• I searched for my old thread in the forums, but it’s gone…

    On Apr. 15 several files were added to my wp install (I’m on 2.5); most were in the form ad_xxx.php – like ad_akismet.php in the akismet plugin folder, and several others. Even one in the root of the install.

    I deleted the files; I changed my password (admin and mysql); today I find a file I missed: wp-stats.php in the root of the blog install. Added on the same date as the other files. So, I deleted that.

    However, I saw the post about creating a “secret key” at the top of the forum. Last night, I was looking thru the database (checking for rogue admins, etc) and I noticed an option: secret with a big, long value like the post suggests. But, I didn’t create it AFAIK. And I don’t have it defined in my wp-config.php.

    Now, I’m getting worried that this goes deeper than I had thought. Should I delete it? Or try to add my own? or export all my posts and reinstall from the get-go?

Viewing 3 replies - 1 through 3 (of 3 total)
  • You may want to change your passwords and reupload all of your admin and include folder files and the main directory files, then check file sizes once in a while.

    I remove the install.php and the import filters that I don’t use. However, plugins can also cause security problems. For instance, even the WordPress RSS Syndicate Plugin has an option to make a number of user accounts, and they can be created automatically, which is dangerous.

    Someone made a page about hardening WP.

    Maybe look at
    https://codex.www.ads-software.com/Changing_File_Permissions

    https://codex.www.ads-software.com/Hardening_WordPress

    I have the same field in my options table. It might be that the default field “secret” was created in the database on installation with a generic initial value, and you are looking at that value hashed. Then it follows that you change it to a unique string by making the suggested addition to wp-config. I’m speculating here; we’ll hope a developer or moderator comes along and sets us straight.

    Thread Starter nicollb

    (@nicollb)

    I have changed passwords (wordpress and mysql), added the secret_key (before 2.5.1 hit); ferreted out the group of files (ad_*.php and one other) that were sprinkled through my WP file system. I also just upgraded to 2.5.1.

    I’d already done almost everything in the Hardening_Wordpress prior to this happening… and my file permissions are pretty tight because my hosting service has php-cgiwrap available, so the web process writes my files as my username (so I don’t need world writable) — but I think this hack went in through the web so that didn’t really help.

    Of course, I’m curious about the security issue that 2.5.1 fixes – I’m suspicious enough that it bit me, but I wasn’t good enough to figure out how.

    Thanks for the suggestions – I do wish a developer would pass by and offer help on the Secret option (like, should it be there at all?)

  • The topic ‘Cleaning up after being hacked (wp 2.5)’ is closed to new replies.
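
The cleanup described in this thread (hunting down ad_*.php and wp-stats.php, re-uploading core files, checking file sizes) can be done systematically by hashing the live install against a freshly downloaded copy of the same WordPress release. This is an added example, not code from the thread or from WordPress; the function names, the EXPECTED_EXTRA list and the sample trees are assumptions constructed for illustration.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# File names reported in the thread; extend with whatever turns up on your own site.
SUSPECT_PATTERNS = ("ad_*.php", "wp-stats.php")
# Files a healthy install has that the release archive does not (assumption).
EXPECTED_EXTRA = ("wp-config.php",)

def tree_hashes(root):
    """Map each file's path relative to root to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(install_root, clean_root):
    """Compare a live install with a pristine copy of the same release."""
    installed, clean = tree_hashes(install_root), tree_hashes(clean_root)
    report = {"suspect_name": [], "extra": [], "modified": []}
    for rel in sorted(installed):
        base = rel.rsplit("/", 1)[-1]
        if any(fnmatch.fnmatchcase(base, pat) for pat in SUSPECT_PATTERNS):
            report["suspect_name"].append(rel)
        if rel not in clean and rel not in EXPECTED_EXTRA:
            report["extra"].append(rel)        # present on the site, absent from the release
        elif rel in clean and installed[rel] != clean[rel]:
            report["modified"].append(rel)     # same path, different contents
    report["missing"] = sorted(set(clean) - set(installed))
    return report

def demo():
    """Constructed sample trees: a clean release and a tampered install."""
    clean_files = {"index.php": "<?php // core", "wp-login.php": "<?php // login",
                   "wp-content/plugins/akismet/akismet.php": "<?php // akismet"}
    live_files = {**clean_files, "wp-config.php": "<?php // site settings",
                  "wp-login.php": "<?php // login, altered",
                  "wp-stats.php": "<?php // dropped file",
                  "wp-content/plugins/akismet/ad_akismet.php": "<?php // dropped file"}
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in (("clean", clean_files), ("live", live_files)):
            for rel, body in files.items():
                path = Path(tmp, tree, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
        return audit(Path(tmp, "live"), Path(tmp, "clean"))

if __name__ == "__main__":
    print(demo())
```

Point `audit()` at the live install and an unpacked archive of the exact release you run. Plugins and themes that are not in that archive appear under `extra` and need to be checked against their own clean copies.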