The sad tale of my hacked site

Let me tell you the tale of my hacked site.

A couple of months ago I noticed that my RSS feeds weren’t validating. I was getting these weird ?? all the way through and people couldn’t grab my feeds properly. A closer look at the bottom of my index page source code revealed a bunch of links that I didn’t put there.

Shocked, I went to the WordPress Forums to ask for help.

They immediately advised me to check the permissions of the folders (which I had changed to allow a plugin to work) and then change the passwords of my database and blog, which I did, but the links still showed up.

Then someone on the forum suggested my database had been hacked.

I emailed the Marvellous Meg who suggested I talk to Simone who had had a similar problem.

Simone did have a similar problem and solved it by upgrading her WordPress files.

Meg contacted another friend of hers who suggested I:

(Step 0: Backup everything)
1: Is PHP running as an Apache module or CGI? (If running as a module, anyone on the shared server can get to your database contents)
2: Delete all the files in my account (Even if you’re using extra files, e.g. theme files, if they’re on the server someone else might be able to access them)
2.1: Reinstall WordPress (latest version)
2.1b: Use the WordPress default theme to ensure that the theme itself isn’t a security hole
2.2: Reload WordPress database
2.2b: Check that there are no other admin accounts in the database
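
An added example for step 2.2b (not part of the original post or of WordPress itself): it lists every account that holds administrator rights, either through the role or the legacy user level, and flags the ones you do not recognise. It assumes the default `wp_` table prefix; the users and meta rows are constructed samples loaded into an in-memory SQLite database so it runs offline, and the same SELECT can be pasted into MySQL against the reloaded database.

```python
import sqlite3

# Constructed sample rows standing in for a reloaded WordPress database.
SAMPLE_USERS = [
    (1, "admin", "owner@example.com", "2003-02-01 10:00:00"),
    (2, "guestwriter", "guest@example.com", "2006-05-12 09:30:00"),
    (3, "wpsupport", "x@example.net", "2007-11-20 03:14:00"),
    (4, "oldeditor", "ed@example.com", "2004-08-02 18:45:00"),
]
SAMPLE_META = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"author";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (4, "wp_user_level", "10"),  # admin-level value that does not match the role
]

# Roles are stored PHP-serialized in wp_usermeta, so match the quoted role name.
# The legacy wp_user_level value 10 also means administrator.
ADMIN_QUERY = """
SELECT DISTINCT u.ID, u.user_login, u.user_registered
FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
WHERE (m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%"administrator"%')
   OR (m.meta_key = 'wp_user_level' AND m.meta_value = '10')
ORDER BY u.user_registered
"""

def load_sample():
    """Build an in-memory copy of the two tables the check needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, "
                 "user_email TEXT, user_registered TEXT)")
    conn.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, "
                 "meta_value TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", SAMPLE_META)
    return conn

def admin_accounts(conn):
    """Every account with administrator rights, oldest registration first."""
    return conn.execute(ADMIN_QUERY).fetchall()

def unexpected_admins(conn, known_logins):
    """Admin accounts whose login is not one you created yourself."""
    return [row for row in admin_accounts(conn) if row[1] not in known_logins]

if __name__ == "__main__":
    for uid, login, registered in unexpected_admins(load_sample(), {"admin"}):
        print(f"review account {uid} {login!r}, registered {registered}")
```

Any account it reports that you did not create should be removed before the blog goes back online, and its registration date gives a rough idea of when the site was first accessed.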

However, in the meantime I started looking in the database to try and work out what had been hacked. I did find some weird files but in deleting them managed to create an error in the term_taxonomy table which meant my categories were disabled. [error 127]

I looked at my latest back-up - which had been made before I’d upgraded to WP 2.3 - and saw a wp_categories section which I didn’t have in my current database. PANIC. I must have accidentally, somehow without knowing it, deleted the categories table.

This was a red herring.

So while I was panicking about that I decided to follow Meg’s friend’s advice and delete EVERYTHING on the server and start afresh.

Now, I’ve been blogging for 5 years in various forms so there was A LOT of crap. I transferred everything to a thumb-drive and spent a Thursday evening deleting everything.

Then I uploaded a clean version of WordPress 2.3.1 (thought I may as well upgrade at the same time).

Amazingly - that fixed the problem of the nasty links and fixed my RSS feeds at the same time.

There must have been some hacked code in some of those old files.

But I still had an error showing in WordPress, and I couldn’t assign or see categories. So it was back to the database to try and work out what I’d done and whether I could restore the wp_categories section.

Well it turns out the new version of WP doesn’t have this section in the database at all! (I worked that out by installing a new WP blog on a new database and comparing tables carefully)

All I had to do was repair the table, which is very easy to do in MySQL. Simply select the table you want to repair - or select all - and click repair table. Of course I only worked that out tonight after days and days of agony!

So my blog is restored. The passwords are changed every week now and the database backed up every Monday (Maintenance Monday!).

It has been a valuable learning experience. :)