I got hacked... ah crap

Zascar

So a site I did for a friend has just been hacked. It's for his car repair business. Just a wordpress site but many hours gone into it.

I just went to the site and now all that is there is this:



I'm going to get him to call his hosting company tomorrow and see what the story is, but how does this happen? It's just a basic site to give him a web presence, I cannot understand why anyone would want to hack it.

The wordpress login page is still there but the passwords have been changed.

yoyo

Zascar wrote: »

So a site I did for a friend has just been hacked. It's for his car repair business. Just a wordpress site but many hours gone into it.

I just went to the site and now all that is there is this:



I'm going to get him to call his hosting company tomorrow and see what the story is, but how does this happen? It's just a basic site to give him a web presence, I cannot understand why anyone would want to hack it.

The wordpress login page is still there but the passwords have been changed.

Its unfortunate, there are scumbags out there unfortuneately and a out of date install/module could have weakened the sites security, to reset the password in the database try THIS but those guys probably added lots of other virus trojans and other crap into the sites db & source, you may need to go back to a backup unfortuneately, your web host may have a backup for you, make sure you take all steps to secure it if they do to prevent this again, also make sure directory permissions are set right, and use 644 permissions over 777 if you can for folders needing read/writing

Nick

WebGeek

I feel your pain. One of my sites was hacked a few years back but it was an idle undeveloped site. I learned my lesson from it though. I never use the default username (like admin) and use stronger passwords but they don't have to be over the top.

Also a good idea not use test installations of software in separate folders in your server directory. Hackers use these as a gateway to the shell prompt by hacking the vulnerabilities in older (un-updated) software.

cormee

My condolences.

This happened me a few years ago too. I'd spent about 4 months building a site. It was ready to launch, so I took a holiday to celebrate, when I got back it was gone, completely disappeared. The hosting company shut down the site until they could find out what had happened, they never did, and the makers of the software behind it were completely disinterested.

4 months down the drain just because some pasty-faced little pissant felt he could compensate for his social inadequacies by destroying something someone else had created.

murphaph

would it not be standard practice to have a copy of all files saved locally so you can simply replace them if they get hacked/deleted etc? we have a test server and a live server in work here. We have everything on the test system that runs on the live so if the live was hit by a bolt of lightning etc. we could just redeploy from the test.

Bacchus

murphaph wrote: »

would it not be standard practice to have a copy of all files saved locally so you can simply replace them if they get hacked/deleted etc? we have a test server and a live server in work here. We have everything on the test system that runs on the live so if the live was hit by a bolt of lightning etc. we could just redeploy from the test.

My thoughts exactly. Just keep everything backed up.

That sucks though what happened to your site.

zoudards

some people think they are feckin' smart .. cyber vandalism ... the charter forbids me to write what I truly think about that kind of behaviour ... >:(
I feel your pain Nick ...

hadepsx

absolute asshuuls, f ing geeks/nerds got nothing better to do. ur gonna have to start again with better secuirity, obviously:(

Zascar

I was just planning on upgrading to Wordpress v3 this weekend too. It was on 2.9 anyway so not sure how they got in really. Hopefully won;t be too much work to get it back online.

If it is all gone and I have to build again, I was thinking of trying to find the old site on Google's cache. However, I cannot find it at all - unless I'm looking wrong.

I never did any work on seo really as it just was not necessary, the site was not there to attract new business via web searches etc - just as a point of reference for existing customer etc.

Any idea how I can check if there might be a cache'd version of the site anywhere?

aidan_walsh

Search Google for "cache:" and it will give you the most recently cached version. Other than that check something like The Way Back Machine as it may have something too.

yoyo

Zascar wrote: »

I was just planning on upgrading to Wordpress v3 this weekend too. It was on 2.9 anyway so not sure how they got in really. Hopefully won;t be too much work to get it back online.

If it is all gone and I have to build again, I was thinking of trying to find the old site on Google's cache. However, I cannot find it at all - unless I'm looking wrong.

I never did any work on seo really as it just was not necessary, the site was not there to attract new business via web searches etc - just as a point of reference for existing customer etc.

Any idea how I can check if there might be a cache'd version of the site anywhere?

Who is your hosting provider? Sometimes they can be at fault aswell, also try and remove powered by wordpress etc from your site as these hackers probably find vunerable sites through google that way, also check out your permissions set on the server, this could also be a issiue, youd probably be able to re-use the database once you do the thing i mentioned above changing the password, but you would need to be sure there is no vunerable code or stuff in it, try the wordpress forums see if they have a security forum you could get more advice in

Nick

Trojan

Couple of ways to deal with this. If you have a known good backup, then use that. (if not, install BackupWordpress next time - set it to email backup to a gmail account).

You need to get in to the database (usually via control panel), back up the database (label it clearly as the hacked version), then reinstall WP from scratch, after changing DB passwords etc. Then re-import the posts and pages after setting it up, but don't import users. Then go and ensure all content is clean.

You might find this useful: http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

Post specific questions and we'll answer.

Eoin

Am I being naive to think that using a htpasswd file on the admin folder can cut down these hacks considerably?

Webmonkey

eoin wrote: »

Am I being naive to think that using a htpasswd file on the admin folder can cut down these hacks considerably?

Would be no harm but that's http authentication. Still doesn't stop someone executing a script with dangerous permissions in some other directory causing destruction or FTP access.

Evil Phil

Been a busy little bee it would seem: http://www.google.ie/#hl=en&source=hp&q=ShaDow-D3v1l&aq=f&aqi=g1&aql=&oq=&gs_rfai=&fp=9cecc39bcc0391e3

Sucks that people do this.

zoudards

if you go down the search results you just posted ... you can find this website :
http://inj3ct0r.com/

It seems to group exploits people have found .. "for educational purposes" that idiot's name is in there .. might be useful to check if your system is in there and what the exploit might be ...

Zascar

Would they have done that manually or did they create a script or something to do it? What is the best way to protect against this happening again?