A couple of days ago, I got notice from Google (and from many fine friends who pointed out my blacklisted status) that my blogs had been hacked. As has happened before, the malware infected all of my blogs at once, so I had a lot of cleaning to do.
Thanks to John for his helpful post. This is not the first time my blog has been hacked, but this is by far the most thorough I’ve been in trying to stamp it out. Here are the steps I took yesterday, in no particular order:
- All related passwords changed (ftp, user, database)
- WordPress software freshly installed
- Plugins scoured for offending code
- All dormant or unused websites shut down and removed, with their databases backed up and then deleted. I lamented taking down some of my student work, but since I don’t really look at it afterward, it was costing me time for nothing. GONE.
- Using the shell, I did plenty of grepping and finding to locate ‘open to the world’ directories and a few errant infected files. While the latter were bad, I suspect it’s the former that allowed my sites to get infected in the first place. I also discovered several seemingly legitimate files (with names like ‘https.php’) that were evil, and a couple of directories that had been chmodded so that I was not allowed to read or write in them. Inside? Evil files.
The only opening I see is if my database itself has offending code in it. I could not find any pages that discussed either how to diagnose or how to fix a corrupted database, so I’ve backed up the newly clean sites entirely and will do a complete reinstall if I get infected again, and will have to figure out how to detect injected code in the MySQL database itself.
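The shell checks described in the list above, plus a first pass at the database question, as an added example (these are not the author’s commands, and the sample site tree, file names, file contents and SQL dump they run against are constructed here for illustration). The functions look for the same things the cleanup found: world-writable directories, directories with their read bit stripped, PHP dropped into wp-content/uploads, PHP files in the docroot whose names are not part of a stock WordPress install (so a look-alike such as https.php stands out), PHP using the usual obfuscation calls, and, in a mysqldump of the site, injected script or iframe markup in post content or options:

```shell
#!/bin/sh
# Added example, not the author's commands. Scans a WordPress document root for
# the indicators the post describes and greps a SQL dump for injected markup.
# Every path, file name and file body below is constructed for illustration.

# 1. Directories writable by everyone ("open to the world").
find_world_writable_dirs() {
  find "$1" -type d -perm -0002 2>/dev/null
}

# 2. Directories whose owner cannot read them: files dropped there stay hidden
#    from a casual listing and from a naive scanner.
find_unreadable_dirs() {
  find "$1" -type d ! -perm -0400 2>/dev/null
}

# 3. PHP anywhere under wp-content/uploads. WordPress never stores code there,
#    so any .php in that tree is a dropper or a web shell.
find_php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null
}

# 4. PHP files in the docroot that are not part of a stock WordPress install
#    (catches look-alike names such as https.php).
find_unexpected_root_php() {
  for f in "$1"/*.php; do
    [ -e "$f" ] || continue
    case "$(basename "$f")" in
      index.php|wp-activate.php|wp-blog-header.php|wp-comments-post.php|\
      wp-config.php|wp-config-sample.php|wp-cron.php|wp-links-opml.php|\
      wp-load.php|wp-login.php|wp-mail.php|wp-settings.php|wp-signup.php|\
      wp-trackback.php|xmlrpc.php) ;;
      *) echo "$f" ;;
    esac
  done
}

# 5. PHP files using the obfuscation idioms injected code almost always relies
#    on. Legitimate plugins sometimes use these too, so read every hit.
find_suspicious_php() {
  find "$1" -type f -name '*.php' -exec \
    grep -lE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|assert\(' {} + 2>/dev/null
}

# 6. The database: dump it (mysqldump -u USER -p DBNAME > dump.sql) and grep
#    the dump for markup that has no business in post content or options.
find_injected_sql() {
  grep -nE '<script|<iframe|eval\(|base64_decode' "$1"
}

# Constructed sample tree that reproduces each finding; prints its path.
make_sample_site() {
  umask 022
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads/2013" "$site/wp-content/cache" "$site/wp-content/hidden"
  echo '<?php /* stock file */' > "$site/index.php"
  echo '<?php /* stock file */' > "$site/wp-login.php"
  echo '<?php eval(base64_decode("ZWNobyAxOw=="));' > "$site/https.php"
  echo '<?php @eval($_POST["c"]);' > "$site/wp-content/uploads/2013/image.php"
  echo '<?php /* nothing here */' > "$site/wp-content/hidden/.x.php"
  chmod 0777 "$site/wp-content/cache"      # open to the world
  chmod 0000 "$site/wp-content/hidden"     # owner cannot read or write
  cat > "$site/dump.sql" <<'EOF'
INSERT INTO `wp_posts` VALUES (1,'Hello world!','<p>Welcome.</p>');
INSERT INTO `wp_posts` VALUES (2,'Links','<p>ok</p><script src="http://example.invalid/x.js"></script>');
INSERT INTO `wp_options` VALUES (3,'siteurl','http://example.invalid');
EOF
  echo "$site"
}

# Run every check against the constructed tree; point SITE at a real docroot
# and DUMP at a real mysqldump to use it for real.
SITE=$(make_sample_site)
for check in find_world_writable_dirs find_unreadable_dirs find_php_in_uploads \
             find_unexpected_root_php find_suspicious_php; do
  echo "== $check"
  "$check" "$SITE"
done
echo "== find_injected_sql"
find_injected_sql "$SITE/dump.sql"
chmod -R u+rwx "$SITE" && rm -rf "$SITE"
```

Fix what the first four checks report before worrying about the fifth: the permission findings are what let the files in, and the grep for obfuscation will miss anything that is encoded differently. For the database, the usual injection points are post_content in wp_posts and the siteurl, home and widget rows in wp_options, so read those rows of the dump by hand even when the grep comes back empty.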
Ugh. Oh well, I’ve requested a review from Google, so hopefully you’ll find my site un-blacklisted sometime soon. Enjoy.