I checked my blog this evening and discovered that every page redirected to some stupid malware site (offline now, was http://scanner.antivir64.com/?aff=1050). It was immediately obvious that I had been hacked. Fuck, that’s a first.
It took me about 30 minutes to get the site back to normal and start investigating. WP 2.6.1 has just come out today, so I updated immediately and changed my WordPress password. I also changed my cPanel password, though that was probably hopefully unnecessary.
How Did the Hack Happen?
After I found the redirect I immediately checked the .htaccess file. My intuition was right – the original WordPress .htaccess rules had been deleted and the file was configured to redirect any user with a non-empty referer to the site mentioned above (http://scanner.antivir64.com/?aff=1050). Unfortunately I was too anxious to get the site working again and didn’t think to save the .htaccess contents for later examination.
Next, I checked if there were any other changed files besides .htaccess. In Linux you can do it with this console command:
find . -mtime -1 -print
That command will show the files changed within the last 24 hours. In my case there were no other suspicious file modifications in my public_html.
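The same check as an added example (not code from the original post): the find command above, plus a second pass that flags a .htaccess containing the combination described here, a non-empty-Referer condition followed by a rewrite to an external URL. The sample sites and the malware.example URL are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the post's "find . -mtime -1"
# check plus a check for the tampering it describes, a .htaccess that sends
# every visitor with a non-empty Referer to an external URL. Sample files
# and paths below are constructed; point audit at a real web root to use it.

# List regular files under $1 modified within the last $2 days (default 1).
recently_modified() {
    find "$1" -type f -mtime "-${2:-1}" -print
}

# Exit 0 if the .htaccess at $1 tests Referer for "non-empty" AND rewrites
# to an absolute http(s) URL, the combination the post found; else exit 1.
suspicious_htaccess() {
    grep -q -i -E 'RewriteCond[[:space:]]+%\{HTTP_REFERER\}[[:space:]]+!\^\$' "$1" &&
    grep -q -i -E 'RewriteRule[[:space:]]+[^[:space:]]+[[:space:]]+https?://' "$1"
}

# Create two constructed sample sites in a temp dir and print its path:
# stock WordPress rewrite rules, and the redirect the post describes.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/clean" "$d/tampered"
    cat > "$d/clean/.htaccess" <<'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
EOF
    cat > "$d/tampered/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteRule ^(.*)$ http://malware.example/?aff=PLACEHOLDER [R=301,L]
EOF
    echo "$d"
}

# Report recent changes under web root $1 and flag any suspicious .htaccess.
audit() {
    echo "Files changed in the last ${2:-1} day(s) under $1:"
    recently_modified "$1" "${2:-1}"
    find "$1" -name .htaccess | while read -r f; do
        if suspicious_htaccess "$f"; then echo "SUSPICIOUS: $f redirects referred visitors off-site"; fi
    done
}

audit "$(make_samples)"
```

Run it against public_html instead of the constructed temp dir; a clean WordPress install prints no SUSPICIOUS line.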
The next thing I did was download and examine the server access logs. However, I wasn’t able to find anything of use because the earliest entry in the log was from 11:30, and the hack was already in effect then. I’m not familiar with the default log policy for my server so I don’t know if this absence of useful logs is coincidental or deliberate.
I will contact my hosting company and see if they can provide any additional info.
I feel it’s too early to try and make any useful conclusions. At the moment there is just a general feeling of unease and a quiet voice in my head whining “I told you you should make backups! You got off easy this time, but think of what might happen if the hacker was really malicious?!” (yes, even my inner voice talks like that).
Personally I suspect the hacker used a WordPress vulnerability or a plugin bug to get in. Hacking my cPanel/SSH/whatever would be much harder, in which case the hacker probably wouldn’t have confined himself to a mostly-harmless .htaccess modification upon succeeding.
If I manage to find out anything else I’ll post about it later. Otherwise it’s back to “our scheduled programming” of infrequent and mostly random posts.