
Routed

I’ve been working all weekend to seal up the leaks in MT.Net. I feel I’m at a point where things are pretty much back to normal. Passwords have been changed, databases scanned, files examined, and all possible patches have been applied. I went far beyond simply fixing WordPress: updating the operating system was long overdue, so I did the whole nine yards.

Lessons learned? Whenever strange behavior presents itself, don’t stop hunting until you’re sure you’ve found it all. Sometimes this means ruling every possible thing out, as it’s very tough (and also very foolish) to say “I’m secure.” Only time can answer that.

If you run a WordPress site, fire up a MySQL session and run this query:

select * from wp_users where user_login='WordPress';

If you find a “WordPress” user, delete it. It doesn’t belong there.

delete from wp_users where user_login='WordPress';

Also, you should not have entries in your user table with invalid dates. Delete any users that this query brings back:

select * from wp_users where user_registered like '%0000%';
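
The checks above can be combined into one review-then-remove pass. This is an added example, not part of the original post; it assumes MySQL, the default "wp_" table prefix (so the role key is 'wp_capabilities'), and a hypothetical evidence table named wp_users_quarantine.

```sql
-- Added example. Assumes the default "wp_" prefix; wp_users_quarantine is a
-- hypothetical table name chosen for this example.

-- 1. List accounts matching either indicator, with their role data for review.
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       m.meta_value AS capabilities
FROM wp_users u
LEFT JOIN wp_usermeta m
       ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
WHERE u.user_login = 'WordPress'
   OR u.user_registered LIKE '%0000%';

-- 2. Keep a copy of the flagged rows as evidence before removing anything.
--    The date is stored as text so the copy also works when the server
--    rejects zero dates (strict SQL mode).
CREATE TABLE wp_users_quarantine AS
SELECT ID, user_login, user_email,
       CAST(user_registered AS CHAR) AS user_registered
FROM wp_users
WHERE user_login = 'WordPress'
   OR user_registered LIKE '%0000%';

-- 3. Check whether any content is attributed to the flagged accounts.
SELECT ID, post_title, post_status, post_date
FROM wp_posts
WHERE post_author IN (SELECT ID FROM wp_users_quarantine);

-- 4. Remove the metadata (roles, settings) first, then the accounts.
DELETE FROM wp_usermeta
WHERE user_id IN (SELECT ID FROM wp_users_quarantine);

DELETE FROM wp_users
WHERE ID IN (SELECT ID FROM wp_users_quarantine);

-- 5. Confirm nothing matching is left; this should return 0.
SELECT COUNT(*) AS remaining
FROM wp_users
WHERE user_login = 'WordPress'
   OR user_registered LIKE '%0000%';
```

Deleting only the wp_users row leaves the account's wp_usermeta rows behind, which is why step 4 clears them first.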

I found this page to be useful for the final cleanup.

If you’ve got an MT.Net account (for posting comments, for instance), please take a moment to change it.