Yup, I was hacked. Before I get into it, I have to say I'm disappointed in WordPress. It should be designed such that when you first install it (or reinstall as was the case with this little screwup) that there is no way to accidentally allow someone to hijack your site.
Nuff said. So here is what happened. Friday while I was at work, I went to my AXORiON.com web site, as I have a notes web app running on it; just some handy scripts or command line options I use frequently at work and home. When I went to my page, I noticed a new WordPress (WP) setup page came up. This was bad because I hadn't been using WP in a long time, probably a couple years. I had tried it way back, but decided to just use my home brewed CMS system. So I thought no big deal, I would deal with it later when I got home. I didn't get to check on it till Monday, and by then it was too late. I had already been hacked at some point over the weekend. In fact, both AXORiON.com and 8BitCoder.com were hacked. This is what the page looked like on Monday when I went to my site:
So I ssh'ed in and took that down and started poking around. I managed to find a few suspicious files:
index.php js.php b18047
index.php was obvious, as it had a bunch of UUEncoded crap at the top of it.
And a closer look at that urlgz line:
I haven't tried decoding it, but my understanding is that PHP can decode that crap and then execute it as a script.
However, the worst offending file was js.php. It provided the hacker with the ability to list and upload files.
The hacker had actually tried to get back in by re-uploading the index.php before I had finished my cleanup. After I replaced the index.php file a placeholder, I stepped away from my desk, and when I came back, my site was showing the hacked page again. The little pee brained snot head!
My hosting provider has a very convenient feature called one-click installs. This lets you install something like WordPress, and it will keep it up-to-date. If there are major updates, it will automatically install the latest version.
I had stopped using WP, and had my own index.php file in place. But I hadn't removed the WP files, or the one-click install setting in my providers hosting panel.
So when the automated update ran, it clobbered my index.php file with a fresh version of WordPress. This caused my site to start showing the new WP install page, which is pretty much a wide open system.
Because the system was in a setup state, a hacker saw it, and he was able to hi-jack the new setup. Apparently he managed to point WP to his own database, then use WP's own ability to allow files to be uploaded. I don't yet know how that happened since I don't use WP very often.
So there you have it. I'm much happier with my own CMS, which also inspired me to make a few improvements to my CMS system. I cleaned up the look just a little, and added the Like/Dislike buttons to pages and news articles. Feel free to use them.
Copyright © 2019, Lee Patterson