My WordPress got hacked (yesterday)……

sorry to hear what happened, and not to rain on your parade, but while I would certainly keep whatever “ban” you have in place, you probably ought to know thats theres a very good chance whoever it was was not using their real IP when they did whatever they did, and similarily won’t use their real IP should they decide to make a return visit.

The easy availability of proxies almost insures this.

To make sure that you were correct in your observation about using 2.0.5, I checked your site in Google’s cache, and yeap, on 11/17 you were using 2.0.5

While im not personally aware of security issues within 2.0.5 that doesnt mean there are none, obviously. A security issue within a plugin could certainly be the cause, as well.

Without a list of plugins you were using, complete with version numbers, its hard to say though.

You mentioned that sitemeter caught them.. i’ll assume then, that your apache logs caught them as well. Any requests to your site made via a browser are going to be in your Apache logs, and that information would go far, very far, in narrowing down their point of entry.

You have the IP. I would do 2 things.

One, I would share that IP here.

And two, I would be looking through my Apaches logs for THAT IP.

If, in fact, this was a limited breach of your site via the web, and not something that occurred server-side, through your host, youre going to want to know how they got in.

If you need help, feel free to contact me via the contact form on my site or at just email whoo@ my domain.com (obviously, use my domain, its linked off my name here on the forums).

Im always up for nailing a hacker.

Thanks for the reply. The IP’s that sitemeter caught was this: 196.202.61. and 196.202.69.

How do i look through the apache logs? I’m sure its in the cpanel; but i’m not sure how to go about looking through the apache logs. I think i will need your help after all. Thanks again for helping me out on nailing this hacker.

through cpanel…

click that link that says “Raw Access Logs”

the second best thing to do, and this is more reactive than procactive, at this point, is to enable monthly log archives.

THATS done, via the link that says “Raw Log Manager”. This allows you to ftp in, and download the entire month’s of logs in the event the “Raw Access Logs” link doesnt have that data available.

The IP’s that sitemeter caught was this: 196.202.61. and 196.202.69.

Unfortunately, those arent complete IPs, but they both point back to Egypt. Without the last octet, there’s no telling whether or not they were proxys.

Yeah, I had the raw log manager enabled prior to getting hacked; so the monthly logs are archived. When you say to go into the “Raw logs manager” how do i ftp then download that month’s archive. I’m not sure what you mean by proxies either. I’m not to familiar with proxies. i just know about IP’s and that’s it. ??

well thats great news, that means that you will definitely be able to see what they did, if anything.

Since you archive logs, ftp in (ill assume you know how to do that?), go into /logs/ and download this month’s log. Thats what you need.

Using a proxy is a way of hiding your real IP. Spammers use them, malicious hackers use them.. people that dont want to be traced use them, in other words.

Again, if you need help, drop me a note. I also have msn messenger, but im not giving that info out here.

I’m not sure how to ftp in the logs. I’m sorta new with the whole Ftp thing….

do you have an ftp client? If so, thats what you use. If you dont have one:

https://www.google.com/search?hl=en&q=ftp+client&btnG=Google+Search

i have cute ftp 7 professional.

thats what you need.. your host gave you some info, ftp info, thats what you use to ftp in. should be some site info, an ftp login, and a password.

I downlaoded it and i’m seeing the https://ftp.mysite-ftp_log

but when i put in the https://ftp.mysite-ftp_log and my password it gives me an error. i think i’m doing it wrong though.

i cant help you with whatever you are doing wrong here as far as that goes. You may need to re-read whatever instructions your host gave you, or contact them.

I never got any instructions from my host when i downloaded the log files or any info to put in to get the ftp logs. I’ll try contacting my host again.

I have been talking with my hosting about my recent site hack and they told me this:

There are some cases of XSS attacks on these type of applications, which are essentially used to steal confidential data from a user. If your site uses cookie based authentication, then this could be possible. It is often better to utilize scripts which are session capable, and store the authentication token in the php session, since it is stored server side. You may want to check that out with the wordpress folks. It stops most XSSs, as cookie data is often the target of XSS attacks.

Also ask the wordpress folks if they know of any good mod_security rules to protect WordPress. I have not really found any WordPress specific rulesets, just general rule sets which apply to more SQL injection attacks.

So do any of you know any mod_security rules to protect wordpress?? Any feedback would be appreciated!

im happy to share what I use, but its going to be fairly generic.

Mind you mine seem to be doing the trick all the same.
(Knock on wood)

Any luck with those logs?

Those are inevitably going to show whether or not your host is being “on the level” about all of this.. its realllly worth the extra effort to get those.

Yes, my host/support& abuse team did the ftp logging for me; and they didn’t say much about it (yet); they asked me if they hacker returned and I told them they the hacker did return; and they said i had some unstable scripts prior to getting hacked (for example and ask n’ answer script was very old and unstable and had alot of vulnerabilities in it). So they told me to delete any scripts that would be unstable and to change my password in my cpanel/ftp/wordpress and that’s pretty much all they said about that.

I am still discussing it with my host though.