Mar 05, 2014
 

So, I really should check back here more often. It appears that on February 7, 2014 the FTP password for my webhost was compromised, and on the 8th the webhost reset the password for me. I never got that email.

The hacker group which identified itself as “Black CyberSec Crew” replaced my index.php file and placed one other file (that I found) with their content in the root of my site’s folder. All in all, it seemed to be a pretty benign hack, more to either underscore a weakness in the software I or my host was running, or to exploit a password that got out into the wild. (The password I had on FTP wasn’t weak; it was kind of a generic admin password I have used in the past.) Whichever was the case, they appear to have just left their mark and not damaged my content (lacking as it is) or distributed malware/porn, and for that I thank them.

So, how did I recover?

I had a few concerns. First, I really have no idea how much they accomplished. Did they inject the content through a software hack? (Seems possible based on the limited damage.) Did they get access to FTP credentials? (Seems likely because of the new file in the root of the site folder, and the web host locking the FTP account.) I’ll never know for sure what they did or didn’t do. What I DO know is that my database password and authentication unique keys are in my wp-config.php file. Malicious or not, those had to be changed, because I don’t know if they got a look in there. Also, the FTP password is suspect, and it won’t do to leave the site admin password the same after an upgrade. But first, I need to get my site working again.

The first thing I did was reset my database password on my host. I didn’t want the site making any changes to the database once I started fooling with it. Next I reset my FTP password, and then began investigating my site via FTP. I found the two changed files I mentioned above, and decided I’d start with replacing them. I downloaded a fresh copy of WordPress, deleted AP.php, and replaced index.php with the fresh download. Index.php normally holds no real content for a WordPress site; it’s just a shell that loads your actual content. This is what I saw in mine. That seemed to fix it. An average Joe might have just called it a day, but I’m a little more paranoid than that.

Next, WordPress software had to be updated. But, being the paranoid bastard I am, I refused to log into the site yet. If the software had been compromised via FTP credentials, I wasn’t about to hand over my site admin credentials to a hacked login page. That meant two things. 1) A manual upgrade of WordPress needed to be done, and 2) I couldn’t log in to disable Plugins and Themes like they tell you to do over and over before upgrading. Ah well.

First, I followed these instructions. Once the files had all been replaced with fresh ones, I opened wp-config.php, and updated it with my new database password, and generated new secret keys at the site WordPress links to in wp-config.php. Once the password and keys had been updated, the site should have technically been up and ready to go.


A theme error is all I get when I try to load the site. Well, you can’t say no one tried to warn me. I found this page very helpful. I used the FTP method, applying that rename method to both my themes AND plugins folders. I then attempted to get to my login page directly again at http://cpl-shoe.com/wp-admin/, and it worked! Next, I updated my Site Admin password to a fresh pile of garbage. Lastly, I copied new plugin/theme folders from the WordPress install I had downloaded, refreshed the page to get them to show up, and then started moving, updating, activating and testing things one by one. (Things still aren’t quite right; apologies for Lightbox not behaving.)
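The recovery steps above (compare the site against a fresh WordPress download, rename the plugins/themes folders so nothing loads, rotate the secrets in wp-config.php) can be scripted once you have pulled the site's files down over FTP. The following is an added example, not a script from the post or from WordPress itself. It assumes a fresh unpacked WordPress copy in one directory and the site's files in another; the fixture it builds for a dry run (index.php, AP.php, a "hello" plugin) uses placeholder contents and is constructed here, and the rename and secret helpers are my own names, not WordPress functions.

```shell
#!/bin/sh
# Added example (not the post author's script): a post-compromise integrity
# check for a WordPress tree, the "rename to disable" step for plugins/themes,
# and an offline secret generator for the wp-config.php keys.
# Assumptions: a freshly downloaded, unpacked WordPress copy in FRESH_DIR and a
# local copy of the site's files (e.g. pulled down over FTP) in SITE_DIR.

# List core files that differ from the fresh copy (MODIFIED), core files that
# are gone (MISSING), and files outside wp-content/ that the fresh copy does
# not ship (EXTRA), which is how a dropped-in file like AP.php would surface.
# wp-config.php is skipped because it is site-specific and never in a download.
wp_integrity_check() {
  fresh="$1"; site="$2"
  ( cd "$fresh" && find . -type f ) | sort | while read -r f; do
    if [ ! -f "$site/$f" ]; then
      echo "MISSING $f"
    elif ! cmp -s "$fresh/$f" "$site/$f"; then
      echo "MODIFIED $f"
    fi
  done
  ( cd "$site" && find . -type f ! -path './wp-content/*' ! -name 'wp-config.php' ) \
    | sort | while read -r f; do
      [ -f "$fresh/$f" ] || echo "EXTRA $f"
    done
  return 0
}

# Disable every plugin or theme at once without logging in: WordPress only
# loads from wp-content/plugins and wp-content/themes, so renaming the folder
# is enough. Rename it back (or copy fresh folders in) once the core is clean.
wp_disable_dir() {
  [ -d "$1" ] || return 1
  mv "$1" "$1.hold"
}

# 64 random characters suitable for an AUTH_KEY-style value in wp-config.php;
# an offline stand-in for the key generator service the post links to.
wp_new_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
  echo
}

# Constructed fixture for a dry run: a two-file "fresh" copy and a "site" copy
# with a defaced index.php, a dropped-in AP.php and one plugin. Placeholder
# contents only; prints the temp directory it created.
build_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/fresh/wp-admin" "$root/fresh/wp-content/plugins" \
           "$root/site/wp-admin" "$root/site/wp-content/plugins/hello"
  printf '<?php require __DIR__ . "/wp-blog-header.php";\n' > "$root/fresh/index.php"
  printf '<?php // admin stub\n' > "$root/fresh/wp-admin/index.php"
  cp "$root/fresh/wp-admin/index.php" "$root/site/wp-admin/index.php"
  printf '<html>defacement placeholder</html>\n' > "$root/site/index.php"
  printf '<?php // placeholder for the unexpected file\n' > "$root/site/AP.php"
  printf '<?php // DB_PASSWORD and AUTH_KEY live here\n' > "$root/site/wp-config.php"
  printf '<?php // plugin\n' > "$root/site/wp-content/plugins/hello/hello.php"
  echo "$root"
}

# Usage: sh wp_recover.sh --demo   (runs against the constructed fixture)
#        or source the file and call wp_integrity_check FRESH_DIR SITE_DIR
if [ "${1-}" = "--demo" ]; then
  r=$(build_fixture)
  wp_integrity_check "$r/fresh" "$r/site"
  wp_disable_dir "$r/site/wp-content/plugins" && echo "plugins folder renamed to plugins.hold"
  echo "new secret: $(wp_new_secret)"
  rm -rf "$r"
fi
```

Run with --demo and the check reports MODIFIED ./index.php and EXTRA ./AP.php, which is exactly the pair of files the post found by hand; against a real site, anything it prints outside wp-content is worth a look before you log in, and wp-content itself is best replaced wholesale from the fresh download as the post ends up doing.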

Moral of the story is, check on your site at least every time you change the batteries in your smoke detector, or someone’s gonna have some fun with it. If the person/people responsible want to talk about the how/why of what they did, I’m interested. You gave me something interesting to do on a Wednesday night, and a good reason to make a fresh post, and for that I thank you!

shoe@cpl-shoe.com
@BradSchubring

Edit:

Bonus material! I was confused as to why I didn’t find my page listed on their Facebook page, and for some reason the post seems to have been deleted. But, I found it in Google’s cached pages.

./BL4CK E4GL3

Posted at 22:54
