Fixing my hacked WordPress database

I decided to write a quick recap on what I did to fix my WordPress database. Excuse me while I put my <Geek> hat on! Basically the perpetrator put in some malicious code that would execute every time an entry was viewed. The code bounced the end user to the perpetrator’s website (in my case, RootinG SabatogE ForceD). I took down WordPress before more damage could be done by renaming the index.php to index.old.

Step 1
Export your WordPress database so that you can edit the file manually. It may seem quite intimidating, but with the proper text editor it can be much easier to follow.

Step 2
Open up your WordPress database in a text editor. Again, I can’t recommend Context enough! It formats the document so that it is much easier to read/follow. The tabbed editing is also great to compare two files (which is how I ultimately solved the problem). Once you see the contents do a search for the webpage to which your users are being re-directed. In my case, I did a search for “rooting” which immediately brought me to the first hacked section.

`wp_categories` VALUES (1, 'Hacked By RootinG SabotagE ForceD || From Turkey', 'general', 'General nonsense.', 0, 14, 0, 0, 0);

As this is a “wp_categories” entry, I knew it had to be one of my categories. This one was easy, all I needed to do was subtitute the hacked text with my actual category name – in this case, “general”

`wp_categories` VALUES (1, 'General', 'general', 'General nonsense.', 0, 14, 0, 0, 0);

Fixed! My second category was also hacked, so I fixed that one in the same matter.

The next search for “rooting” brought me to the following:

`wp_options` VALUES (1, 0, 'siteurl', 'Y', 1, '', 20, 8, 'meta http-equiv="Refresh" content="1;URL="', 1, 'yes');

As the “siteurl” gets executed on every page view – the malicious code (in bold) executed no matter where you went! Again, the fix was quite simple, replace the bad with the good!

`wp_options` VALUES (1, 0, 'siteurl', 'Y', 1, '', 20, 8, 'WordPress web address', 1, 'yes');

The “wordpress web address” text I got from looking at a known good database. The blog name and blog description were also modified, and easy to fix. But there was one more piece of code to fix.

`wp_users` VALUES (1, 'mNt', '7a1762814efa069678b1c7bf1ced4bed39b58439', 'administrator', '', '', '2005-07-06 13:25:53', '7a1762814efa069678b1c7bf1ced4bed39b58439', 0, 'mNt');

This piece of code changed the admin username to mNt as well as the admin password. Luckily I had an old database backup that I used to replace it.

`wp_users` VALUES (1, 'admin', 'cec315e3d0975e5cc2811d5d8725f149', 'administrator', '', '', '2005-07-06 13:25:53', '', 0, 'Pablo');

If the database works the way I think it does, using the above code cec315… should change your admin password to “fixed”. I would suggest you change it as soon as you get WordPress back up and running! The above were the only instances of hacked info that I was able to find. In the end, the database was a lot less screwed up than I had expected! I would search the database a few more times for any words similar to the website your users are being forwarded to.

Step 3
Restore your WordPress database following the directions in the link provided. Once the process has completed, try logging into your database admin panel using “fixed” as your password: http://www.wpblog/wp-admin

Change your admin password immediately and hopefully you are up and running!

It wasn’t quite as difficult as I had feared, and I hope that others find this guide useful if they have a similar problem with their WordPress blog! My hunch is that security was compromised because my old host had not kept up with security updates… but who knows, all I know is I’m glad its back up and running!

3 thoughts on “Fixing my hacked WordPress database”

  1. Hey, thanks for the post. My WP got hacked too. It appears to be the database as well. So I basically did what you did, renamed the index.php and will follow your steps to search and repair the dB.


Leave a Reply

Your email address will not be published. Required fields are marked *