The owner called me at 8:39 this morning, “My site’s been hacked.”
I was surprised.
I mean, it’s a WordPress-powered site, after all. And I try to run a tight ship security-wise.
So I had a look.
Next I viewed the code for the hacked page. Surprisingly, I saw no indicators of this being a hack of the WordPress code. Rather, it just looked like that code had been utterly cleaned out and replaced.
Strange. Weird, actually. (That’s in addition to surprising, of course.)
Well, first things first: Get something better showing up on the home page than the hacker’s mocking, foul message.
So I uploaded the latest static HTML home page (from the pre-WordPress days). Then I uploaded a version of .htaccess without the special WordPress section.
That took care of that. Good!
Now, before tinkering with WordPress stuff, it was time to get a fresh back-up copy of the WordPress database. Sure, it would be corrupted, but if I really messed something up, I could at least restore that portion of the site and try again. 🙂
Good. Finally I was ready to go rooting around in the database itself. I launched the site’s cPanel in order to get at phpMyAdmin so I could browse through the SQL database.
I made sure the hacker hadn’t added himself as a blog administrator.
Nope. Neither had he “adjusted” my profile to make it his own.
I also searched for Tariq to confirm that name was nowhere in there. Clean.
I simply saw nothing out of line.
So I got out of there and decided to try logging into the site’s WordPress administrative section. My password no longer worked. 😯
Thankfully, I was able to reset that via WordPress instead of resorting to the more-cumbersome phpMyAdmin route.
Again, I checked to be sure no intruding users had been added.
To keep an already-long story from getting too long, I’ll just outline the main points of what I did next:
- Updated WordPress installation. I missed doing that after the last WP release. 😳
- Updated all plugins and themes.
- Installed and ran the WordPress Exploit Scanner plugin.
- Checked (via FTP) the folder of the current WordPress theme and noticed right away that page.php had been replaced late last night. I looked at its code and, sure enough, it was Tariq’s handiwork. I uploaded a fresh, clean, original copy.
And that, folks, took care of the problem.
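For the file check in that last step, here is an added example (my own code, not anything from the post or from WordPress) that compares a live theme folder against a known-clean copy and also lists anything written in the last 24 hours; `demo()` runs it on a constructed sample in a temporary directory where page.php was swapped out overnight and an extra file dropped in.

```python
# Added example, not the post's code: diff a live theme folder against a
# clean copy and list files written recently (the check that found page.php).
import hashlib
import os
import tempfile
import time
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}

def audit(clean: Path, live: Path, recent_hours: float = 24, now=None) -> dict:
    """modified: same name, different content; added/missing: only on one
    side; recent: live files whose mtime falls within recent_hours."""
    now = time.time() if now is None else now
    c, l = manifest(clean), manifest(live)
    return {
        "modified": sorted(r for r in c if r in l and c[r] != l[r]),
        "added": sorted(set(l) - set(c)),
        "missing": sorted(set(c) - set(l)),
        "recent": sorted(r for r in l
                         if now - (live / r).stat().st_mtime < recent_hours * 3600),
    }

def demo() -> dict:
    """Constructed sample: page.php replaced overnight, x.php dropped in,
    everything else untouched for ten days."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp) / "clean", Path(tmp) / "live"
        for d in (clean, live):
            (d / "inc").mkdir(parents=True)
            (d / "style.css").write_text("/* theme */\n")
            (d / "inc" / "helpers.php").write_text("<?php // helper\n")
        (clean / "page.php").write_text("<?php get_header(); ?>\n")
        (live / "page.php").write_text("<?php echo 'defaced'; ?>\n")
        (live / "x.php").write_text("<?php // not in the clean copy\n")
        old = time.time() - 10 * 86400
        for r in ("style.css", "inc/helpers.php"):
            os.utime(live / r, (old, old))
        return audit(clean, live)
```

Against a real install, point `clean` at a freshly downloaded copy of the theme and `live` at the FTP-mirrored theme folder; anything in "added" or "modified" deserves a look before being overwritten.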
But how in the world did that character burrow his way to that level and replace that file with his own?
I don’t know. 🙁
I have my suspicions, but I don’t want to state them here. 😮
I’ll just say this:
Be careful of what sites you go to. And what sites you post comments on. And what kind of backlinks you provide at such sites.
Furthermore, keep dependable and up-to-date security and firewall applications on your computer. Have them doing their thing in real-time. And also do thorough weekly scans of your machine.
In closing, these links should be helpful in the event your WordPress site is hacked:
http://wordpress.org/support/topic/268083#post-1065779
http://ottopress.com/2009/hacked-wordpress-backdoors/
Now go do the right thing.