Wordpress / MySQL Hacked

wordpress

#1

Is it possible for me to restore my SQL databases? How?

My Wordpress blog / SQL database was hacked early Saturday morning by “Kid Fantasy”. It’s been over two days and still no response from support. I had a friend do a security scan of the server and this is what he found:


I think that your web server has been totally compromised. Of specific note, there is an IRC proxy service running on port 31337 (which is 'leet-speak for elite) and a telnet service running (probably a back door installed for continued access). Telnet = bad, but is especially suspicious when running alongside ssh (which is a secure version of telnet).

I have enclosed a security scan of your website that was taken last night, printed to a pdf.

Another note. This morning I found that your DNS was broken. Even if your web site and server were working perfectly, this would still be completely debilitating.

I am downloading the backup files from the hidden .snapshot directory as I type, but am trying to find out if it is possible to restore my SQL files. Also, my concern is: if the above is not corrected and I am forced to start from scratch, what’s to prevent ‘Kid Fantasy’ from hacking my site again? Any pointers to hardening my site would be appreciated.

Thanks…

-Patrick


#2

If you keep your own backups of the mysql data, you could restore it on your own. If not, support does keep backups, but they’re not user accessible.

As far as the IRC goes, I’m not sure how a chat program port is insecure, but I’m not overly well informed in that area.

Telnet and SSH are provided by Dreamhost; that’s a ‘feature’. I wouldn’t call it a back door either; it’s the way you can access the shell of your server (the command line interface). Telnet and SSH accomplish the same thing, but SSH sends all your stuff out encrypted, and telnet is just plain text. The fact that telnet is present doesn’t necessarily make it any easier to gain access to your server.

The DNS issues are already being worked on by Dreamhost. That started having problems this morning. Apparently there was something wonky with ns1, then there was a power outage at the facilities that store ns2. I’m not sure if all issues are resolved now, but if not they will be soon.

The best way to keep your site secure is to keep any scripts you have, like WordPress, up to date. Often there are security holes found and fixed by updates. That’s not a perfect solution, but it’s about as good as you can get.

I hope support gets back to you soon; I know how frustrating it can be waiting. However, I feel fairly certain in saying that your webserver has not been ‘totally compromised’. It would be much more likely that it’s just your site they defaced, and they weren’t able to gain access to the rest of the server. If all the sites on your server were out, there’d be a couple hundred people complaining to support and on these forums.

Have you checked to see if they really deleted your database, or is the data still there? Log into phpMyAdmin and see if there are still tables and the like there. A lot of times the place will just deface the website, rather than causing real havoc, in which case you can simply restore the website from the .snapshot backups.

Hope this helps.

-Matttail
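The reply above makes two practical points: check whether the tables and rows are actually still there before assuming the database is gone, and restore from the .snapshot backups if they are not. The script below is an added example (not code from the thread or from Dreamhost) that applies the same check to a mysqldump-format backup file before you load it: it lists every table the dump creates, counts the rows each INSERT carries, and flags a dump that has the WordPress tables but no users or posts, which is what a snapshot taken after the wipe would look like. The sample dump is constructed inline; the core table list and the "users and posts must be non-empty" rule are my assumptions about what a usable WordPress restore needs.

```python
"""Inspect a mysqldump-format WordPress backup before restoring it."""
import re

# Constructed sample dump (not a real backup). Quoted strings deliberately
# contain parentheses, a semicolon and a doubled quote, since real row data does.
SAMPLE_DUMP = r"""
-- MySQL dump (constructed sample)
DROP TABLE IF EXISTS `wp_users`;
CREATE TABLE `wp_users` (
  `ID` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `user_login` varchar(60) NOT NULL DEFAULT '',
  PRIMARY KEY (`ID`)
) ENGINE=MyISAM;
INSERT INTO `wp_users` VALUES (1,'patrick'),(2,'editor (part-time)');

DROP TABLE IF EXISTS `wp_posts`;
CREATE TABLE `wp_posts` (
  `ID` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `post_title` text NOT NULL,
  PRIMARY KEY (`ID`)
) ENGINE=MyISAM;
INSERT INTO `wp_posts` VALUES (1,'Hello world!'),(2,'It''s a test; (with) punctuation'),(3,'Third');

DROP TABLE IF EXISTS `wp_options`;
CREATE TABLE `wp_options` (
  `option_id` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  PRIMARY KEY (`option_id`)
) ENGINE=MyISAM;

DROP TABLE IF EXISTS `wp_comments`;
CREATE TABLE `wp_comments` (
  `comment_ID` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  PRIMARY KEY (`comment_ID`)
) ENGINE=MyISAM;
"""

# Same schema with every INSERT stripped: what a snapshot taken after the
# attacker emptied the tables would look like (constructed).
WIPED_DUMP = "\n".join(l for l in SAMPLE_DUMP.splitlines() if not l.startswith("INSERT"))

# Assumed minimum set of tables a WordPress restore must contain.
CORE_TABLES = {"wp_users", "wp_posts", "wp_options", "wp_comments"}

CREATE_RE = re.compile(r"^CREATE TABLE `([^`]+)`", re.M)
INSERT_RE = re.compile(r"^INSERT INTO `([^`]+)` VALUES (.*);$", re.M)


def count_tuples(values: str) -> int:
    """Count top-level (...) row tuples in an INSERT ... VALUES list,
    ignoring parentheses and separators that appear inside quoted strings."""
    rows, depth, in_str = 0, 0, False
    i = 0
    while i < len(values):
        ch = values[i]
        if in_str:
            if ch == "\\":
                i += 1                      # backslash escape: skip next char
            elif ch == "'":
                if i + 1 < len(values) and values[i + 1] == "'":
                    i += 1                  # doubled quote '' stays in string
                else:
                    in_str = False
        elif ch == "'":
            in_str = True
        elif ch == "(":
            if depth == 0:
                rows += 1                   # a new row tuple starts
            depth += 1
        elif ch == ")":
            depth -= 1
        i += 1
    return rows


def inspect_dump(dump: str) -> dict:
    """Return {table_name: row_count} for every CREATE TABLE in the dump."""
    tables = {name: 0 for name in CREATE_RE.findall(dump)}
    for name, values in INSERT_RE.findall(dump):
        tables[name] = tables.get(name, 0) + count_tuples(values)
    return tables


def restore_verdict(dump: str) -> tuple[bool, list[str]]:
    """Decide whether the dump is worth restoring: all core tables present and
    wp_users / wp_posts non-empty. Returns (ok, list_of_problems)."""
    tables = inspect_dump(dump)
    problems = [f"missing table {t}" for t in sorted(CORE_TABLES - tables.keys())]
    for t in ("wp_users", "wp_posts"):
        if t in tables and tables[t] == 0:
            problems.append(f"{t} has no rows")
    return (not problems, problems)


if __name__ == "__main__":
    for label, dump in (("snapshot", SAMPLE_DUMP), ("post-wipe snapshot", WIPED_DUMP)):
        print(f"== {label}")
        for table, rows in sorted(inspect_dump(dump).items()):
            print(f"  {table:12s} {rows:6d} rows")
        ok, problems = restore_verdict(dump)
        print("  restore candidate:", ok, problems)
```

Run it against the real file with `inspect_dump(open("backup.sql").read())`; a dump whose core tables are all present but empty is one taken after the damage, so pick an older snapshot rather than loading it.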


#3

Just because there’s an IRC server running on that port doesn’t mean that the server’s been hacked. If I remember correctly, ports below 1024 need to be opened by root, but ports over that (including 31337) can be opened by regular users; in this case, it may just be opened by a client who’s running the program on their account.
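The point above is checkable directly: on Unix only ports 1 to 1023 are reserved for root, so a listener on 31337 says nothing by itself about whether root was involved. The script below is an added example (not from the thread) that classifies a port and then actually tries to bind it on the loopback address as the current user, so that run from an ordinary shell account it shows port 23 refused and port 31337 accepted. The port numbers and the wording of the interpretation are my own.

```python
"""Show which ports an unprivileged account can bind, as a way to judge
whether a listener on a high port implies root access."""
import os
import socket

PRIVILEGED_MAX = 1023   # on Unix, binding 1..1023 needs root (or CAP_NET_BIND_SERVICE on Linux)


def is_privileged_port(port: int) -> bool:
    """True for the root-only port range; port 0 (OS-assigned) is never privileged."""
    return 0 < port <= PRIVILEGED_MAX


def try_bind(port: int) -> tuple[bool, str]:
    """Try to bind a TCP socket on 127.0.0.1:port and release it immediately.
    Returns (bound, reason). Nothing is left listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind(("127.0.0.1", port))
            return True, f"bound port {s.getsockname()[1]}"
        except PermissionError:
            return False, "permission denied (needs root)"
        except OSError as e:          # e.g. already in use by another process
            return False, e.strerror or str(e)


def interpret(port: int) -> str:
    """What a listener on this port tells you about who could have started it."""
    if is_privileged_port(port):
        return "privileged port: the listener was started by root or a root-run service"
    return "unprivileged port: any shell account on the box could have started it"


if __name__ == "__main__":
    print(f"running as uid {os.getuid()}")
    for port in (23, 31337):
        bound, reason = try_bind(port)
        print(f"port {port:5d}: {interpret(port)}; bind attempt: {reason}")
```

The bind test only shows what the current account is allowed to do. To learn who actually owns the existing listener, run `ss -ltnp` or `lsof -i :31337` as root on Linux, which prints the PID and user of the process behind the socket; that is the fact that separates a user-run IRC client from a root-installed service.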


#4

Find out how he got in? I’d try to locate that, too, to ensure it doesn’t happen again.

Did he get in through Wordpress? If so, are you using PHP4?!