Hacked - I guess...

Not sure if there is any use posting this but any comfort helps in this dark hour LOL

Woke up at 5am feeling something is wrong with my site and sure enough it was when I checked...

I can't log in to my WPMU/Buddypress site anymore because my pw is no longer valid and I can't get my pw reset because my email is no longer valid. Also the default theme displays again - I was using Blogs.mu before.

It seems like someone has changed my admin details...

I have contacted my host already (just yesterday I upgraded from shared to VPS and was planning to move the site today - crappy timing!)

right now I am scanning my computer with ClamXAV (using a Mac for my FTP needs)

I am trying to stay calm as suggested here: http://codex.wordpress.org/FAQ_My_site_was_hacked but I am freaking out deep inside, I launched this community a few weeks ago after building on it for 9 months and have started to receive a few members that now look at a broken site :slight_frown:

I have no real backup (wanted to change my sloppy backup habits after moving to the VPS - did I mention crappy timing?)

All I can do now is wait for my host to respond to my ticket and check how badly the site is compromised - or what else can I do now?

  • Toni
    • The Incredible Code Injector

    back out again...

    really messed up!

    now I see a "hacked by Saudi Arabian hackers" template which includes an email and support ID of some sort (comes with music too - quite fancy)...

    I guess they want me to pay a fee to unhack my site?

    I attached a screenshot of my misfortune maybe someone will get a laugh out of it - me I can't currently, perhaps when it's all back to normal (if ever)!

  • Jonathan
    • The Incredible Code Injector

    @Toni,

    If they managed to change your admin password, bet you $ you can't trust anything on your server. This is the only time I would suggest: find somebody who knows this sort of stuff, and pay him good money to clean and secure your site - before you move it over to the VPS.

    I know, it sucks to pay someone for this, but this is a specialized skill, and you will get what you pay for - top $ will ensure you salvage everything that you can.

    Then, find out how to avoid this on your vps - you aren't going to like the answers, they are a pain, but you learn to live with them :slight_smile:

    Jonathan

  • Jonathan
    • The Incredible Code Injector

    non-profit - ouch!

    Okay DIY - below are two posts, read them, read all the related posts, and google everything to find more info - you can do it yourself, it just takes a lot of time to find the info, hence pay someone. I've paid anything from $50 - $500+ per hour (standard consultant fees). I pay my lawyer, accountant, doctor the same set of fees (dollars are a guess - I live in a 3rd world country, so am converting).

    http://ottopress.com/2009/hacked-wordpress-backdoors/
    http://ottopress.com/2011/scanning-for-malicious-code-is-pointless/

    Have a look at this as well for later,
    http://codex.wordpress.org/Hardening_WordPress

    I'm sure there are clever people hanging around here, hoping they can offer some advice...

    Jonathan

  • Toni
    • The Incredible Code Injector

    Yeah ouch indeed,

    Thanks a lot for your help Jonathan :slight_smile:

    I will try to learn as much as I can as soon as the site is back up (fingers crossed)

    Hey if that skill is worth $50-$500 an hour I should quit my domaining job and learn this properly instead :smiley:

  • beturgo
    • Flash Drive

    Most hacks fall into 3 categories: lowest common denominator, po-ed (former) employee, competitors/enemies.

    Unless your non-profit has somehow made a Saudi hacker for an enemy this was probably a lowest common denominator hack. Call everything on the shared server a loss and start out the right way on the VPS.

    change the database name to something other than wordpress
    change the table prefix to something other than wp_
    don't create an account with the name admin
    delete wp-admin/install.php
    move wp-config.php into a non web accessible folder (http://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php)
    password protect the wp-admin directory
    set up automatic backups

    There is a lot more to do aside from this so as Jonathan said do lots of reading.

    Good luck

  • Jonathan
    • The Incredible Code Injector

    Yeah,

    Server maintenance and security is a specialized skill, no doubts about it. I know lots of people say they can, but like anything in life, you've got those who really can... and they charge top $ for it.

    All the best,
    I'm sure once on your vps you're going to have easy sailing - by learning some valuable lessons now. We all had to go through something in order to change something :slight_smile:

    Enjoy the education, learn the lesson... :slight_smile:
    Jonathan

    @beturgo,

    Excellent to do list :wink:

  • Toni
    • The Incredible Code Injector

    Thanks again guys :slight_smile:

    I appreciated your help very much!

    My host had to delete all files now (too much malware), and some other sites of mine in the account were affected as well (as predicted earlier)... don't ask me how I feel!

    I will start rebuilding tomorrow following your advice and doing further reading..

    I will keep my VPS clean - none of the sites in my shared account will make it to the VPS unless I rebuild them!!

  • Mason
    • DEV MAN’s Sidekick

    Ugh. This is so scary and painful. Sorry for your trouble.

    Jonathan's linked to some great resources. Being informed and setting sites up securely from the beginning is the best defense against this kinda thing. Would be interesting to find how they got in.

  • Toni
    • The Incredible Code Injector

    Thanks guys. It's great to have a host that doesn't let you down and many WP experts here at WPMU DEV that are willing to help :slight_smile:

    I will update later with what could have been the issue, still rebuilding my sites (I learned A LOT in the last 3 days)...

    I need some help with this (see screenshot):

    I have deleted this hack code as soon as I found it BUT it's still available in revisions...

    Do I need to worry about it?

    Can this potentially be harmful again if it still shows under revisions?

    Can content in my old database be potentially harmful too?

    Just worried they might launch a second attack!

  • Jonathan
    • The Incredible Code Injector

    @Toni,

    These guys have gone all out :slight_frown:

    I'm afraid your hack is beyond my skill set, but I can explain how to wipe all revisions...

    To delete and remove all existing post revision entries and rows from the WordPress database posts table, simply log in to the MySQL command-line interface, phpMyAdmin, SQLyog or other MySQL GUI tools. Select the appropriate WordPress database (if you have more than one database on the same server), and then issue the following command (it's usually recommended to back up the database before performing the deletion SQL statements, but in your case, I wouldn't recommend it)

    DELETE FROM wp_posts WHERE post_type = "revision";

    Your question: Can it, the old database and revisions be harmful.

    Simple answer - yes, it's all harmful, because you don't know for sure it isn't. So everything must be treated like a threat.

    You need to take your site offline! You need to find where they are getting in. You need to shut them out before you can salvage anything...

    You haven't got a backup? Do you have the last nine months worth of work you put in stored somewhere?

    Without a backup it's going to be hard... you're going to have to review your database, table by table, row by row.
    I would set up a WAMP install on my local PC (at home) and install a fresh WordPress, import your database etc. I wouldn't have my PC connected to the internet. I would start cleaning the database... etc etc. To salvage the info.
    You'll want to review your options table and your posts table especially — looking for any strange external references or content. If you've never looked at your database before, be warned. It's not fun — but it's a must.
    Again, I'm afraid your hack is beyond my skill set... hoping some smart people offer some assistance here...

    Jonathan
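Jonathan's post above says to delete the revisions and then review the posts and options tables for strange external references. The script below is an added example (not from the thread, and not a WordPress or WPMU DEV tool) that does both over a constructed sample, using in-memory SQLite in place of the MySQL database; the table layout, sample rows, patterns and the `site_host` value are assumptions chosen for illustration.

```python
import re
import sqlite3

SAMPLE_POSTS = [  # constructed sample: (ID, post_type, post_title, post_content)
    (1, "post", "Welcome", "<p>Hello members!</p>"),
    (2, "revision", "Welcome", '<p>Hello</p><iframe src="http://evil.example/x"></iframe>'),
    (4, "revision", "About", "<p>We are a non-profit.</p>"),
    (5, "post", "News", '<script src="http://evil.example/a.js"></script>'),
]
SAMPLE_OPTIONS = [  # constructed sample: (option_name, option_value)
    ("siteurl", "http://community.example"),
    ("active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}'),
    ("widget_text", 'eval(base64_decode("aGVsbG8="));'),
]

# Content patterns that have no business in a normal post or option value.
PATTERNS = [
    ("inline iframe", re.compile(r"<iframe\b", re.I)),
    ("remote script", re.compile(r"<script\b[^>]*\bsrc\s*=", re.I)),
    ("obfuscated php", re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
]
URL_HOST = re.compile(r"https?://([\w.-]+)", re.I)

def build_db(posts, options):
    """Load the sample rows into in-memory SQLite (stands in for the MySQL database)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE wp_posts (ID INTEGER, post_type TEXT, post_title TEXT, post_content TEXT)")
    con.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
    con.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", posts)
    con.executemany("INSERT INTO wp_options VALUES (?, ?)", options)
    return con

def delete_revisions(con):
    """Drop every stored revision, as in the thread's DELETE statement; returns rows removed."""
    cur = con.execute("DELETE FROM wp_posts WHERE post_type = 'revision'")
    con.commit()
    return cur.rowcount

def find_suspicious(con, site_host):
    """Walk wp_posts and wp_options; return (table, key, reasons) for rows worth a manual look."""
    findings = []
    for table, key_col, val_col in (("wp_posts", "ID", "post_content"),
                                    ("wp_options", "option_name", "option_value")):
        for key, value in con.execute(f"SELECT {key_col}, {val_col} FROM {table}"):
            reasons = [name for name, rx in PATTERNS if rx.search(value)]
            foreign = sorted({h.lower() for h in URL_HOST.findall(value)} - {site_host.lower()})
            reasons += [f"external host: {h}" for h in foreign]
            if reasons:
                findings.append((table, key, reasons))
    return findings
```

Run `find_suspicious` both before and after `delete_revisions`: a revision can carry injected content that the current post no longer shows, which is exactly why the thread treats the revisions as a risk rather than a harmless history.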

  • foodfriendfinder
    • The Incredible Code Injector

    Toni... check this site out http://www.spamtrawler.net/portal/content/ ... I believe you can block countries with their API and other features... I will be using it but waiting until the package is ready to be installed on my dedicated server (in the next month or so), but they do have single site security.
    Looking at the prices it looks reasonable but you can give them a shout.
    I have known the company for a year from the phpfox.com forums, whose software I also have, and he is committed to site security.
    Probably other companies too but this is the only one I have had contact with... Maybe other members have other contacts too.
    Good luck
