Spivi

24 later and we’re still hack free, it seems like we’re safe now.
It looks like the hacker/script is attacking via SQL injection, having the ability to read the tables prefix, change the site title and add a text node with simple html redirection.
It could be WordPress core or one of the plugins we use, I don’t think it’s related to webhostingpad but only time will tell.

@cbouchard, I do use webhostingpad.com… hmm.. makes me wonder.

To determine if get re-hacked I’m checking the website’s Title tag using the perl script below.

If you have nagios, run this script like this:
perl check_title.pl https://your_site_url “The title you are expecting to get”

Here is the source of the Nagios script:
#!/usr/bin/perl
use strict;
use HTTP::Request::Common qw(GET POST);
use LWP::UserAgent;
my $url = shift;
my $html_title = shift;
if (!$url) {
print “URL is missing”;
exit 3;
}
if (!$html_title) {
print “html title is missing”;
exit 3;
}
my $ua = LWP::UserAgent->new;
$ua->agent(‘Mozilla/5.0’);
$ua->timeout(10);
my $random = int(rand(9*time));
my $req = POST $url,
Referer => $url,
Content => [
‘r’ => $random
];
my $answer = $ua->simple_request($req);
$answer = $answer->as_string;
my $tmp = (split(/\<title\>/,$answer))[1];
$tmp = (split(/\<\/title\>/,$tmp))[0];
if ($tmp ne $html_title) {
print “Title is not $html_title!”;
exit 2;
}
print “Ok.”;
exit 0;

@cbouchard, after having the exact same problem from the same hacker and got re-hacked over and over again in the last 36 hours, I followed @cwinkler78’s instructions plus moved wpconfig.php upper in the directories hierarchy. I then changed the WP tables prefix again.
I also wrote a Nagios script that determines if the site is being hacked by the same hacker so it won’t take long to fix the site if bad things happen.
All have been done a few hours ago, I’ll post again if I get re-hacked.

@cbouchard, do you still experience this re-hacks ?