Over the weekend, I spent several hours cleaning up yet another hacker who had infiltrated my server account. I became aware of him only after upgrading a couple of my WordPress installations from 2.5 to 2.5.1, only to find that the version number shown in my dashboard still showed 2.5. I searched the WordPress support forums and didn’t find anything useful for a while – until I came across a link to this blog entry (http://wordpressphilippines.org/blog/has-your-wordpress-been-hacked-recently/) detailing the symptoms of a known hacker and how to look for and clean up after him. Sure enough, I found the presence of an unwanted text file, as well as a WordPress user who only showed up in the DB (and nowhere else) and an active plugin (that also showed up only in the DB and nowhere else) that pointed to a file in the tmp directory at the root of my server account. I’ve had to go through every database and certain tables to find traces of this guy and purge him out. Most of the WordPress installations on my account are still offline as I work through changing passwords to the DB and user passwords to WordPress and bring each back online one by one. It’s time-consuming and messy.
Interestingly, solving this problem also remedied problems I’ve been having with the new WP 2.5 Media Uploader. A couple of weeks back, the uploader suddenly stopped working, asking the user to log in again while trying to upload a file and then returning a 404 error and failing on the upload. I thought the problem was with WP 2.5 itself, but now I believe it to be another symptom of this hacker’s presence in my system. I’m happy that things are working better now, but I’m going to be much more vigilant in the future to this sort of tampering. I highly recommend reading the above linked article and checking your own setup for the presence of a hacker.
Sometimes I think hackers deserve their own special corner of the hot place.
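The plugin symptom described above (an active plugin recorded only in the database and pointing at a file outside the plugins directory) can be checked mechanically. The following is an added example, not part of the original post; the sample option value, the file names in it and the function names are constructed for illustration. It assumes the value of the `active_plugins` row in `wp_options`, which WordPress stores as a PHP-serialized array of paths relative to `wp-content/plugins`.

```python
import posixpath
import re

# Constructed sample of an active_plugins option value (not from a real site).
SAMPLE = ('a:3:{i:0;s:19:"akismet/akismet.php";'
          'i:1;s:9:"hello.php";'
          'i:2;s:31:"../../../../tmp/constructed.php";}')

_HEADER = re.compile(rb"a:(\d+):\{")
_ITEM = re.compile(rb'i:\d+;s:(\d+):"')


def parse_active_plugins(raw: str) -> list[str]:
    """Decode a PHP-serialized list of strings; lengths are byte counts."""
    data = raw.encode("utf-8")
    head = _HEADER.match(data)
    if not head:
        raise ValueError("not a serialized PHP array")
    pos, entries = head.end(), []
    for _ in range(int(head.group(1))):
        item = _ITEM.match(data, pos)
        if not item:
            raise ValueError(f"unexpected token at byte {pos}")
        start = item.end()
        end = start + int(item.group(1))
        if data[end:end + 2] != b'";':
            raise ValueError(f"string length mismatch at byte {start}")
        entries.append(data[start:end].decode("utf-8", "replace"))
        pos = end + 2
    if data[pos:pos + 1] != b"}":
        raise ValueError("array not terminated")
    return entries


def suspicious_plugins(raw: str, installed: set[str]) -> list[tuple[str, str]]:
    """Flag entries that leave the plugins directory or have no file on disk.

    `installed` is the set of plugin files actually present under
    wp-content/plugins, as relative paths (supplied by the caller).
    """
    findings = []
    for entry in parse_active_plugins(raw):
        norm = posixpath.normpath(entry)
        if entry.startswith("/") or norm == ".." or norm.startswith("../"):
            findings.append((entry, "resolves outside the plugins directory"))
        elif norm not in installed:
            findings.append((entry, "active in DB but no such file on disk"))
    return findings


if __name__ == "__main__":
    for path, reason in suspicious_plugins(SAMPLE, {"akismet/akismet.php"}):
        print(f"{path}: {reason}")
```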