So I know you have all heard about older WordPress installations being hacked recently. If you have not already updated your blog to the latest and greatest WordPress version take the time to do it now.
Do not be foolish and put it off like I did! That’s right boys and girls, my very own blog was hacked and it was a very slick method I might add.
I will show you how I figured out that I was hacked and how I fixed it.
First off I was notified that AskTheAdmin’s account was suspended for a malicious script living in a directory on my hosted server. My hosting company told me that two malicious scripts were found on my server which were:
I knew at this point I had a hacked WordPress blog. And I had just read about the exploits of older WordPress versions. I thought I was going to be seeing changed permalinks but they did not do that to me at all. They found another way to get me!
I immediately logged into my account via ftp and deleted the scripts. Then I logged into WordPress and took a look at the users module.
What the hell? All of a sudden, instead of 2 administrators, I now had 3. And for some fricking reason the only two administrators that were showing up on my control panel were both legit. So they not only added an administrator to my WordPress installation but they also managed to hide it from unsuspecting eyes.
So now I did a little Google Fu (like kung fu but not as martial artsy). I discovered that the user names would still be on the page but hidden. So I did a right click on the page and clicked on View Source:
Once I viewed the page source I searched the text for my other administrator’s name – Michael. Then I thought it would be better to search for the word Administrator – this brought me to the correct section in the HTML code. I now see the culprit:
So that brought me first to my account, then to Michael’s account and finally to the LewisLawson63 account. This was added without my knowledge and hidden from my eyes by a script that hacked my WordPress blog. Damn hackers!! But on the same line as the self-proclaimed administrator is their account’s edit link. This is what you need to hit.
All I did was paste the link from the HTML source code after my wp-admin/ in my address bar. So the address bar would show my wp-admin address, then another / and the link. This will take you right to the user’s edit page:
Do you see where First name is? Well, that script was like 10 lines long in there… Being all exploitive. I removed that code and replaced it with a new username for them. Next I made their role a subscriber.
Now guess what? They show up in my list and I can delete them! Next let’s turn off the option that lets visitors register themselves, under Settings in your WP control panel, like so:
I then went and grabbed backups of my website. (Well, actually I ran MySQL queries to see what else had been altered and looked for iframes inserted into my posts.) It turns out they touched EVERY SINGLE POST! Damn Damn Damn! I am so glad I have daily backups.
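Here is an added example (not code from AskTheAdmin or from WordPress) that automates the two checks described above: walking the page source of the users list to find every account, including one a script hides on screen, and scanning post content for injected iframes or scripts. The HTML table and the post texts are constructed stand-ins for the wp-admin users page and the wp_posts table; the usernames, user IDs and URLs in them are placeholders.

```python
"""Defender-side checks for a hidden WordPress admin and tampered posts.

Constructed sample data only; this is not WordPress code. The HTML imitates
the wp-admin users table (one <tr> per user carrying the user's edit link),
and the posts dict stands in for wp_posts.post_content.
"""
import re
from html.parser import HTMLParser

# Markup that has no business inside a profile field or an owner-written post:
# script tags, iframes, and CSS/JS tricks that hide an element from view.
INJECTED_MARKUP = re.compile(
    r"<\s*(script|iframe)\b|display\s*[:=]\s*['\"]?none|visibility\s*[:=]\s*['\"]?hidden",
    re.IGNORECASE,
)


def find_injected_markup(text):
    """Return the suspicious fragments found in *text* (empty list if clean)."""
    return [m.group(0) for m in INJECTED_MARKUP.finditer(text)]


class UsersTableParser(HTMLParser):
    """Collect every user row from the users-list HTML, hidden or not.

    A script can hide a row in the browser, but it cannot remove the row from
    the source, so walking the raw HTML lists all accounts.
    """

    def __init__(self):
        super().__init__()
        self.rows = []
        self._row = None   # dict for the <tr> currently being parsed
        self._cell = None  # "username" / "role" while inside such a <td>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "tr":
            self._row = {"username": "", "role": "", "edit_link": "", "raw": ""}
        elif tag == "td" and self._row is not None:
            # WordPress tags columns with classes such as "username" and "role"
            classes = attrs.get("class", "").split()
            self._cell = next((c for c in ("username", "role") if c in classes), None)
        elif tag == "a" and self._row is not None and self._cell == "username":
            if "user-edit.php" in attrs.get("href", ""):
                self._row["edit_link"] = attrs["href"]
        if self._row is not None:
            self._row["raw"] += self.get_starttag_text() or ""

    def handle_data(self, data):
        if self._row is None:
            return
        self._row["raw"] += data  # script bodies arrive here too
        if self._cell in ("username", "role"):
            self._row[self._cell] += data.strip()

    def handle_endtag(self, tag):
        if tag == "td":
            self._cell = None
        elif tag == "tr" and self._row is not None:
            if self._row["username"]:  # skip header rows
                self.rows.append(self._row)
            self._row = None


def list_users(users_html):
    """Every account in the page source with role, edit link and injected markup."""
    parser = UsersTableParser()
    parser.feed(users_html)
    parser.close()
    return [
        {"username": r["username"], "role": r["role"],
         "edit_link": r["edit_link"], "injected": find_injected_markup(r["raw"])}
        for r in parser.rows
    ]


def find_hidden_users(users_html, seen_on_screen):
    """Accounts present in the source but missing from what the dashboard showed."""
    return [u for u in list_users(users_html) if u["username"] not in seen_on_screen]


def find_injected_posts(posts):
    """Map post id -> suspicious fragments for every post that carries injected markup."""
    return {pid: hits for pid, hits in ((pid, find_injected_markup(c)) for pid, c in posts.items()) if hits}


# Constructed sample: users page source with a third administrator whose name
# field carries a script that hides the row on screen. Placeholder names/ids.
SAMPLE_USERS_HTML = """
<table class="wp-list-table"><tbody>
<tr id="user-1"><td class="username column-username"><a href="user-edit.php?user_id=1">owner</a></td>
  <td class="name column-name">Owner Name</td><td class="role column-role">Administrator</td></tr>
<tr id="user-2"><td class="username column-username"><a href="user-edit.php?user_id=2">michael</a></td>
  <td class="name column-name">Michael</td><td class="role column-role">Administrator</td></tr>
<tr id="user-3"><td class="username column-username"><a href="user-edit.php?user_id=3">rogueadmin</a></td>
  <td class="name column-name"><script>document.getElementById('user-3').style.display='none';</script></td>
  <td class="role column-role">Administrator</td></tr>
</tbody></table>
"""

# Constructed stand-ins for wp_posts rows: id -> post_content (URL is a placeholder).
SAMPLE_POSTS = {
    101: "<p>How to reset a forgotten password.</p>",
    102: '<p>Patch notes.</p><iframe src="http://placeholder.invalid/x" width="0" height="0"></iframe>',
    103: '<p>Clean post with an <a href="/about">internal link</a>.</p>',
}

if __name__ == "__main__":
    print("hidden:", find_hidden_users(SAMPLE_USERS_HTML, {"owner", "michael"}))
    print("tampered posts:", find_injected_posts(SAMPLE_POSTS))
```

On a real site you would feed `list_users` the saved page source of wp-admin/users.php and `find_injected_posts` the post_content column exported from the database; anything the dashboard did not show you, or any post flagged here, is what the restore from backup has to cover.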
I restored my site from 3 days ago (when it happened). I lost a few posts but the damage was gone. If you are not lucky enough to have a backup, your content is all suspect! They might be showing your readers ads or worse! So be wary and don’t take any more chances! Next time you see this:
Listen and update!
Do you have a WordPress horror story to share with us? Another removal or detection method? Share them with us in the comments!