Has your blog been hacked?

While not a MySQL topic, as most of my readers view my MySQL Blog, my WordPress blog has been hacked? Has yours?

Like many, I’m sure you may have read about it like at WordPress blogs under attack from hack attack but I was surprised when my custom permlinks did not work.

Being surprised I looked at Administrator accounts, and I found that there was one more number then being displayed in the list. I had to dig into the database to find the problem.

mysql> select * from wp_users where ID in (select user_id from wp_usermeta where meta_key = 'wp_capabilities' and meta_value like '%admin%');
+-----+-------------+------------------------------------+---------------+------------------------------+---------------------------+---------------------+---------------------+-------------+--------------+
| ID  | user_login  | user_pass                          | user_nicename | user_email                   | user_url                  | user_registered     | user_activation_key | user_status | display_name |
+-----+-------------+------------------------------------+---------------+------------------------------+---------------------------+---------------------+---------------------+-------------+--------------+
|   1 | admin       | $P$BHZFK/prDplb/W/024yrH49JvAmmCE. | ronald        | ronald.bradford@xxxx.xxx.xx | http://ronaldbradford.com | 2005-11-21 23:43:47 |                     |           0 | Ronald       |
| 127 | ronald      | $P$B..e75VtFsv9bUGj5H5NTiXXPQIitr1 | ronald        | ronald.bradford@xxxxx.xxx    | http://ronaldbradford.com | 2009-02-22 20:13:33 |                     |           0 | ronald       |
| 133 | ChaseKent87 | $P$Bl8cVSzBums33Md6u2PQtUVY2PPBHK. | chasekent87   |                              |                           | 2009-09-05 06:36:59 |                     |           0 | ChaseKent87  |
+-----+-------------+------------------------------------+---------------+------------------------------+---------------------------+---------------------+---------------------+-------------+--------------+
3 rows in set (0.00 sec)

mysql> delete from wp_users where ID=133;
mysql> delete from wp_usermeta where user_id=133;

However the damage has been done, and an update to the recommend 2.8.4 is unlikely to fix the data corruption.

Being a good DBA I have a nightly backup of my database. Being a diligent system administrator, I have not 1 copy, by 3 copies of my system, one on my web site and two offsite.

The problem is I don’t keep older backups of my data, only a day old version.

Comments

  1. says

    Thanks for posting this, prompted me to check and notice that I was affected in the same way. I can’t see any impact though, besides the fake admin users of course are now deleted.

  2. says

    What you need is a versioned storage engine (a bit like SVN or BZR) so you can rollback rows over a long periods of time.

    In my last job I wrote a script to create hourly backups, we kept a few of those every day, and a few of those every week, and a few of those every month…. So we had backups of old data just in case. You could probably combine this with my work in WL#4783 for an awesome backup system.

  3. Jens says

    content=”WordPress 2.7.1″

    However, you still are using an old Version of WordPress. Nothing learned? It should’nt be too hard to update …

  4. says

    For backing up my blog, I like to use the WordPress Database Backup plugin:
    http://www.ilfilosofo.com/blog/wp-db-backup/

    I have a scheduled backup running that emails me the backup file, so I have an offsite backup with zero effort.

    If you don’t want to send it to your email, it can also save to the server, you just have to write a little cron to check for new backup files and SCP them to your offsite location of choice.

  5. says

    I tend to dump out all of my MySQL databases – not just my blog, and then store for a few weeks (6 in my case). Obviously, this does depend on storage being available to do so. My server runs under Debian, and I ship off to one server on one day, and another server on the next day. Using ssh keys, it means that it’s all done automatically from cron, every three hours.

    cd /home/backups/
    rm -rf sqldump*
    mysqldump -u root –password= > /home/backups/sqldump-$(date +%y%m%d%H)

    Then, this from crontab:
    15 */3 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,31 * * scp -i /home/backups/scpkey /home/backups/sqldump* username@server1:
    15 */3 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30 * * scp -i /home/backups/scpkey /home/backups/sqldump* username@server2:

    It seems to work pretty well. Not had any issues with it as yet.

    Gary

  6. says

    Er, I’d enclosed some bits in square brackets there which clearly didn’t work. The mysqldump line should’ve been:
    mysqldump -u root –password=(password) (database) > /home/backups/sqldump(database)-$(date +%y%m%d%H)