WP v2.6.1 database hacked, but how?

  • I have WP v2.6.1 with the 3 secret keys in use in the wp-config.php file. I do not allow comments on my site. I use the Indomagz 2 theme. I keep my plugins up to date daily.

    Three says ago, when I tried to reset my domain’s account password, I found I was unable to change the password, and when I clicked on my domain server’s help forums link, I got a downloader trojan.

    I thought this was my server’s fault, until I looked at my WP database.

    Five days ago, someone got into my WP database and created two “test” databases. (I don’t even know how to do this! – and they weren’t there 8 days ago.) One database had tables with names similar to what I got from the downloader trojan. The other database contained obscene jokes, that I think are part of a future attack.

    My Norton Antivirus said the downloader was a high risk ajax exploit attack called HTTP MS Works 7 WklmgSrv ActiveX Code Execution. But I could find no info on it, even googling it didn’t help.

    I don’t use MS Works. Do any of the WP plugins use MS Works?

    I think it was my WP that was hacked.

    Any suggestions on how they got in?

    I use the Hashchecker plugin. Sometimes it returns an “all good” result in 5 or 10 minutes and other times it returns nothing even after an hour.

    No other parts of my domain seem affected, just the WP database.

    I do backups of my files and my database & run virus & malware scans on them & they’re clean.

    I thought I’d be smart and create a new db and import my pre-five-days-ago db backup into it, update the wp-config file for the new db name, user, password and host and all would be good. But I got an error connecting to the database message. I must have done the export incorrectly, although I followed WP’s directions.

    Around early June 2008, I saw an article on how to look at logs or code or something to determine hacking attempts. I think it was a dashboard link, and the article was written by a woman. But I can’t find it anywhere now. Anyone know where this article is?

    thanks.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter fried_tomato

    (@fried_tomato)

    uh, sorry, Norton AV didn’t say it was an ajax attack; it only said it was an HTTP MS Works 7 WklmgSrv ActiveX Code Execution.

    Sounds like your host’s admin page or your host account was hacked… because you can’t create an SQL database from WP… only from your host account. I’d recommend you alert your host and then change your admin password.

    THere were 2 WP hacking types: the SQL post injection/redirect and the password hackers. NEITHER created new databases, they only uploaded files and php redirectors, which is why I believe what I posted above.

    BTW, who is your host?

    You were rooted. This doesn’t necessarily mean that the hackers even gained access from YOUR account or from YOUR installation of WP. You need to change every password you have associated with your web hosting account. And it doesn’t sound like the hosting environment is all that secure, either; but these things do happen in a shared environment, unfortunately. ??

    Also, don’t delete any suspicious files from your server until your host has had a chance to look at them. I generally download them and zip them up and send them to my host in a trouble ticket.

    Thread Starter fried_tomato

    (@fried_tomato)

    pblank, if WP is hacked, what happens – a table is added within the WP db? I think “my” hackers got my login info by creating a phishing page on my server’s help page and making the domain password/username changer page show as blank. I dunno what an injection is; I’ll google it. My host – who for years has provided wonderful service and no problems to me – is bravenet.com

    argh, just a few minutes ago I deleted — w/o doing what jonimueller suggested becuause I didn’t check here first — the database w/ the not-added-by-me test databases in it.

    My domain server had stopped helping me after telling me he had no trouble accessing their password/username changer page, no one else had reported a trojan and then had asked if I had even logged in first before trying to change my password. I’ve had domains with this server for years; normally they have wonderful help. I figured I was on my own to get rid of the hackers. After deleting that database, I was going to re-install my WP files and start over.

    One of my problems, as I told my server’s help desk, is that the confirmation of a password change emails no longer come to me. The help desk had nothing to say about that.

    I changed the db password, no problem, but it didn’t stop the hacker. I finally was able to access my server’s account password changer page & changed the user name and password. It didn’t seem to stop the problem as another, a new db I created was also hacked.

    The original hacked database showed “no privileges” on the phpMyAdmin page. I couldn’t find where to allow them. The other dbs I created don’t show this, and I know the hacked db didn’t always have this notation. And the hacked database’s user table showed I and only I was granted access, so I’m confused.

    RE the new hack: After my first post here, I created a new database and imported a backup db to it. Another test database came in with it simultaneously, this time it was for a wii games message board (lots of pphbb-type tables). I deleted the hack by emptying the table (took me forever to figure that out). Like I said, I thought I was on my own to get rid of the hack.

    Thing is, even when I changed my wp-config.php file to a clean database, I still get the WP message that ” Can’t select database
    We were able to connect to the database server (which means your username and password is okay) but not able to select the database. Are you sure it exists? Does the user have permission to use the database? ….”

    I currently have an index.html page up on my site so visitors don’t see the “error in database connection” message. Would this generate the “can’t select the database” message?

    I keep thinking this is an inside job at my server.

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.remarpro.com Admin

    My suggestion:

    1. Make sure you have a backup of all your data from the database. Complete. Get a copy of the WordPress files on your site as well.

    2. Delete everything. Database, files, everything. Wipe that site clean. Delete the databases entirely.

    3. Change all the passwords.

    4. Slowly put everything back, one bit at a time.

    Basically, nuke the site from orbit and then rebuild. It’s the only way to be sure. ??

    Thread Starter fried_tomato

    (@fried_tomato)

    Thanks, Otto42, it helps to hear your approach recommended. I was already in the process of doing what you suggested, but wondered if it would do any good if the hacker was in at the root MySQL level.

    My domain server (bravenet.com) told me a few minutes ago that this wasn’t a hack, but that the problem was definitely at their end, not WordPress’s end. He said they were upgrading their SQL system and some of their test databases are being accidentally added to my WP databases in two domains I have with them.

    He also said that simultaneously with the SQL upgrade, they were changing their username/password changer, thus creating the problems I was having changing my password.

    Lol, I was right – it was an inside job at my server.

    Around early June 2008, I saw an article on how to look at logs or code or something to determine hacking attempts. I think the article was in a dashboard link, and the article was written by a woman on a blog site. But I can’t find it anywhere now. Anyone know where this article is? Or know where there’s a list of bloggers used on our dashboards?

    Where can I find info on WordPress database injection attacks, what they look like etc.? I muddle around on codex looking for info.

    Thanks.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘WP v2.6.1 database hacked, but how?’ is closed to new replies.