Urgent: Someone Change Mysql Password On 20 WordPress Sites in 1 Second

Have you asked your hosts about this?

This should not , by any mean , be a “standard” behavior .
It could be , as esami suggested , a host – initiated operation, but I find it a bit hard to believe that they would do such a thing without a notice first to the users (you) …

I sent message to host. So you never have something like that happen to you?

It is one thing to hack wordpress because of bad plugins or themes or something. But to change password inside wp-config and on mysql server sounds like it must be done by host or some crazy hacker that will ruin my life.

Given that the new passwords all worked, I suspect your hosts are changing them following a recent hack.

crazy hacker that will ruin my life

at most – that hacker will ruin your site, not your life … but anyhow , even if it is the host own action, I would go now and change it AGAIN to something else , just in case .

My host gave me bad support. How to change password, lol

I tell them that 20 files were updated in 1 second and that mysql server password was updated by someone, not by me. And that i m afraid of hacking. And they reply me with a guide how to reset password if i think that someone else changed my password. But they didnt say that they changed it…

Host is Godaddy, now it could be that they are cool and they servers are secure or they dont care… so what should i do now? BTW passwords that were updated are randomly generated and each site got different password.

Reset your database passwords yourself.

That is very interesting actually . Can you tell us some details ?

1 – if the password and the sites worked , how did you noticed this ?
2 – WHEN did this happened ( you mentioned you saw the exact time )
3 – Do you have a server log of the access (ip is logged ??)

There is a really HUGE hacking attack going on in the last few day (maybe you heard in the news of Twitter , New york times, Wall street Journal, Bank of America ) – I would really like to know any further details .

If it IS some kind of attack , it is pretty sophisticated way of preparing the ground on multiple targets . I am actually going to check my own passwords now ??

I m spending my last 7 days on FTP moving files and importing 40 wordpress websites.

So i noticed that wp-config.php was edited at 12:47 and i know that i didnt edit it at that time. So i knwo somethign is going on, so i check the wp-config.php and i see someone changed my password.

Then i go check other wordpress folders and i see that all passwords are changed at same time and all wp-config.php is edit at same time.

Then i went to phpmyadmin to login with my old password, didnt work. then i used the new password from wp-config.php and i m in.

BTW database is clean and nothing is hacked (yet)

Exact time is yesterday 12:47 GMT+1.
No i dont have server log or i dont know where to look (i m on Godaddy shared hosting) But owner/group that eidted wp-dongfig.php is me.

Just a quick update:

If hacker changed my passwords then he must breach inside Master Administrator of the server and probably need to fake his own IP to be in range of Master Administrator and most probably tons of other security breaches, it is probably like hacking into bank.

I say that because i was changing my passwords and i spend 3 hours to do so. Many times damn thing didnt work, copy paste passwords dont work. There is probably a delay which need to pass to change passwords and i really dont know why i needed to use 10 passwords and not use the same password in a row for next database change.

I was so piss yesterday, it was going so slow and i failed so many times. But i think we all can be happy because we know that Godaddy have some serious security tools.

dadaas,

I’d like to have our security team take a look at your issue directly. Please log into your Go Daddy account and submit a help ticket here: https://go.me/aN

Please include as much detail as possible and include a link to this forum thread. Once you reply back to this thread with the ticket number, I can send your ticket to our security team to review what’s happened.

Thanks.
^Cj

Do you still want me to post ticket? Now everything is fine. I changed all database passwords. But if you think that is odd or weird that 40 database passwords and 40 wp-configs got updated by someone (system or someone else) then i can send ticket. But i already send and the answer was if i think that someone changed my passwords i should change them again which i did.

let me know

It is possible that someone was able to gain access to your account through your password and then make the changes. Our security team can review and determine what most likely happened and advise if they do see any security flaws in the content of the site.

I am happy to hear that all is well now. If you do decide to submit a ticket, please just post the number here and I’ll have it reviewed.

^Cj

Hi, ok, i just replyed to old ticket and included a link to this topic.

Ticket number is:
Support Question – Incident# 17760656

Thank you. I’ve sent that to our security team and they will response by email. I appreciate your time.

^Cj