• I had several WordPress sites hacked by the script kiddie calling himself Sn!PeR-BaGhDad.

    After doing some searches I found that there are thousands of WP sites that have been hacked by this script kiddie. I have recovered my sites, but I would like to share some information that might help us identify how the sites are being compromised.

    This script kiddie defaces the front page of WP with a message which includes his email address [email protected] so you can find out “What A Hell We Doing HeR”…

    On my sites, the script kiddie also changed the admin login information. On each of the sites the admin login name was changed to admin1 and a new password was set.

    After checking my FTP and cPanel logs I have verified that FTP and cPanel were NOT compromised. Each site had a different secure FTP password so I figured this was unlikely anyway.

    It might be possible that all the WP passwords were brute forced, but this is probably unlikely also because each site had a different password and they were selected as strong passwords.

    As for plugins and themes, well two of the sites were brand new fresh WP installs of version 2.9.2 (latest version at this time) and had NO plugins or themes installed, no posts or anything changed from the default install.

    This leads me to believe that code could have been injected through a vulnerability in the default WordPress installation.

    I am interested in learning how my sites and other sites affected by this script kiddie were compromised. If anyone has further information about this script kiddie please post here.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Did you contact your host to inform them and find out if anyone else had their site hacked from the same server (if you’re on a shared server)?

    Thread Starter ProfitProphet (@profitprophet)

    Yes, I did. I am on a shared server, but they said there was not any evidence of other sites on the server being hacked. My host seemed to think it was an exploit from a plugin or theme I was using, but that does not explain the fresh installs being hacked which had no themes or plugins other than the default 2.9.2 installs.

    Most of the sites that I have on my unlimited account with “JustHost” were also hacked last night. The thing that gets me is a couple were spared, but some of those affected included Joomla sites. It seems to be quite a random attack.

    Is there no solution to this as yet? From the age of previous posts, it looks like this isn’t a new thing. Several friends have their websites on my account and I’d really like to be able to restore things to as they were previously. Any thoughts?

    Thanks!

  • The topic ‘Hacked by Sn!PeR-BaGhDad – Some Info’ is closed to new replies.