2.2 Hacked

I did a google search for my domain and ‘hacked’ yesterday and found myself on a list.

I don’t really know what they think attacking the site of a dog walker is going to accomplish.

It’s so annoying that I can’t see how they’re doing it though. I really thought I had everything locked down yesterday =/

judging by the log you sent me — theyre just logging in, and once logged in have the proper permissions.

You said you created a new database? Do you have any users registered since that new db went live??

They also made posts — who was the author of the posts? You?? or someone else?

It’s an old db from before all the hackings started happening but I had created a new user and password after the second time they hacked me, to try stop them getting into it. I’m going to change my database username and password again now I think.

I only ever have one wp user (myself) in the db and there are never others as I don’t even have registration set up.

When it happens, they seem to have added a new user to my db and deleted me, so i can’t log in any more. I have to go into phpmyadmin, drop the tables, import my old db again, go log into wp and change the wp password, then save the db again for backup with the new password… or I lose track of the password changes!

I just can’t see how they could access my db to add themselves as a wp user, it’s like there’s a piece of the puzzle missing.

The last hack was posts of their mess and not my entire theme changed — because I turned all of my theme’s file permission 644 so no more theme editor for them to use when they logged in

I just can’t see how they could access my db to add themselves as a wp user, it’s like there’s a piece of the puzzle missing.

There’s a difference between the WordPress user/password and the database user/password. Which have you been changing?

If you have not been actually changing the database user/password and editing wp-config.php to match, then they may have that information and can thus get in whenever they like.

The database password is not something you can change within WordPress itself. You need phpMyAdmin to do that sort of thing, or your hosts tools. cpanel, maybe.

Otto42, I change the wordpress password every time it happens but I changed the database username and password in mysql maintenance after the second time I was hacked. I’ve just changed it again too =)

There is also the possibility that they have access to some other site on your shared server and are able to read your wp-config.php file even despite your changes. If this is the case, not much can help you except to move to another server or get a dedicated server or get another host or something. You can try setting your wp-config.php file to lower permissions as well.

Try these permissions on the wp-config.php file: 400, 440, 444. Use the lowest number that allows the website to continue to function. If you find that you have to use 444, then you may not be secure on that server regardless of what you do.

Another trick I like to use from time to time: If these are truly idiot script kiddies, then they could be fooled by simple obfucation…

You could run this script on your server somewhere:

<?php
echo convert_uuencode('newpassword');
?>

to get an encoded version of your password. Then change wp-config.php to look like this:
define('DB_PASSWORD', convert_uudecode('ENCODEDTEXTHERE'));

Okay, so that’s easily defeated by anybody with a clue, but it sometimes stops kiddies. You can do the same with base64_encode and base64_decode instead, if you like.

Thanks Otto42, I’ve changed the config files on both of my sites to 444 which was the lowest it would work at and I’ll see if I get through my first none hacked night since it started =)

Your other suggestion looks fun and sneaky to try though lol

They got me again, same thing, changed the admin password in my database and then logged in to wp and posted their mess.

My config was 444, now I’m so confused =(

Like I said above:
If you find that you have to use 444, then you may not be secure on that server regardless of what you do.

444 is *not* secure. That means it’s world readable, anybody else on your shared server can read the wp-config.php file.

I would complain to your host or get a new host.

Yeah, I’ve been trying to get a response from them since Friday and nothing… I think they probably have an influx of angry customers

Thanks for the help Otto42 =)

With WP 2.2.1 on Bluehost.com, chmod 0400 wp-config.php seems to be working OK. I haven’t tested it extensively, but the site runs fine so far.

I can’t remember where I read it now, it *was* an SQL site, but the issue of wp-config.php was raised as being a security issue as it’s normally 644 and on the website. There was a workaround – damn where was that link? – to place the MySQL database password outside of the web branch and still get it to work. The point of the article was there are security issues with the SQL pass being on the website aside from any shared hosting environment issues.

wp-config.php has always given me the willies regarding SQL access.
Much happier that chmod 0400 seems to be OK with this critical file.

Sorry it took so long for me to update =)

I left my host and got a new one. I think they screwed up big! I’m not sure how people got into my blog – I can only assume it did have something to do with people getting my password from the config – but like I say, that’s just an assumption.

Anyway,

Thanks for the help you all gave. When things go badly wrong, it’s nice to know that there are people willing to help

x

Ummm – I am having a completely different problem. Last night/this morning – I suddenly found my blog with a new screen that showed the Welcome screen for the site.

I tried the install/upgrade path – it complained about a lot of tables missing – and then said it was done. Then, it started to have me go through the setup path all over again.

I deleted all of the files as instructed, and reinstalled the new code. Now I can not recover my site – the database was already blown.

Any idea what happened?

https://www.abigailsxratedteendiary.com

And – FYI – this started around 9am this morning…

sdickert: Please don’t bring up months and months old posts with different problems. Start your own thread instead.