
Possible Duplicate:
My server's been hacked EMERGENCY

Someone was able to hack my WordPress 3.2.1 installation, get access to the control panel as an admin and tamper with the theme's index.php file. He didn't delete any of the site's files or cause more damage (I'm not sure if he was kind or just got limited access).

My question is: how do I trace the cause of the issue? All I know is that before the site got hacked, I got an email from WordPress saying that I had requested to change the admin password.

Any idea where to start looking?

Thanks, Mashhoor

KeyStroke
  • Can users register with your blog? If so, you might want look for a privilege escalation. Are you making use of plugins and themes? If so you might want to look into those as well. – hakre Jul 24 '11 at 11:54
  • No one can register. I do have themes and plugins though. What should I look into? – KeyStroke Jul 24 '11 at 12:03
  • Not answer, but a decent "related" Q/A on WP.se -- http://wordpress.stackexchange.com/questions/19696/verifying-that-i-have-fully-removed-a-wordpress-hack – jscott Jul 24 '11 at 12:17

3 Answers

4

The first place to look is your web logs. Look for 404s that have weird query strings; that should give you a start.

macarthy
  • Not only 404s but all requests. – hakre Jul 24 '11 at 11:55
  • Look for access to the admin pages from addresses which are not your usual address. Given you got a password change message, I would expect the password change page got called. – BillThor Jul 24 '11 at 18:08
0

My question is: how do I trace the cause of the issue? All I know is that before the site got hacked, I got an email from WordPress saying that I had requested to change the admin password.

The email message gives you an idea of when the hack might have happened, and that the password reset function was part of the exploit.

Where to look? Basically you can start with your server logs. Which requests were made at that time? Look for POST and GET requests; some servers actually log the POST data, which could be useful to find out more, albeit that's not always the case.

Once an attacker has gained admin access to your blog, she/he can normally modify all files of a WordPress setup. That's the price to pay for the auto-update implementation in WordPress, because most files must be accessible. However, in a secure setup, files are write-only. This info might help you understand how a hack can be performed and how to prevent it in the future.

Also look for WordPress updates in the 3.2.x lineup, or downgrade to 3.1.4; 3.2.1 is quite new and not that well tested in the wild, especially for exploits.

Another method to track things down is to set up a honeypot install with the same configuration, with full logging enabled and notifications, so as to learn more about the attacks happening. Many attacks are automated, for spamming purposes (or just worms), so you can use the honeypot site to detect such attack patterns. You know the site has been attacked when files have been changed or added.

hakre
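As an added example (not code from the question or from any of the answers), this small Python script applies the log-reading advice above and BillThor's comment on the first answer: it parses combined-format access-log lines, flags wp-login.php and wp-admin requests from addresses outside your own network, password-reset requests close to the time the reset e-mail arrived, and odd query strings. The log lines, the trusted network and the e-mail timestamp are constructed; the `action=` values are WordPress's stock password-reset parameters.

```python
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# One Apache/nginx "combined" access-log line -> dict of fields.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
SENSITIVE = ("/wp-login.php", "/wp-admin/")                    # login/reset and admin area
RESET_QS = re.compile(r"action=(lostpassword|rp|resetpass)")   # WordPress password-reset flow
WEIRD_QS = re.compile(r"(%27|'|\.\./|php://|%3Cscript|<script|union\s+select)", re.I)

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None                      # not a combined-format line (e.g. truncated)
    r = m.groupdict()
    r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
    r["path"], _, r["qs"] = r["path"].partition("?")
    return r

def suspicious_requests(lines, trusted_nets, reset_email_time, window=timedelta(hours=6)):
    # Returns (reason, record) pairs: the requests to read first when reconstructing a break-in.
    trusted = [ip_network(n) for n in trusted_nets]
    hits = []
    for r in filter(None, map(parse, lines)):
        from_trusted = any(ip_address(r["ip"]) in n for n in trusted)
        if r["path"].startswith(SENSITIVE) and not from_trusted:
            hits.append(("admin/login request from untrusted address", r))
        if RESET_QS.search(r["qs"]) and abs(r["ts"] - reset_email_time) <= window:
            hits.append(("password-reset request close to the reset e-mail", r))
        if WEIRD_QS.search(r["qs"]):
            hits.append(("weird query string", r))
    return hits

# Constructed sample log (RFC 5737 addresses); 192.0.2.0/24 stands in for the owner's own network.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jul/2011:22:14:01 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jul/2011:22:14:03 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jul/2011:22:31:45 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Jul/2011:09:02:11 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.5 - - [23/Jul/2011:21:58:30 +0000] "GET /index.php?p=1%27%20union%20select HTTP/1.1" 404 210 "-" "curl/7.21"
"""
TRUSTED_NETS = ["192.0.2.0/24"]
RESET_EMAIL_TIME = datetime(2011, 7, 23, 22, 15, tzinfo=timezone.utc)  # when the reset mail arrived

def demo():
    hits = suspicious_requests(SAMPLE_LOG.splitlines(), TRUSTED_NETS, RESET_EMAIL_TIME)
    for why, r in hits:
        print(f"{r['ts']:%H:%M:%S} {r['ip']:<13} {r['method']:<4} {r['path']}?{r['qs']}  <- {why}")
    return hits
```

On the sample, the trusted admin visit is ignored while the reset requests, the theme-editor POST and the odd query string are listed with their reasons; point `suspicious_requests` at your real access log with your own network and the reset e-mail's timestamp.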
0

I know this is after the fact, but try installing the WordPress File Monitor plugin. At least then in the future you'll have an idea of exactly which files were changed and if any were uploaded.