[Nottingham] We've been hacked/cracked! THREE times!!!

James Green jkg at earth.li
Wed Jan 29 20:58:51 UTC 2014

On 29 January 2014 08:59, Martin <martin at ml1.co.uk> wrote:
> Folks,
> FYI:
> OK, so our WordPress site has been attacked, from what looks to be three
> attempts! All on 21/01/2014 and 28/01/2014.
> The unexplained part is for how a number of ".php" files were uploaded.
> However, despite a few thousand hits from various (soon blacklisted) IP
> addresses, their logged attempts to access the rogue php returned
> nothing more than a "403"...

Hi Martin

It's Moveable Type rather than Wordpress, but you might find some
similarities between your case and what happened to
http://blogs.perl.org/ last week. Limited details are at
http://blogs.perl.org/users/meta/2014/01/security-breach.html but
essentially from speaking to people closer to the issue, a flaw in MT
allowed the attacker to upload some PHP files, execute them, and
extract the contents of the database -- specifically, the user table.

Is your Wordpress fully updated? I noticed mine just auto-upgraded
(nifty feature!) to 3.8.1, so it might be worth making sure...
Hopefully the route by which the files were uploaded is closed in the
latest release.

Someone recently described WP as "a remote shell with a convenient
blog engine plugged in" -- but the auto-updater makes me a little less
nervous about mine!


[Re-sending from the right address this time, hopefully!]

More information about the Nottingham mailing list