you have any other scripts that have access to that same database? I ask because we aren’t aware of any security issues with that version of WordPress (or at least I’m not).

    I’m thinking they either guessed your password or hacked a different script on your site which gave them access to your database where they could then change the password and/or e-mail on your account.

    UPDATE:

    After doing a little research on Croconile, I’ve gathered that he’s probably Egyptian (the croconile is the Egyptian soccer team mascot). He hates Israel and the Pope.

    He’s also fairly benign and explained himself on a phpBB forum that he hacked.

    Here’s what he said:

    I didn’t do any damage.
    And i didn’t know what your password is.

    I simply hacked one of the sites on the hosting company (you are part of) it used “photokorn 1.52” thats how i got in ,i read the /var/cpanel/accounting.log and got to your site ,i saw the config.php ,connected to the database ,changed the user/pass ,then changed the site name/description.

    that’s all my friend 😀 peace 🙂

    So, I think my issue is with my hosting company. In which case, all is probably well in WP land. I just wish there were a better way to protect the wp-config file.

    Wow – thanks for the followup! Definitely want to share that with your host too 🙂

    You can try adding this to the .htaccess file in the root directory of the WP install:
    <Files "wp-config.php">
    Order Deny,Allow
    Deny from all
    </Files>

    But that won’t do anything if someone has/got shell access.

    Sounds like it’s time for you to find a better host — one that doesn’t have such crappy server configurations.

    Thanks Yosemite, I’ll fix my .htaccess

    I talked to my host (IX Webhosting – don’t use them, they’re morons) and they think that the cracker used a MYSQL injection attack. They were at a loss as to how to fix it and blamed WordPress and phpBB (my friend’s phpBB also got hacked) for the vulnerability. So, we’re playing the blame game. I’m going to switch hosts, but I’m not confident that it will solve this vulnerability.

    I’m no pro, but it seems clear to me that the wp-config.php is one of a few weak links here. I don’t know if anyone who knows more about this can do anything about that.

    Here’s to hoping that “given enough eyeballs, all bugs are shallow.”

    I too am no security expert, but putting the fault onto WordPress seems absurd given the hacker had the MASTER password to your hosting account. He could change anything independently of wordpress. To use an analogy, it would be like a thief having keys to your house and you blaming the jewellery box company for the loss of all your valuables.

    clarke1866,

    I can’t be sure that he had the master password to the account. There’s no evidence of that whatsoever.

    What there is evidence of, is that he cracked the mySQL database. That is, he got the login info for the database.

    It’s likely that he got the information from wp-config.php

    Again, I’m no expert, but these are my initial thoughts.

    A) My hosting company should be able to protect files like wp-config.php from prying eyes.

    B) WordPress should do a better job of hiding wp-config.php. If I remember correctly, I was able to delete Movable Type’s config file after installation (then again, installing MT was a nightmare).

    Let me say one more thing, I’m not blaming anyone for anything, so I hope no one feels obligated to defend WordPress. I’m here to present a problem with the hopes that the WP community can help find a solution.

    It *should* be possible to place wp-config.php outside your publicly-accessible-by-browser area, by changing the path to wp-config.php in wp-blog-header.php.

    I haven’t tried it myself, though I hope to have time to mess with it some in the next few days. I have other scripts which work this way, where the config info resides in, say, an includes folder above the domain root.

    HEY

    I just read the wp-config.php “using a PHPshell” connected to the database changed the e-mail and logged in 😀

    And i hate israel and every jerk insulting islam.

    So croconile, are you admitting that you hacked into others’ wp-installs?

    Hmmm.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    PHPShell is a way to run shell commands via a webpage. So I’m assuming he got access to the host via some other insecurity and used PHPShell to read files and such. From there it’s easy.

    Unfortunately, there’s no solution to this sort of thing. Anybody able to read your wp-config.php will have total access to your stuff. This is not easily preventable, really. In theory you could remove priviledges from key portions of the database by having an admin user, and then have the actual WordPress user account only have read access or something. But it would be problematic at best. Still, might be worth looking into.

    Well, it’s just another reason to be sure to keep good backups. No point in worrying about it – people are what they are….

    thegentle

    (@thegentle)

    Hold on…”No point in worrying about it?”

    I’m being hacked. My data is vulnerable. I’m imagining it’s my host’s fault for letting someone get in and use PHPshell, but still.

    I’ve always been a little nervous about the wp-config.php holding such valuable information. Now my nervousness has been validated.

    I admit, I’m still something of a novice, but can anyone assuage my fears here? Is there not a better solution?

    Also, is there any danger in making my .htaccess world writable? Or is there another thread for that?

    vkaryl

    (@vkaryl)

    Your wp-config.php file is NOT readable in a browser. Just try it. Input in a browser address bar the exact address to your wp-config.php file.

    There is a danger ANY TIME you make ANY FILE world writeable.

    My point as to “worrying” or not is that there’s practically nothing you CAN do about someone who’s using a cracker program – there’s nowhere you can put something to keep such a person from accessing it.

    Ergo, there’s no point in worrying about it, because there’s little practical that you can do about people who hate and act on that hate.

Viewing 15 replies - 1 through 15 (of 28 total)
  • The topic ‘WP 2.0.4 hacked: Someone changed my username and password’ is closed to new replies.