
Dreamhost's WPMU site has been hacked (2 posts)

  1. jolaus
    Member
    Posted 16 years ago #

    Hi all

    Last Friday I received an e-mail from Dreamhost staff telling me that my hosting server was crashing a bit too frequently. They said that it appears to be over-utilization of the
    CPU processing time. They sent me some information that I did not understand very well. Something like this:

    "The entire server should be at no more than 2000cp so being at almost
    800cp is around 40% (that's not really appropriate for shared hosting). I
    did some investigating as it's quite often a bad IP or bot
    (http://wiki.dreamhost.com/Finding_Causes_of_Heavy_Usage) and found this:

    28 86.143.167.201
    29 209.189.130.130
    29 86.157.244.107
    32 84.40.22.45
    35 89.123.151.254
    46 66.249.66.35
    106 85.86.111.31
    147 91.3.218.212
    9274 208.113.244.19

    scipio: 04:25 PM# pwd
    /home/jlacalle/logs/jakintzazu.net/http

    That IP is your own apache server - it should never show up in your
    access.log and the fact that it is there indicates that you have a loop
    in your code (perhaps on your index page somewhere that it references
    itself) or in your .htaccess file for the site if you have one. This
    causes major performance issues and so I have had to disable the domain
    until you can correct this."

    So I checked my site via FTP and I was very surprised when I found in the root some folders named i-play.org, mpva.com.au, saru-san.com and spam1999.sytes.com that had never been there. I also found another one named Maildir with three subfolders: cur, new and tmp. The second one was full of strange files with strange names (1201111203.V1bI31e335e.scipio.dreamhost.com, for example). Finally, inside my WPMU installation folder I found a very strange file named "Core" that has no relation to WPMU.

    I have never been in a similar situation but I think that this means that my site was hacked.

    I have deleted all those shitty folders, I have updated WPMU to the latest version (from 1.2.5a to 1.3), I have changed my admin access password, but the issue isn't fixed yet.

    This is the first time that I have to face up to something like this. This morning I've made a database copy and another one of the entire site.

    So what do you think is the best way to fix this problem? What can I do? Any help would be appreciated.
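The check the Dreamhost staff describe (count access-log hits per client IP and see whether the server's own address shows up) can be scripted. This is an added example, not code from the thread or from Dreamhost; the log lines and the addresses 203.0.113.10 (standing in for the site's own web server), 198.51.100.7 and 192.0.2.44 are constructed.

```python
import re
from collections import Counter

# Constructed sample of Apache combined-format access log lines (not taken
# from the thread). 203.0.113.10 plays the role of the site's own server.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2008:16:20:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Feb/2008:16:20:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Feb/2008:16:20:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2008:16:20:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Feb/2008:16:20:04 +0000] "GET /feed/ HTTP/1.1" 200 3400 "-" "FeedFetcher"
198.51.100.7 - - [10/Feb/2008:16:20:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def count_by_ip(log_text):
    """Requests per client IP, the same tally as `awk '{print $1}' | sort | uniq -c`."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def top_talkers(log_text, n=5):
    """The n highest-volume client IPs as (ip, count) tuples, busiest first."""
    return count_by_ip(log_text).most_common(n)


def self_requests(log_text, server_ips):
    """Requests whose client address is one of the server's own IPs.

    A server should not appear as a client in its own access log; hits here
    mean it is fetching itself (a redirect or include loop, a script calling
    its own site). The distinct request lines point at the looping URL.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("ip") in server_ips:
            hits.append(m.group("req"))
    return len(hits), set(hits)


if __name__ == "__main__":
    print(top_talkers(SAMPLE_LOG))
    print(self_requests(SAMPLE_LOG, {"203.0.113.10"}))
```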

  2. SteveAtty
    Member
    Posted 16 years ago #

    It does sound like you were hacked. I suspect that if WPMU had such a big hole in it then it would be going down all over the place.

    Sounds more like a host misconfiguration leaving a big security hole.

    All my WPMU files and directories (apart from those needed for uploads and cache etc) are not owned by the apache runtime user.
