Routed

I’ve been working all weekend to seal up the leaks in MT.Net. I feel I’m at a point where things are pretty much back to normal. Passwords have been changed, databases scanned, files examined, and all possible patches have been applied. I went far beyond simply fixing WordPress: updating the operating system was long overdue, so I did the whole nine yards.

Lessons learned? Whenever strange behavior presents itself, don’t stop hunting until you’re sure you’ve found it all. Sometimes this means ruling every possible thing out, as it’s very tough (and also very foolish) to say “I’m secure.” Only time can answer that.

If you run a WordPress site, fire up a MySQL session and run this query:

select * from wp_users where user_login='WordPress';

If you find a “WordPress” user, delete it. It doesn’t belong there.

delete from wp_users where user_login='WordPress';

Also, you should not have entries in your user table with invalid dates. Delete any users that this query brings back:

select * from wp_users where user_registered like '%0000%';
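As an added example (not from the post), the two checks above combined into a single review pass, followed by a guarded cleanup. It assumes the default wp_ table prefix and goes one step beyond the post by also flagging accounts registered "in the future", listing who holds the administrator capability, and removing the flagged users' wp_usermeta rows, which a plain delete from wp_users leaves orphaned.

```sql
-- Added example, not from the post. Assumes the default "wp_" table
-- prefix; with a custom prefix, rename the tables and the
-- "wp_capabilities" meta_key (its prefix follows the table prefix).

-- 1. Review first, delete second: flag the two signs the post describes
--    (a rogue "WordPress" login, a zero/garbage registration date) plus
--    any account whose registration date lies in the future.
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       CASE
         WHEN u.user_login = 'WordPress'      THEN 'rogue login name'
         WHEN u.user_registered LIKE '%0000%' THEN 'invalid registration date'
         WHEN u.user_registered > NOW()       THEN 'registration date in the future'
       END AS reason
FROM wp_users AS u
WHERE u.user_login = 'WordPress'
   OR u.user_registered LIKE '%0000%'
   OR u.user_registered > NOW();

-- 2. Who can administer the site? Roles live in wp_usermeta as a
--    serialized PHP array, so match on the substring and eyeball the list.
SELECT u.ID, u.user_login, m.meta_value
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%';

-- 3. Keep a copy of what you remove, then drop the flagged accounts and
--    their metadata together (deleting from wp_users alone leaves orphaned
--    wp_usermeta rows behind). CREATE TABLE commits implicitly in MySQL,
--    so it runs before the transaction starts.
CREATE TABLE IF NOT EXISTS wp_users_quarantine LIKE wp_users;
START TRANSACTION;
INSERT INTO wp_users_quarantine
  SELECT * FROM wp_users
  WHERE user_login = 'WordPress' OR user_registered LIKE '%0000%';
DELETE m FROM wp_usermeta AS m
  JOIN wp_users AS u ON u.ID = m.user_id
  WHERE u.user_login = 'WordPress' OR u.user_registered LIKE '%0000%';
DELETE FROM wp_users
  WHERE user_login = 'WordPress' OR user_registered LIKE '%0000%';
COMMIT;
```

On MyISAM tables (the default for older WordPress installs) the transaction is a no-op, so the quarantine copy is the only undo; take a full database dump before running step 3.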

I found this page to be useful for the final cleanup.

If you’ve got an MT.Net account (for posting comments, for instance), please take a moment to change it.

Restored

It’s been a busy weekend here at MT.Net. I’ve been cleaning up the MT.Net webhost after some script kiddies went wild with an exploit. I have a hunch the kiddies attacked an exploit in the Bad Behavior plugin, as the only blogs on my site that were running the BB plugin were the only ones that got pwned. There was a time when the BB plugin started acting funky and needed an upgrade, and BB would be an obvious target for the bad guys. Fortunately I had copious backups. (I find it interesting that the BB website is offline at the moment.)

If y’all see anything out of place, give me a holla. It’s possible I missed something.