(Update: I now have an inkling as to how the hack happened, and how to prevent it recurring. See update post.)

The email said ‘Password Lost and Changed for user admin’. It was from my blog. I hadn’t touched my blog all day – all week, in fact – so this was pretty odd. I tried to log in. I couldn’t. Crap. I requested a password reset. The email never arrived. Double crap.

I logged into phpMyAdmin and checked the admin email address in the raw SQL. It wasn’t mine. I changed it back and requested a WordPress password reset. While waiting I downloaded the apache access logs, and a quick scan showed somebody was inside my blog and messing around with the WordPress plugins. Crappity cockity crap.

The email arrived, and I logged in. Nothing was immediately amiss. The plugins list was normal, so I figured they must be editing the theme. Again, nothing was obviously wrong, but I activated a backup theme anyway. But when I went to the front page: blank screen. So I re-activated the original, which immediately offered to update itself to the latest version. Did I want to do this, even though I would wipe out all customisations? I said yes.

I also had a full SQL backup from last weekend, so I wiped my database and restored that. Phew. I’d put out the fire. Or so I thought.

I wanted to understand what had happened, so it was back to the access log. A proper look showed a plugin *had* been uploaded, although it wasn’t a valid WordPress plugin so didn’t appear on the list. Nevertheless, the uploaded .php file had been manually run. A quick FTP check showed it was still there, and upon examination it contained a zipped file, which it was capable of extracting. Oh, cock. I deleted it. The access log then showed Mr Hacker had been messing around with…my backup theme. I examined the index.php and it had been replaced with the same malicious code. Which I had obligingly activated. So I deleted that too.

I carried on grepping the access logs, and Mr Hacker was still running stuff. He wasn’t in the admin interface any more, though he’d tried to reset the password again, but was running all sorts of files with querystring extract-to-these-directory arguments. There was some kak in the WordPress root, and when I went to kill it I spotted the www.paypal.com directory. Jesus. I deleted everything I could see, then downloaded the most recent access log: wongablog.co.uk/evil-paypal-link was already getting hits from all over the world. I tried the link in Chrome, just to check it wouldn’t work, and Google already (!) had it on a phishing list. The page itself was dead, happily.

At this point I finally remembered I could block Mr Hacker’s IP, so I did that. I tidied up everything I could find, and – currently – all seems well.

Except: how the hell did he change the admin email address? The logs show he accessed wp-config.php, then went straight to the wp-login.php and requested a password reset. My password wasn’t cracked, it was bypassed. Viewing wp-config really shouldn’t do anything. I can only think it’s a WordPress vulnerability, though I’m on the latest version.
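One way to grep an Apache access log for the request patterns described above (a direct hit on wp-config.php followed by a password-reset request from the same address, PHP files executed out of the uploads directory, and path-like values in query strings), as an added example that is not the author's own code; the log lines are constructed, the IP addresses come from documentation ranges and the uploaded file name is a placeholder:

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format; the regex covers only the fields this check uses.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not the author's real logs: 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges and the uploaded file name is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2009:14:02:11 +0100] "GET /wp-config.php HTTP/1.1" 200 0
203.0.113.5 - - [10/Oct/2009:14:02:40 +0100] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2311
203.0.113.5 - - [10/Oct/2009:14:05:02 +0100] "GET /wp-content/uploads/placeholder.php?dir=../../ HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2009:14:06:00 +0100] "GET /2009/10/some-post/ HTTP/1.1" 200 14872
"""

def parse(line):
    # Return a dict of the matched fields, or None for a line that does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_indicators(log_text, window=timedelta(minutes=10)):
    """Return (ip, reason) findings for the request patterns described in the post."""
    findings = []
    last_config_hit = {}  # ip -> time of its most recent wp-config.php request
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        file_part, _, query = rec["path"].partition("?")
        if file_part.endswith("/wp-config.php"):
            findings.append((ip, "direct request for wp-config.php"))
            last_config_hit[ip] = ts
        if file_part.endswith("/wp-login.php") and "action=lostpassword" in query:
            seen = last_config_hit.get(ip)
            if seen is not None and ts - seen <= window:
                findings.append((ip, "password reset requested soon after wp-config.php access"))
        if file_part.startswith("/wp-content/uploads/") and file_part.endswith(".php"):
            findings.append((ip, "PHP file executed from the uploads directory"))
        if "../" in query:
            findings.append((ip, "path-like value in query string"))
    return findings
```

Run it over a real access log with `find_indicators(open("access.log").read())`; the reset-after-wp-config rule only fires when both requests come from the same address inside the window, so widen `window` if the log covers a slower sequence.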

I’m not sure of the wisest course of action. The admin account is gone[1] and all the passwords secure…but they were before. I should probably wipe everything and install WordPress from scratch, just to be sure. Even so, this shouldn’t have happened, and I’m not sure how to stop it happening again. Damian’s pointed out this plugin, which is now activated, but I’m still nervous.

Hmph. I hate spammers. It’s great that WordPress thinks to email administrators whenever a password changes, but it’s still lucky I was sitting here. I’m actually on a borrowed laptop, and I’m incredibly glad I set up remote access to my home PC. Setting up FTP software would have been tricky otherwise. I think this counts as good redundancy planning. I shall, just for a moment, pretend I’m Batman.

[1] Damian warned me about this years ago, but I never quite got around to it.