Archive for June, 2005

DVD Guide Hosting Isolated to Minimize Potential Damage Due to Any Further WordPress Exploits

Sunday, June 26th, 2005

I have moved DVD Guide’s hosting to its own user account to minimize damage due to any further WordPress exploits (the hacker on Friday gained access to the file system and defaced several sites hosted under a single user account). Although this is my only site that currently uses WordPress, security vulnerabilities may be present in any software, so hosting isolation may be prudent for all of my Web sites.

Initially, I had WordPress prepare its database tables anew, but after being unable to find any content and setting import and export functionality built into WordPress, I deleted the newly prepared tables then restored the old ones (sans the user account created by the hacker and with my own user level restored, of course) and changed my password again for good measure (it reverted to the old one when I restored the old database). I am not completely comfortable using the old tables as I do not know what other damage the hacker may have done to my database, but until I have a tool or time to restore only known-good WordPress content and settings without breaking any inter-table references, metadata, or who knows what else, it will have to do.

I noticed some strange things when exporting my WordPress database, including that WordPress has not actually deleted comments that I had it remove from the site after I found them to be spam. How strange.

Ryan Boren, one of the WordPress developers, got back to me about the breach and he thinks it may have been due to the known vulnerability in WordPress 1.5.1.1 despite their corresponding “Security Update” page saying “if you’re running the default template”, which seems to ascribe the vulnerability particularly to that configuration. Hopefully, that was it and WordPress 1.5.1.2 will prove more resilient.

My installation of WordPress was hacked!

Saturday, June 25th, 2005

My installation of WordPress was hacked last night. I have deleted the previous installation and installed the latest version, 1.5.1.2, but I do not know if it will be any more secure since the vulnerability 1.5.1.2 fixes from 1.5.1.1 may or may not be related (obviously, I have not been using the “default template” mentioned in the May 27th “Security Update” post in the WordPress Development Blog, but that does not mean that the same vulnerability may not also affect other templates, such as those in the Blix theme).

I am not yet certain about the point of entry, but I have had some suspicions. A new user account was created even though I have always kept the user-creation functionality of WordPress disabled. Thus, I first suspected the user-creation system because I received a user-creation notification e-mail marked 8:40pm and because hacker-uploaded files and hacker-modified files had modification times after that, but now I have my doubts because wp_users.user_registered was set to “1999-01-01 03:40:06” for the new user account (the wp_users.user_registered value for my own account is “0000-00-00 00:00:00”, which is also rather odd, but probably normal for accounts created during WordPress installation) and because one of the hacker programs connects to MySQL itself.

Strangely, the user account created by the hacker does not show up for me when I click on “Users” in the main WordPress menu; when I do, I see only the “Your Profile” tab with my own profile and my “Level” set to 4. The corresponding field in the database, wp_users.user_level, was set to 10 for the hacker. I do not know what my level was set to before, but I suspect it was higher since clicking on “Upload” then “options” results in the following unlikely message for an administrator:

You do not have sufficient permissions to access this page.

Could the breach have been through the upload system? I will continue to look into it, but if you have any further information, please feel free to share what you know in the comments.