Hacked…
June 24th, 2005 at 02:05pm
This blog was hacked by some soul(s) yesterday night! (around 3.30 AM IST), while I was in deep sleep. The blog home page was defaced. But the contents were kind of intact.
Was able to restore most of the things in less than 10 mins. But only after I was woken up in the morning at around 7.30 AM!
Ok. Now coming to how it happened…
One thing for sure… it was my mistake. I had given some stupid permissions on some folders on my site for some test purpose. I had forgotten to remove those permissions. I am still not sure if it's a security issue with WordPress. Have posted on WP forums about the problem.
At least 2 IPs were involved in the hack. They managed to create new WP users, gain admin access to WordPress, and then enabled file uploads in WordPress. Once that was done, they uploaded files (PHP-based file managers, database access etc. etc.), which would enable them to look on to the filesystem, database, and do more stuff.
They played around a bit, but luckily, they didn’t cause any damage. I am almost done with the cleanup now.
Will post more if something new turns up!
Update 1: Mostly looks like it's got to do with the security issue in WP 1.5.1.1 which was patched in v1.5.1.2. So, upgrade your WP setup ASAP if you haven't done it so far!!
Update 2: I have installed some new set of plugins to increase security. Contact me if you are facing any problem accessing the site.
Update 3: Found exactly how they broke in… If you are interested, let me know. Will share the details. The hack won’t work in 1.5.1.2.
Tags: blog, hacked, hacking, website
Entry Filed under: Net
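An added defensive check, not part of the original post or of WordPress: a shell audit for the conditions this incident involved, namely folders left world-writable, PHP files sitting in an upload directory, and (as described in the comments) an index.html dropped beside index.php. The web root and upload paths are assumptions supplied by the operator.

```shell
#!/bin/sh
# Added example: defensive audit of a PHP web root. Paths are operator-supplied
# assumptions; nothing here is taken from the blog's actual layout.

# Directories writable by every local account (leftover "test" permissions).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# PHP variants inside a directory that is meant to hold uploaded media only.
php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' \) -print
}

# A static index.html beside index.php can be served in its place
# (this depends on the web server's index file order).
shadowed_index() {
    if [ -f "$1/index.html" ] && [ -f "$1/index.php" ]; then
        printf '%s\n' "$1/index.html"
    fi
}

# Print one tagged line per finding; return 1 if anything was found.
audit_webroot() {
    webroot=$1
    uploads=$2
    findings=$(
        world_writable_dirs "$webroot" | sed 's/^/WORLD-WRITABLE-DIR /'
        [ -d "$uploads" ] && php_in_uploads "$uploads" | sed 's/^/PHP-IN-UPLOADS /'
        shadowed_index "$webroot" | sed 's/^/SHADOWED-INDEX /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run only when both paths are given on the command line, e.g.
#   sh audit.sh /path/to/webroot /path/to/webroot/uploads
if [ "$#" -eq 2 ]; then
    audit_webroot "$1" "$2"
fi
```

The non-zero return makes it usable from cron or a deploy hook; every finding still needs a human to decide whether the file or permission is legitimate.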
18 Comments
1. Gry | June 24th, 2005 at 5:40 pm
For hackers, that wasn’t too bad.. I mean - could’ve been worse!
2. JD | June 24th, 2005 at 6:36 pm
Wow!
That’s interesting.
Could you give more details? What exactly did they do? Did they modify your index.php files or did they do something else?
Actually even if they hack WP, how could they get access to file system? I guess that should be able to access only MySQL database and nothing more.
JD
3. Arjun | June 24th, 2005 at 6:54 pm
Hi JD! Have sent you a detailed mail on this!
4. Alejandro | June 25th, 2005 at 12:01 am
Hello,
My name is Alejandro, and I am from Brazil. I started using WordPress not so long ago for my job purposes. I read your post on support forum and decided to visit your page. Now I am worried about my site too. Would you please email me the details and how I can secure from hacks, is the 1.5.1.2 version secure??
How can this happen to the site??
my email is ak74bazooka@yahoo.com
I will be grateful for help
Sincerely
Alejandro
5. sathya | June 25th, 2005 at 12:35 am
hi arjun,
sympathies… and hey job well done about quick recovery etc…
hey what did they deface da?
sathya
6. Arjun | June 25th, 2005 at 11:28 am
Alejandro : Yes 1.5.1.2 is secure. You should upgrade to it at the earliest. If you need more security contact me. Will tell you how.
sathya : they put an index.html page (the link given above in my post) on my blog homepage. So, when someone accessed my blog at http://www.arjunprabhu.com/blog/ it would load the index.html page instead of the index.php page. If you need more info let me know!
7. Rj | June 25th, 2005 at 6:49 pm
Hey Arjun,
I had a similar problem with my site(not WordPress), the index page was replaced. Can you give me more details about this hack? I updated my server with the latest patches but I am not sure how the hackers got in.
8. sathya | June 25th, 2005 at 10:07 pm
bad boyssss…
anyways alls well that ends well na…
blog with renewed vigour and i shall remain an ardent visitor
sathya
9. Arjun | June 25th, 2005 at 11:21 pm
RJ : have sent a detailed mail to you!
Sathya : Thanks ! :)
Update - RJ : RJ, your mail bounced back. Please get back to me with a valid id for more info…
Here's the bounced msg:
65.54.190.230 does not like recipient.Remote host said: 550 Requested action not taken: mailbox unavailable
Giving up on 65.54.190.230.
10. Rj | June 26th, 2005 at 10:55 pm
Sorry Arjun, I mistyped my email.
11. Arjun | June 26th, 2005 at 11:33 pm
Rj: resent the mail to your new(proper) id.
12. Friend Indeed | June 30th, 2005 at 12:55 am (subscribed to comments)
->To Eliminate Pakistan from the world map
->To see India in a position better than other advanced countries like US
Looking at the above on your website, no wonder it was hacked! In fact i’d say you were pretty lucky man…
13. Arjun | June 30th, 2005 at 9:23 am
@Friend Indeed : ……well, maybe I was/am lucky.
But I did a log analysis of the hack. The hacker(s) ended up on this site by doing a Google search for “Wordpress 1.5.1.1”, and one of my posts turned up in the top 10 results.
14. Abhinav | August 19th, 2005 at 12:12 pm
Your hacker was more polite than the guy who hacked my 1.5.1.1 a month back. That was just the day after the update was released.
15. Arjun | August 21st, 2005 at 10:21 pm
Abhinav, this guy did not do much damage, but even to date, i.e., almost 2 months now, he/she keeps visiting the site.
Actually, these people had uploaded some PHP pages, which would allow them to access my site later on (like a backdoor). I have removed it, but this guy keeps coming back every couple of days.
btw, fyi, this guy’s IP points to Pacific University.
16. Prashanth Chandra M | November 18th, 2005 at 3:54 pm
Hi Mr. Prabhu,
I am Prashanth from Hyderabad - a native of Mangalore. Nice to visit your blog and interesting to see your articles. Well, can you give me some details on this post, as well as other such details.
Nice to know another Mangalorean on the net. All the best.
_Prashanth CM
17. Arjun | November 24th, 2005 at 10:50 pm
Prashanth : can you let me know what details you are exactly looking for ?
18. Upgraded WordPress »… | May 6th, 2007 at 11:45 am
[…] by my past experience, it's always good to keep WP […]