Learning While Aging

Web site hacked

My site was hacked on June 28th, 2011 around 8:00pm. How did I find out? Here is the story.

When I tried to access my site after coming back from a vacation, I noticed a PHP error at the bottom of the page like this:

PHP Warning:  Cannot modify header information - headers already sent by (output started at /home/{username}/public_html/blog/wp-content/plugins/all-in-one-seo-pack/aioseop.class.php:221) in /home/{username}/public_html/blog/wp-content/themes/gray-and-square/footer.php(2) : eval()'d code(216) : eval()'d code on line 1

I thought the theme file was somehow corrupted, so I tried to log into my site to fix the theme, and I was surprised that my site kept telling me my credentials were wrong. Finally I decided to reset my password, but was shocked when the password reset email showed that my username was "user". No wonder I could not log into my site.

After I reset my password, I changed the username back to my previous one directly in the database, because WordPress does not allow anyone to change their username.

Since I had not changed the username myself, I was convinced that my site had been hacked, so I investigated the file system further. Not surprisingly, I found a suspicious file named us.php uploaded to my public_html folder. This file gave the hacker full control of my site; here is a screenshot of the file being executed:

[Screenshot: BlogSiteHacked]

The timestamps of the folders show that the "imgs" folder was modified, and indeed there is a file in it that would turn my site into a phishing site. Obviously, there is some security hole that enabled the hacker to upload us.php to my site and then gain full control of it. The question is where the security hole came from. I have always kept up with the latest WordPress release: whenever a new version comes out, I update my site to use it. The only remaining possibility, then, is the third-party plugins I have been using.
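The file-system check described above can be repeated with a script. The following Python scanner is an added example, not code from the original post: it flags PHP files in the webroot that a stock WordPress install does not ship (like us.php), files containing eval/decoder constructs (like the eval()'d code in footer.php), and anything modified after a baseline time. The stock file list, the sample tree and the file contents are constructed for the demonstration, with no real payload.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# PHP files a stock WordPress install ships at the top level (assumption:
# an unmodified install; extend this set for your own deployment).
KNOWN_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-cron.php", "wp-links-opml.php", "wp-load.php", "wp-login.php",
    "wp-mail.php", "wp-settings.php", "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
# Constructs rare in honest theme/plugin code but typical of injected code;
# a hit is a lead to review by hand, not proof of compromise.
SUSPICIOUS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")

def scan_webroot(root, modified_since):
    """Return sorted (relative_path, reason) findings for every file under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.stat().st_mtime >= modified_since:
            findings.append((rel, "modified after baseline"))
        if path.suffix != ".php":
            continue
        if path.parent == root and path.name not in KNOWN_ROOT_PHP:
            findings.append((rel, "unexpected PHP file in webroot"))
        if SUSPICIOUS.search(path.read_bytes()):
            findings.append((rel, "eval/decoder construct"))
    return sorted(findings)

def build_sample_tree():
    """Create a constructed, inert WordPress-like tree; returns (root, baseline)."""
    root = Path(tempfile.mkdtemp())
    theme = root / "wp-content" / "themes" / "gray-and-square"
    theme.mkdir(parents=True)
    month_ago = time.time() - 30 * 86400
    for path, body in ((root / "index.php", b"<?php require 'wp-blog-header.php';"),
                       (theme / "header.php", b"<?php wp_head(); ?>")):
        path.write_bytes(body)
        os.utime(path, (month_ago, month_ago))  # legitimate files: old timestamps
    # Constructed injections written "now": an eval of an encoded string in the
    # theme footer, and a stray PHP file dropped into the webroot.
    (theme / "footer.php").write_bytes(
        b"<?php /* constructed */ eval(base64_decode('Q09OU1RSVUNURUQ=')); ?>")
    (root / "us.php").write_bytes(b"<?php /* constructed placeholder, no payload */ ?>")
    return str(root), time.time() - 86400  # baseline: anything touched in the last day
```

Running `scan_webroot(*build_sample_tree())` reports us.php and footer.php and nothing for the untouched files; against a real site, pass the webroot and the last time you knowingly changed it as the baseline.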

Here are the plugins I use in my WordPress blog:

  • Akismet
  • All in One SEO Pack
  • cforms
  • MCEComments

To me, the vulnerability most likely came from All in One SEO Pack, though I am not 100% sure. It seems that someone else has already complained about security vulnerabilities in this plugin. You can check here.

Now my site is back and running with All in One SEO Pack disabled. I will be more careful in the future when choosing a third-party plugin for my site.