So you might have noticed I was hacked pretty nastily on this site and a couple of others. I’d taken my eye off the ball and not done a really close inspection of my WordPress installs in a while, as well as being a bit lax about updating the moment a new version was out.

So What Actually Happened?

A couple of files had been snuck into the theme and plug-in directories; these allowed the uploading and editing of other files. If you find files named r.php or temp.php anywhere in your WordPress install, you might want to check on them.

Through these, a file called function.php was added, full of eval calls and base64-encoded code. The regular WordPress functions.php and load.php had been modified to include this function.php file, which then replaced the normal blog content with all manner of spam.

The Cleanup

With the help of the fine folks at Sucuri, all the corrupted files were put back to normal and the backdoors plugged. I also deleted all unused themes & plugins (unfortunately the otherwise very useful Dreamhost One Click Installs do litter the place with “extras” you might neither want nor need).

For anyone investigating similar hacks, the Linux command to find recently edited files is find . -mtime -1. This lists anything modified in the last day (replace the 1 with the number of days you want to look back). Although file modification times can be tampered with, a cron job that checks for recently modified files is a helpful way to keep an eye on things.
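As an added example (not part of the original post), here is a small POSIX shell audit script built around that find command: it lists files modified in the last N days and flags the two backdoor filenames mentioned above plus any PHP file combining eval with base64_decode. The script path and WordPress directory in the cron line are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own code. Recent-change audit for a
# WordPress install; the patterns below are assumptions based on the post.

# List regular files under directory $1 modified within the last $2 days.
recent_files() {
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# Among recently modified files, print the ones worth a closer look:
# NAME = a filename the post associates with the backdoors,
# EVAL = a PHP file using both eval( and base64_decode( (the injected
#        function.php described in the post).
suspicious_recent() {
    recent_files "$1" "$2" | while IFS= read -r f; do
        case "$(basename "$f")" in
            r.php|temp.php) echo "NAME $f"; continue ;;
        esac
        case "$f" in
            *.php)
                if grep -Iq 'eval *(' "$f" && grep -Iq 'base64_decode *(' "$f"; then
                    echo "EVAL $f"
                fi ;;
        esac
    done
}

# Number of findings; handy for a cron job that only mails when non-zero.
count_findings() {
    suspicious_recent "$1" "$2" | wc -l | tr -d ' '
}

# Example daily cron entry (assumed script path and install directory):
#   0 6 * * * /usr/local/bin/wp-audit.sh /var/www/wordpress 1
if [ -n "${1:-}" ]; then
    suspicious_recent "$1" "${2:-1}"
fi
```

Modification times can be reset by whoever planted the files, so treat an empty report as "nothing obvious" rather than "clean" and pair it with a checksum comparison against a known-good copy.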

Useful Links

We’re in Cork this week, celebrating our anniversary and looking forward to both the Rugby World Cup quarterfinals and a close friend’s wedding at the weekend. We’ve never visited here before so it’s been nice to explore the city … and to eat our way round it!

Food so far has not disappointed, with an excellent pancakes with bacon & banana breakfast at Liberty Grill and a gorgeous ribeye steak at Strasbourg Goose particular highlights. Intending to keep up the gastronomic exploration over the coming days…