Fixing my hacked WordPress database

I decided to write a quick recap on what I did to fix my WordPress database. Excuse me while I put my <Geek> hat on! Basically the perpetrator put in some malicious code that would execute every time an entry was viewed. The code bounced the end user to the perpetrator’s website (in my case, RootinG SabotagE ForceD). I took down WordPress before more damage could be done by renaming the index.php to index.old.

Step 1
Export your WordPress database so that you can edit the file manually. It may seem quite intimidating, but with the proper text editor it can be much easier to follow.

Step 2
Open up your WordPress database in a text editor. Again, I can’t recommend Context enough! It formats the document so that it is much easier to read/follow. The tabbed editing is also great to compare two files (which is how I ultimately solved the problem). Once you see the contents do a search for the webpage to which your users are being re-directed. In my case, I did a search for “rooting” which immediately brought me to the first hacked section.

`wp_categories` VALUES (1, 'Hacked By RootinG SabotagE ForceD || From Turkey', 'general', 'General nonsense.', 0, 14, 0, 0, 0);

As this is a “wp_categories” entry, I knew it had to be one of my categories. This one was easy, all I needed to do was substitute the hacked text with my actual category name – in this case, “general”.

`wp_categories` VALUES (1, 'General', 'general', 'General nonsense.', 0, 14, 0, 0, 0);

Fixed! My second category was also hacked, so I fixed that one in the same manner.

The next search for “rooting” brought me to the following:

`wp_options` VALUES (1, 0, 'siteurl', 'Y', 1, '', 20, 8, 'meta http-equiv="Refresh" content="1;URL="', 1, 'yes');

As the “siteurl” gets executed on every page view – the malicious code (in bold) executed no matter where you went! Again, the fix was quite simple, replace the bad with the good!

`wp_options` VALUES (1, 0, 'siteurl', 'Y', 1, '', 20, 8, 'WordPress web address', 1, 'yes');

The “wordpress web address” text I got from looking at a known good database. The blog name and blog description were also modified, and easy to fix. But there was one more piece of code to fix.

`wp_users` VALUES (1, 'mNt', '7a1762814efa069678b1c7bf1ced4bed39b58439', 'administrator', '', '', '2005-07-06 13:25:53', '7a1762814efa069678b1c7bf1ced4bed39b58439', 0, 'mNt');

This piece of code changed the admin username to mNt as well as the admin password. Luckily I had an old database backup that I used to replace it.

`wp_users` VALUES (1, 'admin', 'cec315e3d0975e5cc2811d5d8725f149', 'administrator', '', '', '2005-07-06 13:25:53', '', 0, 'Pablo');

If the database works the way I think it does, using the above code cec315… should change your admin password to “fixed”. I would suggest you change it as soon as you get WordPress back up and running! The above were the only instances of hacked info that I was able to find. In the end, the database was a lot less screwed up than I had expected! I would search the database a few more times for any words similar to the website your users are being forwarded to.

Step 3
Restore your WordPress database following the directions in the link provided. Once the process has completed, try logging into your database admin panel using “fixed” as your password: http://www.wpblog/wp-admin

Change your admin password immediately and hopefully you are up and running!

It wasn’t quite as difficult as I had feared, and I hope that others find this guide useful if they have a similar problem with their WordPress blog! My hunch is that security was compromised because my old host had not kept up with security updates… but who knows, all I know is I’m glad it’s back up and running!
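The manual search in Step 2 can also be scripted. The following is an added example, not part of the original post: it scans an exported dump for rows containing a search keyword, redirect or script markup, or a siteurl value that is not a plain URL. It assumes one row per INSERT statement and the wp_options column positions seen in the rows above; the sample rows and redirect.example are constructed placeholders.

```python
import re

# Markers of injected redirect or script content in a stored value.
MARKUP = re.compile(r"http-equiv|<\s*(?:script|iframe)|window\.location", re.I)
# One dump row: `table` VALUES (...); with or without the INSERT INTO prefix.
ROW = re.compile(r"`(\w+)`\s+VALUES\s*\((.*)\)\s*;")
# A single-quoted SQL string (\' or '' escapes) or a bare number/NULL.
FIELD = re.compile(r"'((?:[^'\\]|\\.|'')*)'|([^,\s][^,]*)")

# Constructed sample modelled on the post's rows; redirect.example is a placeholder.
SAMPLE = """\
INSERT INTO `wp_categories` VALUES (1, 'Hacked By RootinG SabotagE ForceD || From Turkey', 'general', 'General nonsense.', 0, 14, 0, 0, 0);
INSERT INTO `wp_categories` VALUES (2, 'Photos', 'photos', '', 0, 3, 0, 0, 0);
INSERT INTO `wp_options` VALUES (1, 0, 'siteurl', 'Y', 1, '', 20, 8, 'meta http-equiv="Refresh" content="1;URL=http://redirect.example/"', 1, 'yes');
INSERT INTO `wp_options` VALUES (2, 0, 'blogname', 'Y', 1, '', 20, 8, 'It''s my blog', 1, 'yes');
"""


def parse_fields(values):
    """Split the text inside VALUES (...) into a list of raw field strings."""
    return [bare.strip() if bare else quoted for quoted, bare in FIELD.findall(values)]


def scan_dump(sql_text, keywords=()):
    """Return (line_no, table, reason) for each suspicious row, one row per line."""
    findings = []
    for no, line in enumerate(sql_text.splitlines(), 1):
        m = ROW.search(line)
        if not m:
            continue
        table, fields = m.group(1), parse_fields(m.group(2))
        if any(MARKUP.search(f) for f in fields):
            findings.append((no, table, "markup in field"))
        for kw in keywords:
            if any(kw.lower() in f.lower() for f in fields):
                findings.append((no, table, "keyword: " + kw))
        # Assumed layout, from the post's wp_options rows: name at 2, value at 8.
        if table == "wp_options" and len(fields) > 8 and fields[2] in ("siteurl", "home"):
            if not re.match(r"https?://[^\s'\"<>]+$", fields[8]):
                findings.append((no, table, fields[2] + " is not a plain URL"))
    return findings


if __name__ == "__main__":
    for finding in scan_dump(SAMPLE, ["rooting"]):
        print(finding)
```

Run it against both the cleaned dump and a known good backup; the cleaned dump should produce no findings before it is restored.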

Not dead yet!

Back from the dead! I was able to resurrect the full database, so no entries have been lost! As it turns out, the database was hijacked and every post sent to that crazy website. I’m assuming it’s from my previous host’s incompetence… but I’m thrilled that Host Maven helped get me back up and running!

As it turns out, it was a simple line of code that caused it all – a bit of detective work got me going again! I’ll post the fix tonight as I hope to help others who have been hijacked the same way!

Good to be back!

What do we do now?!

I can’t believe this actually exists! I told TK that Homeland Security was going to recruit him to be a part of the First Encounter Assault Recon team based on his adept gameplay skillz. Which immediately got me thinking about The Last Starfighter (<geek> as I told him he would be battling the Kodan Armada and that the guy’s codename was Centauri </geek>). So off on a tangent I do a Google search and I find a link to download the full version of the never released game! Download the Last Starfighter here! Fantastic!

Meet me on the steps of the Art Institute

We received another “business card” on Monday and as I was explaining to Bill, he said that the gentleman had stopped by the apartment again and rang the buzzer until Bill came down. They had a quick conversation about our downstairs neighbor (good call Christine!). As everything seemed legit and Mr. Roark told Bill that the process was being held up by this step, I decided to give him a call from my work phone. He didn’t pick up, but called back a few hours later and left a message. When I called him back he said he wanted a face to face meeting, so I told him that I worked downtown near the Art Institute. He said “why don’t we meet at the steps of the Art Institute at 1pm on Friday” – classic! So I should be getting a call from him shortly… I’m going to see if I can take a picture of him waiting for me on the steps. I should have borrowed a trench coat to wear with my sunglasses!

What does Homeland Security want with us!?

I got home last week to find the following business card in my mailbox.

Dave and TK’s mailbox had the same card. What does this mean? Is it about the apartment? Or could it be in regards to somebody we all know?! I intend to find out and report back! Do I call from my cell? Or should I call collect from a pay phone? I’m not sure if this is legit as the card is pretty hokey – so I’d rather call from a pay phone. But at the same time, I feel like if I call from a pay phone I’ll seem like I’m trying to hide something! I am quite curious as to what this is about… I thought about recording the phone call then posting it, but figured I could get into a LOT of trouble…

…so I decided to Google Pat Roark – first entry is Newborn Puppy Tips… umm… doesn’t sound like the Homeland Security type. I guess there is only one way to find out!

So what do you guys think? Call direct or pay-phone?!

If a celebrity falls in the forest…

…do they make a sound? A similar question is if today’s media giants decide not to cover somebody – will that person make the news?

It was only meant to be a weeklong ban — not the boldest of journalistic initiatives, and one, we realized, that might seem hypocritical once it ended. And it wasn’t based on a view of what the public should be focusing on — the war in Iraq, for example, or the upcoming election of the next leader of the free world, as opposed to the doings of a partygoing celebrity heiress/reality TV star most famous for a grainy sex video.

No, editors just wanted to see what would happen if we didn’t cover this media phenomenon, this creature of the Internet gossip age, for a full week. After that, we’d take it day by day. Would anyone care? Would anyone notice? And would that tell us something interesting?

Though this is an interesting experiment, in the end, a week long ban is just that – a week long. I don’t think it will really change the news in any big way. Sure, I didn’t hear about her birthday party in Vegas or Beverly Hills… but, as her life doesn’t interest me at all, I’m sure I wouldn’t have read about it anyway. Maybe it wasn’t thrown out in all of the magazines or newspapers for the world to see, but does anybody really care?

I decided to do a Technorati search to see if there has been less blog “coverage” during the ban:

Posts that contain “Paris Hilton” per day for the last 30 days.

Ok, so maybe there was a bit of a lull – bloggers posting less than 1000 entries per day during that week – it’ll be interesting to see how that changes over time.

Does this show that the media creates these monsters? Does it show that the world only cares about what the media feeds us? An interesting experiment… but wouldn’t we be much better served if they just stopped covering her altogether?

If a celebrity falls in the forest… I don’t really care!