Tuesday, February 12, 2008

I have been hacked and not sure what to do now

As if working full time, commuting, and having 3 kids were not hard enough on the whole blogging habit, I have been hacked now.

These pathetic fools have hacked my blog - http://nikas-culinaria.com and my main reaction is .. how can I fix this in the 15 minutes I really do not have before I rush off to work.

*sighs*

I need a WordPress fiend who can give me some strategies for diagnosing what they mod'd.

I know a lot about WordPress but I do not want to nuke this theme and install, I reaaaalllly do not. All I have right now is FTP access.

This Post was written by Nika from Nikas Culinaria

7 comments:

meathenge said...

You should be able to call the people that host your site and have them reload the backups from yesterday. Bam!

Biggles

nika said...

biggles - hmmm will see if that's possible...

sketchy said...

And of course -- change your passwords

Anonymous said...

Nika, like biggles said, hopefully you can rollback via backups from your hosting provider.

If you have FTP access, you can look at the modification dates of your WP core files and theme files to see which files were changed. If there are any database changes, that's going to be a little more time consuming to uncover.

A couple of tips for the future...
1) Password protect wp-admin folder, which is done via .htaccess and prompts for an additional username and password to get to the WordPress Admin.

http://blogsecurity.net/wordpress/article-210607/

2) Restrict access to wp-config.php and other files and folders using .htaccess

3) Never post as Admin user

4) Remove WordPress version string/number in your header.php file. Hackers use the version number to target sites.

5) Change your admin passwords (obviously) and FTP password. And use a secure FTP client, such as WinSCP.

There's a whole bunch of other things you can do in the future to protect yourself. If you have any questions or need assistance, drop me a message at sndster [at] sundaynitedinner (dot ) com
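The file check suggested in the comment above, as an added example (not code from the commenter or from WordPress): it compares a site copy pulled down over FTP against a clean unpack of the same WordPress release by hash, and also lists files by modification date. It goes a step beyond the comment because modification dates can be reset, and it does not cover database changes. The directory names, file contents, timestamps and the `build_demo` helper are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def index_tree(root):
    """Map relative path -> (sha256, mtime) for every file under root."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            index[rel] = (sha256_of(full), os.path.getmtime(full))
    return index

def compare_trees(clean_root, live_root):
    """Return (modified, added, missing) paths of live_root relative to clean_root."""
    clean, live = index_tree(clean_root), index_tree(live_root)
    modified = sorted(p for p in clean.keys() & live.keys() if clean[p][0] != live[p][0])
    return modified, sorted(live.keys() - clean.keys()), sorted(clean.keys() - live.keys())

def changed_since(root, cutoff_ts):
    """Paths with mtime >= cutoff_ts. mtime can be reset by an intruder: a hint only."""
    return sorted(p for p, (_h, mtime) in index_tree(root).items() if mtime >= cutoff_ts)

def write(root, rel, body):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(body)
    return path

def build_demo():
    """Constructed sample trees: 'clean' = fresh unpack, 'live' = copy pulled over FTP."""
    base = tempfile.mkdtemp()
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    for root in (clean, live):
        write(root, "wp-login.php", b"<?php // constructed core file\n")
        old = write(root, "wp-includes/version.php", b"<?php // constructed\n")
        os.utime(old, (1_200_000_000, 1_200_000_000))  # constructed old timestamp
    write(live, "wp-login.php", b"<?php // constructed core file\n// altered\n")
    write(live, "wp-content/themes/demo/extra.php", b"<?php // constructed stray file\n")
    return clean, live

if __name__ == "__main__":
    clean, live = build_demo()
    print(compare_trees(clean, live))
    print(changed_since(live, 1_202_774_400))  # constructed cutoff: 2008-02-12 UTC
```

Files reported as added under the theme and upload folders are expected on a real site; the ones to read closely are core files reported as modified and PHP files in places the clean release has none.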

Kalyn Denny said...

Nika, very sorry this is happening to you and even more sorry that I don't have any idea what to do. I'm glad others are offering help. Good luck!

Owen said...

chuck has you covered I think - it is REALLY worth the time to follow all his steps - even if they are hard. You've been hacked once - unfortunately that makes it more likely they will try again sometime - but I see you are at least back up again - don't hesitate to post more questions here to get answers about fixing themes etc on your way to recovery

nika said...

thanks all.

from what I can tell by having gone through the database is that they did a mysql injection hack.

had to do a fresh install of 2.3.3 and revert back to an old theme.

they never changed any files.. their hack was, as I said, an injection.

I have hardened the blog a lot and some of that is likely what is clashing with my most recent extensively customized theme. Will take time I do not have so it will be a while before things were as before.

backup from my host was never an option (with the plan we have)

I had already checked for time-stamped footprints via FTP by the time I had written here .. this is why I was frustrated because it was proving to be more elusive than simply getting my ftp password (which thank GOD didn't happen)

I am still working on the admin as poster thing .. when I migrated from blogger a large block got labeled as admin and I never had the time to go back and deal with so many posts.

thanks again to all for your kind words and much help.

I just wish I had a more robust theme but I knew it was too precious when I had to spend so much time on it.... bleh.