Hacked by Shit Eater OO7 (51 posts)

  1. demonicume
    Member
    Posted 16 years ago #

    i awoke to a dozen alerts in my inbox. i checked my site and it said:
    'HACKED BY SHIT EATER 007'

    it looks like my DBs are still intact and all my files are still on the server.

  2. demonicume
    Member
    Posted 16 years ago #

    more info. the index.php to my main file has been overwritten. for some reason i can't access the rest of the blogsite. when i try to access other blogs (subdirectories), i get redirected to wp-signup.php

    i think i was actually infiltrated before the last release. odd posts were showing up in my archives. mine is a sports site, but people were coming to my site after having searched for WEP Hacks, etc. i changed everyone's email address, upgraded and moved on.

    as i asked before, any ideas?

  3. demonicume
    Member
    Posted 16 years ago #

    replaced index.php with original file. got this message:

    -No WPMU site defined on this host. If you are the owner of this site, please check Debugging WPMU for further assistance.-

  4. demonicume
    Member
    Posted 16 years ago #

    now my databases are gone too. before i use my back up, does anyone have an idea of how this happened? is this the vulnerability in 1.2.1 that was posted about a few weeks back?

  5. drmike
    Member
    Posted 16 years ago #

    Best thing would be to check the box's logs (i.e. webserver, firewall, etc.) to see what occurred. The index.php file should be timestamped with the last time it got modified. That should be a starting point time-wise.

  6. drmike
    Member
    Posted 16 years ago #

    Issue with the xmlrpc file I bet:

    http://wordpress.org/support/topic/120857

    Fixed in the most recent update:

    http://trac.mu.wordpress.org/changeset/994
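
The two suggestions above (start from the modification time of index.php, then look at the web server log for xmlrpc activity) can be combined into one check. This is an added example, not code from any poster or from WPMU; the log lines, addresses and timestamp are constructed, and the helper names are hypothetical.

```python
import os
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample lines (Apache combined format, documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jun/2007:03:10:02 +0000] "GET /wp-signup.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2007:03:14:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
203.0.113.20 - - [12/Jun/2007:03:15:05 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2007:03:16:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 388 "-" "-"
192.0.2.44 - - [12/Jun/2007:09:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 150 "-" "WordPress"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def file_mtime(path):
    """Last-modified time of a file as an aware UTC datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def parse_line(line):
    """Return (ip, when, method, path, status), or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)

def posts_near(log_text, modified_at, minutes=30, target="/xmlrpc.php"):
    """POST requests to `target` within +/- `minutes` of the file change."""
    window = timedelta(minutes=minutes)
    hits = []
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec[2] == "POST" and rec[3].endswith(target) \
                and abs(rec[1] - modified_at) <= window:
            hits.append(rec)
    return hits

def by_client(hits):
    """Count matching requests per client address, busiest first."""
    return Counter(rec[0] for rec in hits).most_common()

if __name__ == "__main__":
    # Constructed modification time; on a real box use file_mtime("index.php").
    defaced_at = datetime(2007, 6, 12, 3, 17, tzinfo=timezone.utc)
    for ip, count in by_client(posts_near(SAMPLE_LOG, defaced_at)):
        print(ip, count)
```

Record the modification time before restoring the file, since replacing index.php overwrites it. Anyone with write access can also reset the timestamp, so treat the window as a starting point and widen it if nothing turns up.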

  7. Farms2
    Member
    Posted 16 years ago #

    Any more news on how they got in?

  8. demonicume
    Member
    Posted 16 years ago #

    nearest i can tell, he got in thru the XML exploit. the only files affected were database files. i got the site back up, and before i could install the patched xmlrpc i was back down. this time, i inserted the patched file into the back upload and i have been good for a few hours now. the old-ass backup i used came before my last edit that mighta opened the site to a vulnerability. i'm thinking that this is it.

    i'll keep you posted and i'll post anything useful from my logs.

  9. suleiman
    Member
    Posted 16 years ago #

    thanks a ton demonicume.

  10. Farms2
    Member
    Posted 16 years ago #

    Glad to hear you're back up and stable.

  11. andrewbillits
    Member
    Posted 16 years ago #

    Maybe now would be a good time to start a wpmu mailing list. I don't look at everything in trac and missed this myself.

  12. demonicume
    Member
    Posted 16 years ago #

    LAST PERSON TO REGISTER BEFORE MY SITE WENT DOWN:
    geo_madrilenu@yahoo.com
    82.79.184.199'

    googling 'shit eater' brought up a bunch of sites that were hacked in similar fashion. he joins, exploits and leaves his card. but he also left an email address and some spam on another site. Seems he also pimps a pre-teen models site in his profile, and the site has a email the webmaster link.

    <a
    href="http://petiteteenagergalleries.com/galleries/">petiteteenagergalleries
    And webmaster email:
    greg@petiteteenager.com

    used the IP of his site 146.82.206.40 and did a whois on Network Solutions page:
    http://www.networksolutions.com/whois/results.jsp?domain=petiteteenager.com

    he's some bored SOB in Westchester, CA

    then i got the site back w/o the xmlrpc patch. he sent me an email with my own mass mailer and then bashed the site again:

    'realsportsbloggers.com and all its hosted blogs have been hacked by 'SHIT EATER 007'

    Database has successfully backed-up. It will soon be shared and uploaded online.

    Have a nice day!'

    got the site back up and stable with the patch. i've WPMU banned both of his IPs. looking at my logs, he'd tried to access the site a bunch of times... i'll post more info when i find it.

  13. drmike
    Member
    Posted 16 years ago #

    82.79.184.199 is in Romania for reference.

    I actually get Waltham, Massachusetts for the 146.* address.

  14. demonicume
    Member
    Posted 16 years ago #

    my bad, i was talking about the location of the supposed administrator.

  15. deanmundy
    Member
    Posted 16 years ago #

    My Blog http://thoughtfulconservative.wordpress.com has also been hacked and I have no way of regaining control, since the email I log on with (a Gmail account) is out of my control also (According to logins, the email account does not exist). Could there be some correlation? Or is this coincidence?

  16. lunabyte
    Member
    Posted 16 years ago #

    Better be asking the folks at WordPress.com.

  17. demonicume
    Member
    Posted 16 years ago #

    'I have no way of regaining control, since the email I log on with (a Gmail account) is out of my control also'

    it won't work. you need to restore your DB, and patch whatever hole he found.

  18. lunabyte
    Member
    Posted 16 years ago #

    Which, noting the address, is a wp.com issue. (cough cough).

    @andrew...

    Been thinking about exactly that. Or something along the same line.

    In the past couple of days, I've considered putting up a small forum specifically for the discussion of advanced MU topics, issues, etc.

    Not like to exclude the deal here, but someplace where a group of folks can collaborate on things without having to wade through tons of non-tech/low-end types of posts and such.

    Something where we can essentially skip having 4 pages of discussing a solution, and end up with a single post here instead, which in turn will make it easier for people to find the answer to something.

    Kinda like an aside to a conversation, then as things are resolved and such they can be added into the forum here as a brief synopsis, added to trac, or whatever.

    No special domain or anything super fancy, just a little hole in the wall with a single purpose.

  19. andrea_r
    Moderator
    Posted 16 years ago #

    count me in.

  20. lunabyte
    Member
    Posted 16 years ago #

    Cool.

    I'm setting it up at the moment, while I wait on a client to get back to me.

    Like I said, nothing fancy. I 'might' blend it with my main theme, but maybe not. I dunno yet. Might just stick with a stock theme, and 'fuh-get abou tit'.

  21. drmike
    Member
    Posted 16 years ago #

    Which, noting the address, is a wp.com issue. (cough cough).

    Probably guessed the password. Be sure to send in an email to support and let them know what occurred.

    Would you rather do a mail list? Might be easier to deal with instead of yet another forum.

    Maybe we can get matt to do a wpmu-forums one like the wp.org one. (I'd say org/com but I think I'm the only wp.com person on there)

  22. lunabyte
    Member
    Posted 16 years ago #

    Ah, that's the "genius" behind it.

    It does both.

    It can send out notifications, so something can be pushed out quickly (like the xmlrpc issue, or a new release notification), plus there is the conversation aspect.

    Plus, it has other capabilities as well.

    It's all set-up, unofficially supported, and ready to use.

    Only thing I ask is that folks register using the same username they have here. You can set the displayed name to whatever, but I'd (personally) like to keep a little bit of identification so people won't have to remember that "fred" over here is "killerClownOnAmission" over there. (me = Luke, my current username here is deprecated, lol)

    Like I said, nothing special, but I can see it helping at least. Even if it's only that discussions are hashed out to a solution, and then posted here so that someone doesn't have to dig through 6 pages to figure out the final solution.

    As a note, it is for advanced discussion.
    That being said, have at it.

    Edit
    Oh yeah, the search function will be quite useful (once there is content). he he he

  23. andrea_r
    Moderator
    Posted 16 years ago #

    Man, you type like a girl. :D "killerClownOnAmission" ??? there goes my next username...

  24. lunabyte
    Member
    Posted 16 years ago #

    Heh. I was being sarcastic.

    It's all good, eh?

  25. andrea_r
    Moderator
    Posted 16 years ago #

    Well, *yeah*. :P

  26. lunabyte
    Member
    Posted 16 years ago #

    It all comes around... he he he...

  27. mzmartipants
    Member
    Posted 16 years ago #

    Can someone please change the title of this post? It causes me to go into fits of laughter. If I have some kind of stroke from it, I'm gonna sue. :p

  28. lunabyte
    Member
    Posted 16 years ago #

    <rolls eyes>

    Actually, that's what's left behind. So, I'd consider it relevant for someone that has the same issue.

    It is funny though. lol

  29. mzmartipants
    Member
    Posted 16 years ago #

    I don't WANT it to be funny, it just is. Someone searching the forums for "shiteater" makes me laugh even harder!

    Um. You guys really should have some kind of disclaimer.

  30. lunabyte
    Member
    Posted 16 years ago #

    Well, if you woke up to that on your MU site, wouldn't that be what you search for?

About this Topic

  • Started 16 years ago by demonicume
  • Latest reply from andrea_r