Working Now?

Apparently, my website was hacked a while ago (I suspected it previously, but couldn’t find any proof or evidence) and it reared its ugly head this morning in the form of text spam injected into my RSS feed.  Thanks to Lance and Face, who both emailed me about the problem.

After a few hours of hunting for the problem looking through MySQL entries, users, comments, and file permissions, I found an old plugin that had a file that was 2 years newer than all of the other files in the directory and the directory itself.  On top of it being newer, the payload of the php in the file was encrypted.  Encrypted php?  Really?  That’s possible?

After a few WordPress-hardening changes (recommended here and here); nuke the admin account, verify the permissions on files and directories, remove stray _rss_* entries in the wp_options table of my database, rename the wp_* tables of my database to a non-standard name, remove all non-necesary Plugins and Themes, and install WP Security Scan to hunt down vulnerabilities; I think that my site is fixed.

If anyone sees anything fishy coming out of the site from hence forth, please feel free to contact me!  My website maintainence email is webmaster [at] geoffkerr [dot] com.

Tags: , , ,


Comments are closed.