Shamus Writes

Another Hacker

2008 April 28th
6 Comments

Over the weekend, I spent several hours cleaning up yet another hacker who had infiltrated my server account.  I became aware of him only after upgrading a couple of my WordPress installations from 2.5 to 2.5.1, only to find that the version number shown in my dashboard still showed 2.5.  I searched the WordPress support forums and didn’t find anything useful for a while – until I came across a link to this blog entry detailing the symptoms of a known hacker and how to look for and clean up after him.  Sure enough, I found the presence of an unwanted text file, as well as a WordPress user who only showed up in the DB (and nowhere else) and an active plugin (that also showed up only in the DB and nowhere else) that pointed to a file in the tmp directory at the root of my server account.  I’ve had to go through every database and certain tables to find traces of this guy and purge him out.  Most of the WordPress installations on my account are still offline as I work through changing passwords to the DB and user passwords to WordPress and bring each back online one by one.  It’s time-consuming and messy.

Interestingly, solving this problem also remedied problems I’ve been having with the new WP 2.5 Media Uploader.  A couple of weeks back, the uploader suddenly stopped working, asking the user to log in again while trying to upload a file and then returning a 404 error and failing on the upload.  I thought the problem was with WP 2.5 itself, but now I believe it to be another symptom of this hacker’s presence in my system.  I’m happy that things are working better now, but I’m going to be much more vigilant in the future to this sort of tampering.  I highly recommend reading the above linked article and checking your own setup for the presence of a hacker.

Sometimes I think hackers deserve their own special corner of the hot place.

Filed under thoughts
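The "active plugin that only shows up in the DB" symptom from the post above can be checked directly against the database. This is an added example, not code from the original post: it relies on WordPress storing its active plugins in the `active_plugins` option as a PHP-serialized list of paths relative to `wp-content/plugins`, and the sample value and file names in it are constructed.

```python
import pathlib
import posixpath
import re

# One element of a PHP-serialized list of strings: i:<index>;s:<byte length>:"
_ITEM = re.compile(rb'i:\d+;s:(\d+):"')

def parse_active_plugins(option_value: bytes) -> list[str]:
    """Decode the serialized array taken from the active_plugins option row."""
    head = re.match(rb'a:(\d+):\{', option_value)
    if not head:
        raise ValueError("not a PHP-serialized array")
    pos, entries = head.end(), []
    for _ in range(int(head.group(1))):
        m = _ITEM.match(option_value, pos)
        if not m:
            raise ValueError(f"unexpected data at byte {pos}")
        start, length = m.end(), int(m.group(1))
        end = start + length  # trust the declared length, not the quotes
        if option_value[end:end + 2] != b'";':
            raise ValueError(f"string at byte {start} has a wrong length")
        entries.append(option_value[start:end].decode("utf-8", "replace"))
        pos = end + 2
    return entries

def plugin_files(plugins_dir: str) -> set[str]:
    """Relative paths of the PHP files that really exist under wp-content/plugins."""
    root = pathlib.Path(plugins_dir)
    return {p.relative_to(root).as_posix() for p in root.rglob("*.php")}

def audit(entries: list[str], files_on_disk: set[str]) -> dict[str, str]:
    """Flag entries that leave the plugins directory or have no file behind them."""
    findings = {}
    for entry in entries:
        norm = posixpath.normpath(entry)
        if entry.startswith("/") or norm == ".." or norm.startswith("../"):
            findings[entry] = "resolves outside the plugins directory"
        elif norm not in files_on_disk:
            findings[entry] = "no matching file in the plugins directory"
    return findings

# Constructed sample value (not taken from any real site).
SAMPLE = (b'a:3:{i:0;s:19:"akismet/akismet.php";'
          b'i:1;s:23:"../../../tmp/sample.txt";i:2;s:13:"gone/gone.php";}')

if __name__ == "__main__":
    # In real use: audit(parse_active_plugins(value), plugin_files("wp-content/plugins"))
    for entry, why in audit(parse_active_plugins(SAMPLE), {"akismet/akismet.php"}).items():
        print(f"{entry}: {why}")
```

Run it against the option value exported from each WordPress database on the account, since every installation keeps its own list.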

Griefing Hackers

2008 March 31st
0 Comments

People like this ought to be given a taste of their own medicine.  (Source: Boing Boing)

Filed under Asides

Nearly Hacked

2008 February 13th
4 Comments

So, apparently my blog underwent a minor attack last night.  I woke up this morning to an email saying that my new blog had been set up at shamuswrites.com.  Now this sent a slight cold chill down my back, since I clearly already have a blog here.  The email gave the typical administrative username, but what really made my blood run cold was the next part that read, “Password: Inherited.” I checked the site, and sure enough, what I saw was the initial setup screen that asks for the name of your new blog and an email address for the administrator.  Not good.  Not good at all.

My next step, then, was to log in to phpMyAdmin and double-check the database for my blog.  All the tables were present and accounted for, and the sizes looked about like they should for 4.5 years of blogging.  So, I backed up the database real quick and then repaired all tables (since I’ve had problems with a table breaking in the past and messing up my blog).  After that, everything came back to working order again, which is a huge relief.

My theory is that someone tried to access the install.php file, probably by a roundabout means, in an attempt to either access my site or corrupt it irreparably.  The attempt clearly failed, but it did nearly cause me a minor heart attack.  I’ve since deleted both the install.php and upgrade.php files, just to prevent this sort of thing from happening again.  In theory, not deleting them shouldn’t cause any harm, since accessing them after an install or an upgrade generally only returns a message saying you’ve already done that, but I also wouldn’t be at all surprised if hackers have found ways to exploit those files for their own amusement.  I’ll likely make a point of backing up all my DBs on a more regular basis now (especially since SSH makes it so darn fast and easy to do), just to make sure that if I do get hacked at some point in the future, it will be an easy task to return things to a general state of order again.

Filed under WordPress