Help for a hacked site (10 posts)

Topic tags: hacked
  • Ed Altman said 1 year, 9 months ago:

    Hi all –

    My site has been (and is still being) hacked. I am getting ads showing on the site in posts and links (so far) for drugs for impotence. (I won’t repeat here – I don’t want this post to be rejected.)

    I’m trying to understand exactly how these posts get in there and, more importantly, how to eradicate the problem. Possibly useful information below:

    - I immediately changed the password on my admin account to no avail.
    - I do not allow subscribers – I set up all the user accounts.
    - I want to change the password on my database but I can’t remember what it was (yes, that’s embarrassing to write, but it’s the truth).
    - No sign of unusual users in my list of 60 of them (so it’s easy to check).

    Is it possible these attacks occurred starting with a subscriber who had a less than stellar browser (e.g. IE6)?

    Is there really any way to clean this up without reinstalling a new, clean copy of my installation? I’m afraid that bringing anything along will bring the problem along as well.

    Any help would be great!

    Thanks in advance,
    ed

  • Steve said 1 year, 9 months ago:

    Ed – have you contacted your host? They may be able to help.

  • Ed Altman said 1 year, 9 months ago:

    Hi Steve –

    I have not contacted them yet. Are you talking about contacting them about 1) my (embarrassingly) missing database password, 2) questions about the hacking, or 3) something completely different?

    Thanks,
    ed

  • Dr Ron Suarez said 1 year, 9 months ago:

    This worked for me in 2009 – How To Completely Clean Your Hacked WordPress Installation | Smackdown! http://bit.ly/qG5wsf

  • Ed Altman said 1 year, 9 months ago:

    Dr. Ron – Thanks for this link. It’s a good post. This sounds like it’s going to be done this weekend – not during the week.

    A couple of comments and questions if you have any answers.

    To make sure I understand… this article suggests the hacking is coming from within the WordPress source files (php, etc.) and that I’d need to clean them all out and reinstall. (I have shell access to delete and will use my ISP to reinstall a fresh instance.)

    So I can restore the database because at this point, even though the database may have crap left (although I have searched it), there’s no executable code in the database?

    FYI – My hack is visible, as opposed to this writeup and many others where the hack is manifested invisibly (to hurt the SEO ratings).

    Are there any other gotchas that I need to worry about, especially with respect to plugins, or if I reinstall the same plugins I should have the same settings?

    Thanks,
    ed

  • Joly MacFie said 1 year, 9 months ago:

    There is a plugin called ‘Exploit Scanner’ which will pick up anything suspicious in your core files, but not if it’s in your SQL.

    After hearing Steve mention it I have installed WordPress Firewall and I do periodically see it blocking what appear to be SQL-injection attacks.

    This is why it’s a good idea to run an auto backup plugin like ‘DBC Backup’.

    j

  • Ed Altman said 1 year, 9 months ago:

    Thanks Joly

    I found Exploit Scanner yesterday and installed it but it gave me a lot of results that I didn’t have time to go through at work. After the refresh, I will install and run it – and then I’ll get a baseline for future runs.

    I have just installed WordPress Firewall – although it feels like closing the barn door after the horse is gone? :-)

    How does this sort of attack vector happen? Is it through older browsers used by our users? We are a very small group – but for a subset of the group, technologically deficient, in some cases, users probably are still running IE6. I did get a note saying someone’s email had been hacked – so I wonder if there’s any connection.

    Thanks for your help.
    ed

  • Dr Ron Suarez said 1 year, 9 months ago:

    One of the reasons we see upgrades to WordPress is because hackers discover vulnerabilities in the code and patches get created to fix the vulnerability. If you don’t upgrade your WordPress installation fast enough then you become a victim.

  • D.K. Smith said 1 year, 9 months ago:

    I can either fix this or lead you down the correct path. Drop me a note @wpsecurity with your URL, etc.

  • James P said 1 year, 9 months ago:

    I found the steps in here: http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php to be effective. It’s a little less work than the previously linked solution.

    Also, please note Google will have to re-crawl your site after you’ve removed the exploit for the ads to go away in the search results.