[Ed Altman]

Hi all –

My site has been (and is still being) hacked. I am getting ads showing on the site in posts and links (so far) for drugs for impotence. (I won’t repeat here – I don’t want this post to be rejected.

I’m trying to understand exactly how these posts get in there and, more importantly, how to eradicate the problem. Possibly useful information below:

– I immediately changed the password on my admin account to no avail.
– I do not allow subscribers – I set up all the user accounts.
– I want to change the password on my database but I can’t remember what it was (yes, that’s embarrassing to write, but it’s the truth).
– No sign of unusual users in my list of 60 of them (so it’s easy to check).

Is it possible these attacks occurred starting with a subscriber who had a less than stellar browser (e.g. IE6)?

Is there really any way to clean this up without reinstalling a new, clean copy of my installation? I’m afraid that bringing anything along will bring the problem along as well.

Any help would be great!

Thanks in advance,
ed

[Steve]

Ed– have you contacted your host? They may be able to help.

[Ed Altman]

Hi Steve –

I have not contacted them yet. Are you talking about contacting them about 1) my (embarrassingly) missing database password, 2) questions about the hacking, or 3) something completely different ??

Thanks,
ed

[Dr Ron Suarez]

This worked for me in 2009 – How To Completely Clean Your Hacked WordPress Installation | Smackdown! http://bit.ly/qG5wsf

[Ed Altman]

Dr. Ron – Thanks for this link. It’s a good post. This sounds like it’s going to be done this weekend – not during the week.

A couple of comments and questions if you have any answers.

To make sure I understand… this article suggests the hacking is coming from within the WordPress source files (php, etc.) that I’d need to clean them all out and reinstall. (I have shell access to delete and will use my ISP to reinstall a fresh instance.)

So I can restore the database because at this point, even though the the database may have crap left (although I have searched it) there’s no executable code in the database?

FYI – My hack is visible, as opposed to this writeup and many others where the hack is manifested invisibly (to hurt the SEO ratings).

Are there any other gotchas that I need to worry about, especially with respect to plugins, or if I reinstall the same plugins I should have the same settings?

Thanks,
ed

[Joly MacFie]

There is a plugin called ‘exploit scanner’ which will pick up anything suspicious in your core files, but not if it’s in your sql.

After hearing Steve mention it I have installed WordPress Firewall and I do periodically see it blocking what appear to be sql-injection attacks.

This is why it’s a good idea to run an auto back up plugin like ‘DBC Backup’

j

[Ed Altman]

Thanks Joly

I found Exploit Scanner yesterday and installed it but it gave me a lot of results that I didn’t have time to go through at work. After the refresh, I will install and run it – and then I’ll get a baseline for future runs.

I have just installed WordPress Firewall – although it feels like closing the barn door after the horse is gone? 🙂

How does this sort of attack vector happen? Is it through older browsers used by our users? We are a very small group – but for a subset of the group, technologically deficient, in some cases, users probably are still running IE6. I did get a note saying someone’s email had been hacked – so I wonder if there’s any connection.

Thanks for your help.
ed

[Dr Ron Suarez]

One of the reasons we see upgrades to WordPress is because hackers discover vulnerabilities in the code and patches get created to fix the vulnerability. If you don’t upgrade your WordPress installation fast enough then you become a victim.

[D.K. Smith]

I can either fix this or lead you down the correct path. Drop me a note @wpsecurity with your URL, etc.

[James P]

I found the steps in here: http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php to be effective. It’s a little less work than the previously linked solution.

Also, please note google will have to re-crawl your site after you’ve removed the exploit for the ads to go away in the search results.

[Author]

Posts