Another Hacker

Over the weekend, I spent several hours cleaning up yet another hacker who had infiltrated my server account.  I became aware of him only after upgrading a couple of my WordPress installations from 2.5 to 2.5.1, only to find that the version number shown in my dashboard still showed 2.5.  I searched the WordPress support forums and didn’t find anything useful for a while – until I came across a link to this blog entry detailing the symptoms of a known hacker and how to look for and clean up after him.  Sure enough, I found the presence of an unwanted text file, as well as a WordPress user who only showed up in the DB (and nowhere else) and an active plugin (that also showed up only in the DB and nowhere else) that pointed to a file in the tmp directory at the root of my server account.  I’ve had to go through every database and certain tables to find traces of this guy and purge him out.  Most of the WordPress installations on my account are still offline as I work through changing passwords to the DB and user passwords to WordPress and bring each back online one by one.  It’s time-consuming and messy. 

Interestingly, solving this problem also remedied problems I’ve been having with the new WP 2.5 Media Uploader.  A couple of weeks back, the uploader suddenly stopped working, asking the user to log in again while trying to upload a file and then returning a 404 error and failing on the upload.  I thought the problem was with WP 2.5 itself, but now I believe it to be another symptom of this hacker’s presence in my system.  I’m happy that things are working better now, but I’m going to be much more vigilant in the future to this sort of tampering.  I highly recommend reading the above linked article and checking your own setup for the presence of a hacker.

Sometimes I think hackers deserve their own special corner of the hot place.
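The "active plugin that shows up only in the DB" symptom can be checked mechanically. The sketch below is an added example, not code from this post or the linked article: WordPress keeps the list of active plugins as a PHP-serialized array in the `active_plugins` row of its options table, with each entry a path relative to `wp-content/plugins`, so any entry that climbs out of that directory or has no matching file on disk deserves a look. The function names and the sample data are hypothetical and constructed; in practice you would pass in the value read from the database and the file list gathered from the plugins directory.

```python
import re

ELEMENT = re.compile(rb'i:\d+;s:(\d+):"')

def parse_active_plugins(serialized):
    """Decode a PHP-serialized list of strings such as a:1:{i:0;s:9:"hello.php";}."""
    data = serialized.encode("utf-8")
    head = re.match(rb"a:(\d+):\{", data)
    if not head:
        raise ValueError("not a serialized PHP array")
    pos, entries = head.end(), []
    for _ in range(int(head.group(1))):
        m = ELEMENT.match(data, pos)
        if not m:
            raise ValueError("unexpected element at byte %d" % pos)
        end = m.end() + int(m.group(1))      # s:N counts bytes, not characters
        if data[end:end + 2] != b'";':
            raise ValueError("string length mismatch at byte %d" % pos)
        entries.append(data[m.end():end].decode("utf-8"))
        pos = end + 2
    if data[pos:] != b"}":
        raise ValueError("trailing data after array")
    return entries

def suspicious_plugins(serialized, files_on_disk):
    """Return (entry, reason) for active plugins that are not real plugin files."""
    findings = []
    for entry in parse_active_plugins(serialized):
        parts = entry.replace("\\", "/").split("/")
        if parts[0] == "" or ".." in parts:
            findings.append((entry, "path leaves wp-content/plugins"))
        elif "/".join(parts) not in files_on_disk:
            findings.append((entry, "no such file under wp-content/plugins"))
    return findings

def php_list(items):
    """Serialize strings the way PHP would; used only to build the sample."""
    body = "".join('i:%d;s:%d:"%s";' % (i, len(s.encode("utf-8")), s)
                   for i, s in enumerate(items))
    return "a:%d:{%s}" % (len(items), body)

# Constructed sample: one real plugin, one entry pointing at a tmp file,
# and one entry that exists only in the database.
SAMPLE = php_list(["akismet/akismet.php", "../../../tmp/example.txt", "ghost/ghost.php"])
ON_DISK = {"akismet/akismet.php", "hello.php"}   # relative to wp-content/plugins

if __name__ == "__main__":
    for entry, reason in suspicious_plugins(SAMPLE, ON_DISK):
        print("%-28s %s" % (entry, reason))
```

The same comparison of database contents against what the dashboard and filesystem show applies to the user table: an account present in the DB but not listed in the admin screen is the other symptom described above.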

6 Comments

  1. Posted April 28, 2008 at 12:27 pm

    I think hackers, spammers, and people who write viruses need shot.

  2. Posted April 28, 2008 at 1:09 pm

    re: Mari – And I think even that might be too merciful.  I know what drives these people to do these things, but I don’t think I’ll ever completely understand it.

  3. Posted April 28, 2008 at 1:18 pm

    I don’t get it either. :(

  4. SeismicMike
    Posted April 30, 2008 at 1:58 am

    What server are you running?

  5. Posted April 30, 2008 at 11:05 am

    re: SeismicMike – Apache 2.2.8, PHP 5.2.5, MySQL 5.0.45 on a Linux box.  Thing is, though, it’s not a server vulnerability the hacker exploited but a WordPress one.  Granted, I’m updated now, so the vulnerability has subsequently been patched, but still – he got in the back door and messed things up a bit.  I’m hoping to have the rest of the site back online by this weekend.

  6. Mandie
    Posted May 11, 2008 at 3:00 am

    Uhm, I don’t know if this is a related issue or something completely different – but I can’t get my passwords to work on any of the protected sites I’m on or to get to the admin section of mandm . . . and I’m pretty sure I’m typing them correctly.  I haven’t said anything b/c I know the whole ordeal with the hacker is stressful and time consuming, but it’s been a while so I thought I’d let you know.
