[wp-hackers] Website was hacked

Peter van der Does peter at avirtualhome.com
Mon Jun 17 12:35:43 UTC 2013

On Mon, 17 Jun 2013 00:48:46 +0400
webmaster at qcustodial.com wrote:

> I went to login to my WordPress site today but it was not accepting my
> username/password. It kept saying invalid username which I knew was
> valid. I accessed cpanel then phpmyadmin to find the username,
> password, and email had been changed. I used the generator on your
> site to provide a new password hash then using phpmyadmin I change
> the username and email back and set a new password. The password has
> been changed along with my cpanel and mysql passwords. It does not
> appear any changes were made other than this.
> The wired thing is the username was changed, which cannot be done in
> WordPress you have to do it in the database itself. Leading me to
> believe it was the web host that was hacked not my WordPress install.
> What are you thoughts? What else should I do?

I have been in the same boat no long ago, it actually happened more
than once. After I changed it all back(username/password) within a few
days it was compromised again. I didn't and still don't use the admin
username but the username I use for administrative purposes was changed
to admin.

After some investigation it was clear it was not a WordPress issue.
Some other site on the shared hosting got compromised and the hackers
were able to access a majority of tables in MySQL. I know for that was
it, as I did a bit more detective work.

I changed my theme to do the following:
When somebody tried to log as a admin user and it wasn't from my IP,
don't log them in. Send me an email with username, undecrypted
password , http referrer etc. With this info I was able to determine
they used a kiddie script from a certain site. That site was located on
the same shared server I was on. I got hold of the same script, it was
freely downloadble on the Internet, installed it on my server and I
could access several other sites on the shared server.

Long story short, just because you changed your username and password
back to something you know, does not mean your site won't be
compromised again.

Peter van der Does

GPG key: CB317D6E

Site: http://avirtualhome.com
GitHub: https://github.com/petervanderdoes
Twitter: @petervanderdoes

More information about the wp-hackers mailing list