This article explains what happened to two of my websites: a successfull hacking sttempt. This is not fun at all, at least for me it isn’t…
I only reaslied it happened this week, so I’m not sure when this went down. Here’s what I know:
Two of my sites (both versions 2.7) were on shared hosting packages. They’re the only two left that are not on my own server, because I thought why rush, it works, why invest a lot of time before the package runs out. Trouble is, the automatic upgrade function doesn’t work on my shared hosting packages – it does on with my own server without problems. Hence, all plugins and WP Cores on all other 10 sites are the newest version, becasue all I have to do is press a button when I see there’s an upgrade available.
So I was lazy with these two sites, and left them as they were, which was version 2.7 (not 2.7.1 as all the others are).
Enter http://www.Cloud-TV.com: this site was setup to automatically post one picture every day, which was uploaded in a queue. Worked well last time I checked – which was a few weeks ago, so I thought I’d better check again. All I got to my surprise now was a white screen with nothing on it.
This got hacked before, when I was on WP 2.6.5 back in December 2008. My hosting company got in touch to tell me about some malicious activity on my account – even the backup had been compromised, so they killed the site. All I remember was 50+ spam comments per day in the run up to this, so I had closed the option for people to comment. Next thing I know, the site is down for good.
Not so this time: I could still login to the site via /wp-admin/, and the backend was working fine. That’s confusing! I switched to the default Kubrik theme, and the site was back online – albeit without ANY of the pictures that had been posted. The posts were still there, but all image files were gone from the server. I checked the relevant directories, only to find the image files had been deleted.
I went onto check the theme files I was using – I had a main and a backup of the same theme (Aerodrome with my own mods to fit the site). They were still there, but all the important files (like index.php, header.php, etc) were EMPTY. Zero bytes in size. So someone must have gained access to my installation, cleared the contents, then saved hit the SAVE button – as well as deleted my image files.
This is possible without knowing the FTP details to my hosting packages, becasue by loggin into WP you can modify those files (if they are writable on the server, which mine were – otherwise I couldn’t have made changes). Things like the image directories are writable by default, otherwise we couldn’t upload pictures.
My other site was slightly different, though the results were fairly similar. The site was still working, but all image files (apart from one Facebook Graphic) had been deleted! An extra directory for images posted in May had been created, although nothing had been put in there… my luck! Some theme graphics had been also deleted, which I luckily had backed up.
They say that if you don’t upgrade to a new version the minute it comes out, hack-bots try their best – especially if your WordPress version number is in the source code (which it is by default). I’ve learnt my lesson: laziness doesn’t pay off.
Upgrade ALL your sites today, and check if they’re still OK. There’s a plugin called Exploit Scanner that can tell you if your WP Core has been fiddled with. Have a look at this article by Irish Blogger and WP Enthusiast Donncha O Caoimh. He wrote that plugin and explains what hackers do:
One last word:
upgrade today! As for file permissions, give everything 744 when you’re done making changes, or once you won’t upload files for that month anymore.