WordPress Site Hacked (using membership plugin)...Have some questions

Hey there WPMU guys,

I'm dealing with a hack on my website affiliatemade.tv

I recently got about thirty to sixty signups in about 3 days (a huge spike from what's normal), and they seemed to be strange (spam) email addresses.

Now I'm unable to log in to my site: when I go to "/wp-login.php" it sends me to "/login" and gives me a 404 redirect when I put in my credentials or click the 'forgot password' link. I'm wondering if you know of any vulnerabilities inside of the membership plugin (and/or have seen anything like this before with membership sites).

I'm in no way blaming this plugin, I just don't even know where to go from here and would LOVE some help...this plugin is AWESOME!

I have upgraded WordPress (deleting all files and uploading the latest version's files) and deleted all the plugins, expecting that someone may have put a script into one of those, and those steps have not solved my problem. I don't have TimThumb, so I didn't get hacked that way; it looks like it was through my signup page on my membership site or something...

My database files are backed up and I'm fine doing a new wp install, except for the fact that if the hack (or whatever's redirecting me to "/login" and giving me the 404) has been written into a database file, it will go back to how it was upon restoration of my db.

If I don't restore my membership db files, my existing users will be erased.
If you have a suggestion for me, I'm all ears. I just wanted to avoid 10-20 hours of additional work if you can help me out.

Thanks so much!

  • controlyours

    Hey there Barry,

    Here are some strange instances from around the time of the hack:

    222.186.24.27 - - [07/Sep/2011:04:58:30 -0400] "POST /signup/ HTTP/1.0" 200 15257 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
    222.186.24.27 - - [07/Sep/2011:04:58:31 -0400] "POST /signup/ HTTP/1.0" 200 14075 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
    222.186.26.208 - - [07/Sep/2011:05:52:55 -0400] "POST /signup/ HTTP/1.0" 200 15257 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
    222.186.26.208 - - [07/Sep/2011:05:52:57 -0400] "POST /signup/ HTTP/1.0" 200 14075 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
    222.186.24.25 - - [07/Sep/2011:06:00:13 -0400] "POST /signup/ HTTP/1.0" 200 15257 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
    222.186.24.25 - - [07/Sep/2011:06:00:14 -0400] "POST /signup/ HTTP/1.0" 200 14075 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
    117.41.184.8 - - [07/Sep/2011:06:00:39 -0400] "POST /signup/ HTTP/1.0" 200 15257 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"

    I'm not sure what to do with this knowledge however...
    My /login is not a separate directory; it was a page with a shortcode for login...but it is now gone.

    Do you think I should start with a fresh install?
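An added example (not from the original post, the plugin, or WPMU DEV) that reads the seven access-log lines quoted above and pulls out the signals that mark them as automated form abuse rather than a run of real signups: repeat POSTs from the same IP one or two seconds apart, a single identical User-Agent across different addresses, and how many signup POSTs land in the busiest hour. The `/signup/` path is taken from the log; the one-hour window and two-second gap are this example's own thresholds.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample input: the seven access-log lines quoted in the post,
# embedded verbatim so the script runs offline.
SAMPLE_LOG = """\
222.186.24.27 - - [07/Sep/2011:04:58:30 -0400] "POST /signup/ HTTP/1.0" 200 15257 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
222.186.24.27 - - [07/Sep/2011:04:58:31 -0400] "POST /signup/ HTTP/1.0" 200 14075 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
222.186.26.208 - - [07/Sep/2011:05:52:55 -0400] "POST /signup/ HTTP/1.0" 200 15257 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
222.186.26.208 - - [07/Sep/2011:05:52:57 -0400] "POST /signup/ HTTP/1.0" 200 14075 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
222.186.24.25 - - [07/Sep/2011:06:00:13 -0400] "POST /signup/ HTTP/1.0" 200 15257 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
222.186.24.25 - - [07/Sep/2011:06:00:14 -0400] "POST /signup/ HTTP/1.0" 200 14075 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
117.41.184.8 - - [07/Sep/2011:06:00:39 -0400] "POST /signup/ HTTP/1.0" 200 15257 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def signup_posts(text, path="/signup/"):
    """All POSTs to the signup form, in log order (access logs are already time-ordered)."""
    recs = (parse_line(l) for l in text.splitlines() if l.strip())
    return [r for r in recs if r and r["method"] == "POST" and r["path"] == path]


def peak_window(posts, window=timedelta(hours=1)):
    """Largest number of signup POSTs inside any span of length `window`, and that span's start."""
    best, best_start = 0, None
    for i, start in enumerate(posts):
        n = sum(1 for r in posts[i:] if r["ts"] - start["ts"] <= window)
        if n > best:
            best, best_start = n, start["ts"]
    return best, best_start


def rapid_resubmits(posts, max_gap=timedelta(seconds=2)):
    """Consecutive POSTs from one IP within max_gap: nobody refills a signup form in 1-2 seconds."""
    last, pairs = {}, []
    for r in posts:
        prev = last.get(r["ip"])
        if prev is not None and r["ts"] - prev <= max_gap:
            pairs.append((r["ip"], prev, r["ts"]))
        last[r["ip"]] = r["ts"]
    return pairs


def summarize(text):
    """The indicators a reviewer wants in one place."""
    posts = signup_posts(text)
    peak, peak_start = peak_window(posts)
    return {
        "total": len(posts),
        "per_ip": dict(Counter(r["ip"] for r in posts)),
        "distinct_user_agents": len({r["ua"] for r in posts}),
        "peak_per_hour": peak,
        "peak_start": peak_start,
        "rapid_resubmits": len(rapid_resubmits(posts)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the quoted lines this reports seven signup POSTs, three of them immediate resubmits from the same address, one User-Agent string shared by four different IPs, and five POSTs in the hour starting 05:52:55. Run it over the full log (`signup_posts(open("access.log").read())`) to see how far back the pattern goes and which addresses or ranges to block at the server.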

  • Barry

    OK, that is accessing a directory called signup. I assume you haven't created this, or is this the signup page for your membership plugin?

    I would wipe everything and re-install PHP-wise (WP and themes), backing up the database so you keep your settings. Have a look through the wp_users table and see if you spot anything strange - certainly delete all of the spammy email addresses.

    Once you are back up, then you can look at selectively restoring some tables, such as the membership ones so that you get the settings back again without having to manually rebuild things.
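An added example, not from the thread or from WordPress, of the wp_users review Barry suggests, done as queries rather than by eye. It uses the real wp_users and wp_usermeta column names on an in-memory sqlite3 database standing in for MySQL; the rows are constructed sample data (one long-standing admin, two genuine members, three accounts created during the spike from the log above, one of which has been given the administrator role). Two points it bakes in: WordPress stores user_registered in UTC, so the -0400 log times must be shifted by four hours before they can bound a query, and a role is not a column in wp_users but a serialized PHP array under the `<prefix>capabilities` key in wp_usermeta, so a backdoor admin only shows up in a join.

```python
import sqlite3
from datetime import datetime, timezone

# Minimal stand-in for the two WordPress tables involved (real column names).
SCHEMA = """
CREATE TABLE wp_users (
  ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
  user_registered TEXT, display_name TEXT);
CREATE TABLE wp_usermeta (
  umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
"""

# Roles are serialized PHP arrays in wp_usermeta, not columns in wp_users.
ADMIN = 'a:1:{s:13:"administrator";b:1;}'
SUBSCRIBER = 'a:1:{s:10:"subscriber";b:1;}'

# Constructed sample rows (ID, login, email, user_registered in UTC, capabilities).
# The last three fall inside the signup burst seen in the log (04:58-06:00 EDT = 08:58-10:00 UTC).
USERS = [
    (1, "barry", "barry@example.com", "2010-03-01 10:00:00", ADMIN),
    (2, "jane", "jane@example.org", "2011-06-14 18:22:05", SUBSCRIBER),
    (3, "tom", "tom@example.net", "2011-08-30 09:15:41", SUBSCRIBER),
    (4, "qwzx1982", "qwzx1982@mail.invalid", "2011-09-07 08:58:31", SUBSCRIBER),
    (5, "asdf7713", "asdf7713@mail.invalid", "2011-09-07 09:52:57", SUBSCRIBER),
    (6, "wpsupport", "root@mail.invalid", "2011-09-07 10:00:14", ADMIN),
]

# Spike window from the access log, converted to UTC and padded a few minutes each side.
SPIKE_START_UTC = "2011-09-07 08:50:00"
SPIKE_END_UTC = "2011-09-07 10:10:00"


def to_utc(apache_ts):
    """Convert an Apache log timestamp such as '07/Sep/2011:04:58:30 -0400' to WP's UTC format."""
    t = datetime.strptime(apache_ts, "%d/%b/%Y:%H:%M:%S %z")
    return t.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def open_sample_db():
    """In-memory database loaded with the constructed rows; swap for a MySQL connection on a real site."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?,?)",
                     [(i, login, email, reg, login) for i, login, email, reg, _ in USERS])
    conn.executemany("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?,?,?)",
                     [(i, "wp_capabilities", caps) for i, _, _, _, caps in USERS])
    conn.commit()
    return conn


def registered_between(conn, start_utc, end_utc):
    """Accounts created inside the spike window: (ID, login, email) tuples, oldest first."""
    return conn.execute(
        "SELECT ID, user_login, user_email FROM wp_users "
        "WHERE user_registered BETWEEN ? AND ? ORDER BY user_registered",
        (start_utc, end_utc)).fetchall()


def administrators(conn, prefix="wp_"):
    """Every login holding the administrator role; any you did not create is a backdoor."""
    return [r[0] for r in conn.execute(
        "SELECT u.user_login FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = ? AND m.meta_value LIKE '%administrator%' ORDER BY u.ID",
        (prefix + "capabilities",))]


def delete_users(conn, ids):
    """Remove the accounts and their usermeta rows; returns the logins that remain.
    A membership plugin may keep its own per-user tables, which this does not touch."""
    ids = list(ids)
    marks = ",".join("?" * len(ids))
    conn.execute(f"DELETE FROM wp_usermeta WHERE user_id IN ({marks})", ids)
    conn.execute(f"DELETE FROM wp_users WHERE ID IN ({marks})", ids)
    conn.commit()
    return [r[0] for r in conn.execute("SELECT user_login FROM wp_users ORDER BY ID")]


if __name__ == "__main__":
    db = open_sample_db()
    suspects = registered_between(db, SPIKE_START_UTC, SPIKE_END_UTC)
    print("registered during spike:", suspects)
    print("administrators before cleanup:", administrators(db))
    print("remaining after deletion:", delete_users(db, [row[0] for row in suspects]))
    print("administrators after cleanup:", administrators(db))
```

Review the `registered_between` list before deleting anything, since a real member can sign up in the same hour as a bot run; the administrator list, by contrast, should contain exactly the people you know, and every extra entry is a reason to rotate all passwords and the salts in wp-config.php even after the account is gone.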

  • controlyours

    Thanks for the help Barry! It was a combination of a username/password hack and a deletion of our login page (our theme's functions.php was set up to redirect to "/login" and was creating a loop)...which makes sense of why, when we tried a new theme, the backend worked great.

    It is now fixed and the vulnerabilities are taken care of:
    Somehow our .htaccess file had '777' permissions as well; this could have been the door that allowed them in, even though this access file wasn't modified.

    Thanks again for helping us think through some things!
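An added example, not from the thread, for the last point raised above: a world-writable .htaccess means any other account or compromised process on the same host can rewrite it (adding redirects is the classic use), whether or not it happens to have been touched this time. The script walks a web root, lists everything with the other-write bit set, and resets modes to a conventional WordPress layout. That layout (directories 755, files 644, .htaccess 644, wp-config.php 640) and the sample tree it builds in a temporary directory are this example's assumptions; on a real site run `world_writable()` first and look at the list before `harden()`.

```python
import os
import stat
import tempfile

# Target modes: assumed conventional WordPress layout, with the two files an
# attacker most wants to write locked down a little further.
TARGETS = {".htaccess": 0o644, "wp-config.php": 0o640}
DIR_MODE, FILE_MODE = 0o755, 0o644


def mode_of(path):
    """Permission bits only (no file-type bits), e.g. 0o777."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def world_writable(root):
    """Sorted relative paths under root that any local user can write (o+w); symlinks skipped."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(full, root))
    return sorted(found)


def harden(root):
    """Reset every directory and file under root to its target mode; returns the paths changed."""
    changed = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full) and mode_of(full) != DIR_MODE:
                os.chmod(full, DIR_MODE)
                changed.append(os.path.relpath(full, root))
        for name in filenames:
            full = os.path.join(dirpath, name)
            want = TARGETS.get(name, FILE_MODE)
            if not os.path.islink(full) and mode_of(full) != want:
                os.chmod(full, want)
                changed.append(os.path.relpath(full, root))
    return sorted(changed)


def make_sample_tree():
    """Constructed web root showing the mistakes the post describes: .htaccess at 777,
    plus a world-writable uploads directory holding a writable PHP file."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    files = [
        (".htaccess", 0o777),
        ("wp-config.php", 0o644),
        ("index.php", 0o644),
        (os.path.join("wp-content", "uploads", "x.php"), 0o666),
    ]
    for rel, mode in files:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("")
        os.chmod(path, mode)
    os.chmod(uploads, 0o777)
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    print("world-writable before:", world_writable(root))
    print("changed:", harden(root))
    print("world-writable after:", world_writable(root))
```

Permission bits only limit other local users and processes; the web server's own user still needs write access where uploads land, so a writable uploads directory is normal as long as PHP execution is disabled there and the bit in question is group or owner write, not world write.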