Comments on: ChattyDM.net domain hacked

By: ChattyDM

ChattyDM — Mon, 18 May 2009 20:40:23 +0000

Just a quick note to tell you all that all sites have been cleaned out, thanks to my good friend Eric Maziade. I owe him big!

Also it appears that the threat was server based.

Now I need to do some serious backups!

By: ChattyDM

ChattyDM — Mon, 18 May 2009 16:03:03 +0000

I do have a recent backup and I’ll restore the site as soon as I get my hands back on it. Thanks for the tips and I’ll email you real soon to get your little program to protect against injections. Thanks GameDaddy.

By: GameDaddy

GameDaddy — Mon, 18 May 2009 04:12:47 +0000

WordPress is full of holes…
http://codex.wordpress.org/Hardening_WordPress

If you’re lucky you’ll have a dated backup of your wordpress site you can reinstall once you have deleted all the current files on your site.

If not, It would probably be best to re-install your server, php, & wordpress from scratch.

You can of course, go through all of your files and delete the inserted script strings. Hopefully no vital php has been deleted during the injection. Easiest way for this is to install a copy of wordpress locally and compare php files. PSPad is a very good editor for doing this, you can do side-by-side comparisons of files, with any changes highlighted.

If your site is hosted on linux with Apache, let me know, I have a very good .htaccess file that will block most script injectors, even if they are coming from a shared server. The last attack on my gaming website brought down one of my servers for about four hours, but once the server was brought back online and the php re-installed, my own website & filespaces had been untouched.

If you are on a shared server , I’d recommend a dedicated one. Dedicated servers generally cost about $100 more a year than a shared server, however the only vulnerabilities with this are in your own files, and in the files on your dedicated server. You don’t have to worry about some other junior webmaster loading a facebook app with a script that hacks into your filespace.

Also, turn your website logging on and run a script that copies the logs off your website to a holding area every hour or so… You can easily identify if the attack was made directly into your website from the net, or if the attack vectored in from the server, or another shared webspace on the server.

Finally, If you are running Windows or Linux yourself, for your own connection to the Internet, the Wireshark is your friend!

By: Stuart

Stuart — Sun, 17 May 2009 11:56:02 +0000

This is very likely a security exploit on WordPress, and once in they can add the code to any WP installations on neighbouring server directories. Make sure you reupload all of your WordPress files (for all sites) and ensure all your plugins are up to date. Remove any unnecessary / unused plugins as well.

Get these plugins:
http://wpantivirus.com/
http://wordpress.org/extend/plugins/wp-security-scan/

And consider these tips:
http://www.dullest.com/blog/three-tips-to-protect-your-wordpress-installation/

Good luck!