Feb
18

Another hacked story – did 2.9 appear to lose your plugins?

Plugins, WordPress  

Don’t blame 2.9!

A site was hacked. This was only detected because he had a funny admin screen, so he decided to do an auto upgrade to 2.9 (possibly without a backup!). This appeared to cause his plugins to disappear, including the one that protected his content! This may help others, as initial googling did not find direct answers.

Imperatives for any site!

Ability to recreate your site – this means

  • keeping clean copies of any premium themes and plugins, as well as a database backup. The WordPress files and free plugins can be re-downloaded.
  • most good hosts will do a daily backup – know how to call on them if you have to – at most you may lose one day of posts or registrations. Worst case, you export the possibly hacked DB and files in case you need to carefully extract any updates before they restore the older version of your site!

Ability to detect a problem

Symptoms:

  • “funny admin screen” under 2.8.4
  • on upgrade to 2.9 – plugins appeared “lost” – invalid header message on upgrade. Maybe 2.9 detecting the bad code?

Upon investigation

WordPress files

  • At top wp level, found BAD file: shermie_helsa.php – with eval base64 code – Deleted it
  • Config file was hacked too
  • did spot checks and hold thumbs, seems clean – worry is DB?

Themes

  • All top level files of themes hacked too – probably the script just adds itself to all the files.
  • Tried to clean up – very badly hacked though – everywhere – looks like bad javascript too!
  • Saved BAD themes to a somehackedfiles at top level via GoDaddy – DO NOT click on or RUN from BROWSER. Delete if you no longer need them.
  • Loaded a clean default theme.
  • Got clean cutline from http://cutline.tubetorial.com/cutline-3-column-theme-now-available/
  • copied over tailored images – edited header.php to use your images – hope that was the only custom change made!

Plugins

  • same as themes – hack must run through all such files
  • copied to the hacked files
  • downloaded new versions
  • copied my version of ym – I don’t have yminder locally yet – do you have a clean copy – else download later
  • ADDED:
    • login lockdown (helps prevent bruteforce hacking into your system)
    • wp-db-backup (no backups were available)

WordPress DB

  • browsed through the options (apparently some hacks hide there – did not see anything obviously wrong there…)
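
The spot checks described above (an unexpected PHP file at the top WordPress level, and eval base64 code added to theme and plugin files) can be automated. The following is an added example, not part of the original post: the extra decoder names and the list of expected root files are assumptions to adjust for your WordPress version, and the sample tree is constructed.

```python
import os
import pathlib
import re

import tempfile

# eval() wrapped around a decoder: the "eval base64 code" the post describes.
# The decoders other than base64_decode are an added generalization.
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*(?:@\s*)?(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# Assumption: PHP files expected in a stock WordPress root (adjust per version).
KNOWN_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php"}

def scan(root):
    """Return sorted (relative_path, reason) findings for PHP files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            data = pathlib.Path(path).read_bytes()
            m = SUSPICIOUS.search(data)
            if m:  # report the decoder used and the line where it starts
                line = data.count(b"\n", 0, m.start()) + 1
                findings.append((rel, f"eval({m.group(1).decode()}(...)) at line {line}"))
            if dirpath == root and name not in KNOWN_ROOT_PHP:
                findings.append((rel, "unexpected PHP file in WordPress root"))
    return sorted(findings)

def demo():
    """Scan a small constructed tree that mimics what the post found."""
    files = {  # constructed sample content; the payload is a placeholder
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "shermie_helsa.php": "<?php\neval(base64_decode('CONSTRUCTED_PLACEHOLDER'));\n",
        "wp-content/themes/cutline/header.php":
            "<?php eval ( base64_decode(\"CONSTRUCTED_PLACEHOLDER\")); ?>\n<html>\n",
        "wp-content/themes/default/index.php": "<?php get_header(); ?>\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            target = pathlib.Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run `scan()` against a downloaded copy of the site rather than through the browser. A clean result from this heuristic does not prove the files are clean, so replacing themes and plugins with fresh copies is still the safer fix.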
