Comments on: EtL Hack Causes Major Disruption to Service http://enticingthelight.com/2010/04/22/etl-hack-causes-major-disruption-to-service/?utm_source=rss&utm_medium=rss&utm_campaign=etl-hack-causes-major-disruption-to-service A Quest for Photographic Enlightenment Tue, 07 Feb 2012 16:47:04 +0000 hourly 1 http://wordpress.org/?v= By: Sussex photographer http://enticingthelight.com/2010/04/22/etl-hack-causes-major-disruption-to-service/comment-page-1/#comment-3384 Sussex photographer Tue, 27 Apr 2010 16:27:47 +0000 http://enticingthelight.com/?p=6266#comment-3384 Thanks for the info. I've tucked it away in case I need it some time. Thanks for the info. I’ve tucked it away in case I need it some time.

]]> By: Miserere http://enticingthelight.com/2010/04/22/etl-hack-causes-major-disruption-to-service/comment-page-1/#comment-3330 Miserere Fri, 23 Apr 2010 16:38:48 +0000 http://enticingthelight.com/?p=6266#comment-3330 That's a good question about the code in a comment. I don't think so, but I am no WordPress expert either. What I did was back up the database, change the passwords for the database, FTP and WordPress account (for both me and Peter), then do a search and delete for instances of eval(base64_decode(blahblahblah)), which had infected almost 400 files; then finally I "updated" WordPress (I was already running the latest version). At this point the site was still redirecting somewhere dodgy and I couldn't find the script that was doing it, so I disabled all the plugins and the redirecting stopped. I tried activating the plugins one by one, but gave up after the 4th one in a row came up infected--I'm pretty sure they were all infected. So I just deleted all of them and am now in the process of reinstalling them again. At this point I have again changed all the passwords. I'm pretty sure my problem was that I had some files with 777 permissions (allowing anyone to write to them), and the bots found them. I'm now following closely what WP themselves are recommending <a href="http://codex.wordpress.org/Hardening_WordPress" rel="nofollow">here</a> in regards to permissions. In order to reduce my chances of being hacked again I am also beefing up back-end security with some plugins recommended <a href="http://blog.taragana.com/index.php/archive/20-wordpress-security-plug-ins-and-tips-to-keep-hackers-away/" rel="nofollow">here</a>. That’s a good question about the code in a comment. I don’t think so, but I am no WordPress expert either.

What I did was back up the database, change the passwords for the database, FTP and WordPress account (for both me and Peter), then do a search and delete for instances of eval(base64_decode(blahblahblah)), which had infected almost 400 files; then finally I “updated” WordPress (I was already running the latest version). At this point the site was still redirecting somewhere dodgy and I couldn’t find the script that was doing it, so I disabled all the plugins and the redirecting stopped. I tried activating the plugins one by one, but gave up after the 4th one in a row came up infected–I’m pretty sure they were all infected. So I just deleted all of them and am now in the process of reinstalling them again. At this point I have again changed all the passwords.

I’m pretty sure my problem was that I had some files with 777 permissions (allowing anyone to write to them), and the bots found them. I’m now following closely what WP themselves are recommending here in regards to permissions.

In order to reduce my chances of being hacked again I am also beefing up back-end security with some plugins recommended here.

]]> By: Sussex photographer http://enticingthelight.com/2010/04/22/etl-hack-causes-major-disruption-to-service/comment-page-1/#comment-3324 Sussex photographer Fri, 23 Apr 2010 13:23:15 +0000 http://enticingthelight.com/?p=6266#comment-3324 That is nasty. My own site is based on Wordpress too so I'd be interested in knowing what was done. I'm not a Wordpress expert. What I would probably have done is back up the blog database and then reinstall everything. I wouldn't know how to do that straight off but would be able to figure it out. But then I'm not sure that would have handled everything. Is it possible for dodgy code to get into the database via a comment? That is nasty. My own site is based on WordPress too so I’d be interested in knowing what was done. I’m not a WordPress expert. What I would probably have done is back up the blog database and then reinstall everything. I wouldn’t know how to do that straight off but would be able to figure it out. But then I’m not sure that would have handled everything. Is it possible for dodgy code to get into the database via a comment?

]]> By: Miserere http://enticingthelight.com/2010/04/22/etl-hack-causes-major-disruption-to-service/comment-page-1/#comment-3322 Miserere Fri, 23 Apr 2010 12:47:14 +0000 http://enticingthelight.com/?p=6266#comment-3322 Thanks, Javier. I'm taking steps to ensure it doesn't happen again. It's not even like the hackers were after anything...and it was probably an automated hacking program, not even a person. There is no point to this type of hacking except to annoy good people like you and me. Thanks, Javier. I’m taking steps to ensure it doesn’t happen again. It’s not even like the hackers were after anything…and it was probably an automated hacking program, not even a person. There is no point to this type of hacking except to annoy good people like you and me.

]]> By: javier http://enticingthelight.com/2010/04/22/etl-hack-causes-major-disruption-to-service/comment-page-1/#comment-3316 javier Fri, 23 Apr 2010 06:12:23 +0000 http://enticingthelight.com/?p=6266#comment-3316 Sorry to hear this mis... Sorry to hear this mis…

]]>