Lessons learned

2009 April 9
by Drew

If you’ve tried to come to this site in the past week or so, you’ve probably noticed that it has been in various states. At first it may have set off your antivirus program, then maybe it was just the default WordPress template, or maybe it was just blank. The reason for this, as you’ve probably guessed, was that my WordPress install was hacked and I was trying to get things stitched back together.

One of my connections on Twitter was the first to alert me (thanks again, @dartdog!) that something was fishy about the site. An error message was warning him that the site was trying to download a malicious file. When I took a look, an iframe was being appended to the end of the HTML (after the </html> tag). This iframe was then trying to download some nasty file that was masquerading as a PDF.

After voicing my problem on Twitter, one of my friends from UA (and more recently Twitter: @spencerwyatt) was quick to respond with a very helpful email that pointed out some potential causes of the problem, as well as a couple of ways to go about fixing it. I’m very appreciative of his time and insight regarding my problem.

So, the first place I looked for the source of the problem was the database. After a few Google searches I found that the “options” table is where you can sometimes find traces of malicious attacks. After thoroughly scanning this table, I decided that it had not been compromised. I then moved to the comments table; again, nothing turned up. After scanning some more tables, I came to the conclusion that my database must have been unaffected (cue relief).

About this time I received a fantastic email from Dreamhost that said in attacks like this, files on the server sometimes get changed to include the malicious code. It said this usually happens when CMSs, etc., are not running the most recent version (at the time I had not upgraded to the most recent WordPress version). I looked for any file(s) that had been updated more recently than the others, but nothing really stuck out. However, at this point I decided that, because the database was intact, I would just do a fresh WordPress install. My theme was only slightly modified (and wasn’t really my favorite anyway), so I didn’t even save off my theme files.

Because Dreamhost is awesome, it took less than a day to delete everything from my directory and get a fresh install in place. After making a quick edit to the wp-config.php file to make sure it was pointing to my old tables, the site was back in action. A few minor modifications to the theme and my world was happy again.
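The two checks I did by hand above, looking for markup appended after the closing </html> tag and for files changed more recently than the rest of the install, can be scripted. This is an added example, not code from the original post or from WordPress or Dreamhost; the file names, the cutoff of seven days and the `example.invalid` host in the sample page are all constructed for the demo.

```python
import os
import tempfile
import time
from pathlib import Path

# Constructed samples: a page with a hidden iframe appended after </html> (the
# symptom described above) and a clean page. example.invalid is a placeholder.
SAMPLE_INFECTED = (
    "<html><body><p>hello</p></body></html>\n"
    '<iframe src="http://example.invalid/file.pdf" width="1" height="1"></iframe>\n'
)
SAMPLE_CLEAN = "<html><body><p>hello</p></body></html>\n"

def trailing_markup(html):
    """Non-whitespace content after the last </html>, or '' if there is none.
    PHP templates can legitimately carry code after </html>, so treat a hit as
    something to review by hand rather than proof of compromise."""
    idx = html.lower().rfind("</html>")
    return "" if idx < 0 else html[idx + len("</html>"):].strip()

def recently_modified(root, newer_than_epoch):
    """Files under root whose mtime is later than newer_than_epoch (seconds)."""
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and p.stat().st_mtime > newer_than_epoch)

def scan_tree(root, newer_than_epoch):
    """Run both checks over a WordPress-style tree and return a report."""
    report = {"recent": recently_modified(root, newer_than_epoch), "trailing": {}}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in (".php", ".html", ".htm"):
            extra = trailing_markup(p.read_text(errors="replace"))
            if extra:
                report["trailing"][str(p)] = extra[:80]
    return report

def demo():
    """Scan a tiny constructed tree: one backdated clean file, one fresh one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "wp-content"
        root.mkdir()
        (root / "index.html").write_text(SAMPLE_CLEAN)
        (root / "footer.php").write_text(SAMPLE_INFECTED)
        month_ago = time.time() - 30 * 24 * 3600
        os.utime(root / "index.html", (month_ago, month_ago))
        report = scan_tree(d, time.time() - 7 * 24 * 3600)
        # Return paths relative to the temp root so the result is stable.
        report["recent"] = [Path(p).relative_to(d).as_posix() for p in report["recent"]]
        report["trailing"] = {Path(k).relative_to(d).as_posix(): v for k, v in report["trailing"].items()}
        return report
```

On a real install, point `scan_tree` at the web root and use the mtime of a file you know is untouched (such as wp-config.php) as the cutoff; anything in `trailing` still needs a manual look, since some templates end with PHP after </html>.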

So here they are, the lessons I’ve learned:

  1. BACKUP, BACKUP, BACKUP (there are even plugins for it)
  2. Keep things up to date (I had gotten sloppy and it could have been worse than it was)
  3. Keep the directories organized (this made it much easier to get stuff I wanted to keep before the reinstall)
  4. Did I mention to back everything up regularly?

This may have been a big pain in the neck for me, but it served as a good reminder of just how important it is to keep things secure. If you aren’t backing up regularly (I’m looking at you, me), then you are just tempting fate. Don’t be stupid like I was; keep your stuff up-to-date and backed up.
