WordPress 2.5 hacked – need help to stop hacker from returning

From what version did you upgrade? Your story doesn’t indicate that it has something to do with 2.5. As a matter of fact, besides an extra user and a crashed table, where’s the hack? Did you see if there are files corrupted, do you have spam anywhere on your site (whether visible or not), redirects, adds that shouldn’t be there? I see nothing such on your site. As far as I’m concerned, most of the things you experienced could be due an unlucky upgrade, but of course the new user is a strange one. Question is, what was the hacker planning to do than just create a user (did you ever manage to crash a table while working on the dashboard?), but then again, maybe (s)he plans on coming back. If you don’t trust things (I wouldn’t), a good start to monitor things may be Whooami’s plugin. (She doesn’t seem to be around to suggest it herself, so allow me.)

Good luck, and do keep us posted when your discover something.

Btw. The Ask Apache Password plugin may make you feel more secure. It adds an .htaccess password to your admin, config, etc. folders.

if this was actually a hack, then 2.5 has a security problem

Gangleri, thank you so much for your response. I upgraded from WordPress 2.3.3 — whichever was the most recent upgrade prior to 2.5. I’d been conscientious about taking care of upgrades right along.

It is odd that there was a new admin. Plus the fact that the upgrade, which I completed on Saturday, went just fine, and this issue didn’t appear until very late Monday morning. Just weird.

Thanks for suggesting Whooami’s plugin. I’ll check that out. A friend just suggested the Ask Apache Password plugin, but I was a little daunted because it looks, judging from the comments on the site, like I’d need to monkey around with file permissions to be able to install it properly.

Thank you again for responding. I really appreciate it.

IF this was a hack, my idea is that it was there in the old version (that is probably not 2.2.3 or 2.0.11). If that’s not the case, there might be a serious problem for all of us. Wingedmonkey, please enlighten us.

[edit] I was typing this at the same time as Wingedmonkey, so I hadn’t read that post yet. [/edit]

I use Ask Apache and it works like a charm.
If I were you, I’d just wait a few days and see if something strange happens, install Whooami’s plugin to keep track on things, have a look around your logs and scan through your files for anything fishy and all that just to be on the safe side. I’m still not sure if this was actually a hack, but of course I wouldn’t take the chance.

If it was a hack of 2.3.3, then there’s still a problem if it wasn’t through another side on a shared host or by misuse of a plugin. Be sure to update those too!

Gangleri, based on the date/time stamp for the creation of the new user account (which was shortly before my site apparently went down), it looks like this happened after I installed 2.5, not before.

For what it’s worth, the blog is on a shared server and not a private one. If that’s the case, then I imagine that’s something my host should be worried about.

I had the same thing happen to one of my blogs. My blog is on a private server. I am digging through the logs now to see if I can find anything. Something is up as others are reporting this happening to them as well. – https://www.idratherbewriting.com/2008/06/22/first-time-site-was-hacked/

Edit I was running 2.6 not 2.5 when this happened. I had recently upgraded from 2.5 to 2.6

Sorry everyone, I just noticed that was a month ago!! I need more coffee before I get all excited. Still do not know what is going on with my blog but the wp_options was corrupt, I got the “your new wordpress blog is ready” email

Happened to me twice this last weekend. Both blogs were hosted on the same account. Separate wp_options tables.

I had one person register as a new admin user. He is a regular, legit, honest, trusted blog reader. As far as I can tell, he went to my blog (AFTER it was down/damaged), saw the log in box, got confused (probably not reading the text) and created his own account. After I fixed the blog, I deleted him as a user/Admin. Thus…I’m 99.9% sure that the new Admin I could see on my blog wasn’t a “hacker” that destroyed my wp_options table.

If there was a hacker…it must have been someone else. ??

This must be a trend or something because my blog has just started doing this today also. I posted a separate question about it earlier. My host is godaddy and I have had problems with the sql before but never this bad. What can be corrupting these tables?

One thing that happened in the incident…all my pages were converted into posts. Yes, it sounds weird, but that is what happened. FYI in case someone else gets hit by this.