• awhitemage

    (@awhitemage)


    I have the latest wordpress version (3.0.1) and I got hacked, 3 hours ago. I’m hosting my wordpress installation on a paid server with Midphase.com, but none of my cpanel passwords were touched. Only my wordpress admin password was changed.

    I’ve read about admin password reset hacks, but only with previous versions of wordpress… I guess the hacks are still very present.

    Funny thing though, I had the “Under Construction” plugin installed and activated, so the hacked page never got crawled by google and nobody ever saw anything. A bit noobish, even for script kiddies.

    Team SQL HEX was their name.

Viewing 9 replies - 16 through 24 (of 24 total)
  • webjunk

    (@webjunk)

    First it sounds like you would not have rights to delete the database or even Drop all the tables.
Second (more importantly) you may not have rights to create a new one and/or import the backup database. You did say you have a Backup of the DB? Would do an Export/backup of the database right now if you can. You can then at least view it in a text editor.

    Remember all your posts, pages and config are in the database.

    LunaticLtd

    (@lunaticltd)

    seems that table may have been deleted by the hacker, it may not be an access issue. the MP tech guy I’m chatting with reset my permissions and i still couldn’t do anything. he can’t even find that table in the database.

I asked and he agreed deleting the old database and starting a new one will work, but I’ll lose my posts. I did do a full back up via cpanel like you suggested. will that have my posts in there or will I lose all that?

    that’ll be extremely annoying but not critical since i don’t have a LOT of stuff on my blog yet and am revamping it somewhat anyway.

    webjunk

    (@webjunk)

    You can view the backup of your database in a text editor. It might be gzipped and you will need to unarchive it. Would view it yourself for the posts. Don’t take the tech’s word for it. But if in fact the table was deleted and your only backup was the one you JUST made then they are gone. Possibly other portions of the database are also gone.
If the table was actually deleted then have to believe either it was a break-in to your cPanel (doubtful) or they had shell (telnet/SSH) access to the server. So before rebuilding your site, might be time to move to a new host. You will have no way of knowing if MP fixed their security issue. Sounds like the hacker obtained root access based on your not able to manage the db.

    idahsto8

    (@idahsto8)

I’ve sent midphase this thread [also see this thread] (as did @awhitemage) and have been in communication with them and so far have been very helpful for my situation.

    If you’re one of the people that have had your site hacked at midphase in the last week+/-, and had your wp username & password changed, please email jgriffiths [-at-] westhost [-.-] com and:

    “tell me which files exactly you saw as hacked during your instances so that we may know where the hacker was targeting and probably the vulnerability. Also, can you please provide us with the domain names of the other clients who were seeing hacks so we can see if there was an correlation between them all? Please let us know.”

    Well, it happened again. I implemented a bunch of security protocols (based on WordPress Defender by John Hoff) but I got hacked again. MP customer support just said there was no way it could be them and it had to be my error because of bad passwords, etc. Looked like a form letter response with minor tweaking for me.

    I also tried emailing the guy idahsto8 mentioned but haven’t received a response in 5 days. I’m going to forward him my correspondence with MP and see if something can be done.

    Then I’m going to cancel my service with them and go elsewhere. This is ridiculous.

    Thread Starter awhitemage

    (@awhitemage)

    I password-protected my wp-admin directory (using the cpanel) and haven’t been hacked again, yet. So until I switch from Midphase to something else, that seems to be a good “solution”.

    I made the following security improvements & haven’t been hacked again, yet. Note: I haven’t password protected wp-admin like @awhitemage.

    I found this person who had a similar type of hack. They made several changes. The one I changed was the wp-config.php permission to 400.

    I added these to my public_html .htaccess:

    # protect wpconfig.php
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    # DENY PUBLIC ACCESS TO YOUR php.ini file
    <Files php.ini>
    order allow,deny
    deny from all
    </Files>

    # DENY PUBLIC ACCESS TO YOUR php5.ini file
    <Files php5.ini>
    order allow,deny
    deny from all
    </Files>

    # QUERY STRING EXPLOITS
    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} tag\= [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*|=$).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\||\{|\}).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
    RewriteRule ^(.*)$ - [F,L]
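A query-string blocklist like the one above is worth testing against normal WordPress traffic before it goes live, because several of its conditions (tag=, http:, =$, the SQL keyword list) also match legitimate requests. The following is an added example, not code from the thread: it re-implements the fifteen RewriteCond patterns in Python with a straight-quote transcription (the curly quotes and the unescaped ? in the posted copy do not compile as written), runs them over a constructed set of ordinary and probe URLs, and includes a check for patterns that match the empty string, which is the failure mode of garbled copies of this list (every request without a query string gets a 403).

```python
import re
from urllib.parse import urlsplit

# Straight-quote transcription of the 15 RewriteCond patterns in the post above
# (the '?' inside the bracket-list rule escaped so the regex compiles).
# Assumption: each pattern is tested unanchored against QUERY_STRING with [NC],
# i.e. re.search() with re.IGNORECASE, and the conditions are OR-ed together.
QUERY_STRING_RULES = [
    r"\.\.\/", r"boot\.ini", r"tag\=", r"ftp\:", r"http\:", r"https\:",
    r"(\<|%3C).*script.*(\>|%3E)",
    r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)",
    r"base64_encode.*\(.*\)",
    r"^.*(\[|\]|\(|\)|<|>|'|\"|;|\?|\*|=$).*",
    r"^.*(\"|'|<|>|\||\{|\}).*",
    r"^.*(%24&x).*",
    r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*",
    r"^.*(globals|encode|localhost|loopback).*",
    r"^.*(request|select|insert|union|declare|drop).*",
]

def firing_rules(query_string, rules=QUERY_STRING_RULES):
    """Patterns that match this query string (any match means a 403)."""
    return [p for p in rules if re.search(p, query_string, re.IGNORECASE)]

def would_block(url, rules=QUERY_STRING_RULES):
    """True if the blocklist would reject the request for this URL."""
    return bool(firing_rules(urlsplit(url).query, rules))

def rules_matching_empty(rules):
    """Sanity check: a pattern that matches '' fires on every request that has
    no query string, so a copy with a stray empty alternative such as '(a||)'
    takes the whole site down. Returns the offending patterns."""
    return [p for p in rules if re.search(p, "", re.IGNORECASE)]

# Constructed sample of ordinary WordPress requests plus one traversal probe.
SAMPLES = {
    "/?p=42": False,                      # single post: allowed
    "/?s=wordpress+security": False,      # search: allowed
    "/?tag=security": True,               # tag archive: rejected by tag\=
    "/?s=": True,                         # empty search box: rejected by =$
    "/?s=drop+shadow": True,              # innocent search term: rejected by 'drop'
    "/?file=../../boot.ini": True,        # traversal probe: correctly rejected
}

if __name__ == "__main__":
    for url in SAMPLES:
        verdict = "BLOCK" if would_block(url) else "allow"
        print(verdict, url, firing_rules(urlsplit(url).query))
    print("rules matching an empty query:", rules_matching_empty(QUERY_STRING_RULES))
```

Three of the six sample requests are ordinary WordPress URLs that this list rejects; a hardened .htaccess should be checked the same way after every copy-paste, since a single mangled character turns a blocklist into a site-wide 403.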

    Very cool. Thanks to both idahsto8 and awhitemage for the ideas. I’ll try those later when I have a chance (at work now). I really appreciate the fast response, too.

    I’m about to email the westhost guy to see what he says.

    sorry to hear that you got hacked, maybe it was something like in this video youtube.com/watch?v=HJKsWoLj45c these guys are smart they always find new ways to hack something, probably because they have nothing better to do in their basements.

  • The topic ‘So I got hacked, 3 hours ago….’ is closed to new replies.