Posts from September 2009.

Yikes, I’ve Been Hacked!

Guess who got hit by the WordPress worm that’s been doing the rounds?!

Ironically, it all kicked off as I started to work on the site in preparation for moving to a brand new format.

While Integrity was doing its thing, checking that I’d converted a load of fully qualified links to relative ones before doing a wget archive for posterity, I started to notice a lot of bad requests for pages that really should be fine.

When I hopped over to my site it was blank. Uh oh.

Luckily I still had another tab with the WordPress console open from where I’d been updating a few posts, and that seemed fine. As I browsed around I noticed a few strange things though.

First I noticed that I was getting some weird text in the upper right of the admin console, that later turned out to be the “Hello Dolly” plugin, which had been activated (not by me).

I then noticed the most scary thing: my post count was less than I expected. Instead of 173, it was 145. Where had all the rest gone? Within a minute the count was down to 133; someone/thing was deleting all my posts.

I quickly killed Integrity, which stopped the deletes, and continued looking around the WordPress console. I found that all my themes bar the one I had had active were gone, and the one remaining was inactive. That’ll be why the site was blank then: there was no theme to render the site with.

Having remembered that Andy Ihnatko had been hit by the worm, I went to his site and gathered as much info as possible about what the problem was and how to recover from it.

Luckily, I’d done an export from WordPress just the day before, so I was able to simply drop the infected database and create a clean one, download WordPress 2.8.4, install and configure from scratch, import the WXR file and copy across my unaffected images.

If you’re running anything less than WordPress 2.8.4 do yourself a favour and go directly to your WordPress console / Tools / Export and get yourself an export without looking at your own site. Get a copy of your wp-content folder quick smart. Then upgrade to WordPress 2.8.4.

You don’t want to waste approx 4 hours of your life to this mess, and you definitely don’t want to lose all your posts.

Tomorrow (actually, that’ll be later today considering the time) I’ll be going ahead with the move to a simpler site setup I had planned and was gearing up for already.

See you when the dust settles.