Don’t Panic

As I’ve mentioned in my January Top Entrecard Dropper’s post, my wife’s blog including the forum was hacked. I was promoting the site to one of my friend in Singapore when I noticed the main page was showing a different page. Being a technical guy, I did not panic but I was so concerned about the data of the site, most specially the forum. And to top it all, I don’t want to face  the ire of my wife if she learns about the hacking.

Report to the Authority

I have no recourse but to report what happened to her blog. To my surprised, I did not hear any “furious winds” from her.

First Step: Damage Assessment

The moment I’ve learned about the hacking incidence, I immediately called our webhost provider if they can do something about it. They replied that they have encountered the same problem before and they recommended to upgrade the WordPress version that PinayMom are using.

I downloaded the latest WordPress 2.7. from WordPress.org and  strictly followed to the letter the instructions on upgrading WordPress.  I deleted everything except for the wp-content folder , that’s the where the plugins and themes folders are located, and I was extra careful to preserve wp-config.php as well.

Unfortunately, the trick didn’t work. After the supposed “upgrade”, the problem still remained. The “hacked” pages is still being shown on the blog and on the forum main page. I could not even login to the wp-admin page!

Check Other Criminal Profiles

I turned to Mr. Google to find the same pattern of hacking, but Mr. G did not return any helpful solutions. It seems my wife’s site was the first victim of this group of hackers.

I even checked some of the entry on the MySQL database, if there were inserts or new table that were created  but I could not find any trace.

After 2 or 3 more sleepless nights, I decided to delete everything, including the plugins, themes and all the root pages except wp-config.php which I know contains the database configurations of the site. Lo and behold, the hack was still there even if I uploaded a new copy of WordPress 2.7.

Still Clueless

I was clueless on what to do.

Finally, I decided to put everything offline. I was determined to create a new database. I copied wp-config.php locally and just change the content on it to reflect the new database configuration that I was about to create.

Crime Scene Evidence

And to my surprised, when I opened wp-config.php, I noticed the content was changed. It was totally altered! Not only it was modified, but the wordpress database configuration was all gone! What the ….!

Boom! Gotcha!

The hackers hacked the the wp-config.php file. Their fingerprints was all over the crime scene. They’ve totally messed up the file. Below is the image of the crime scene.

Scene 1:
Scene 2:

The hackers knew what file they needed to hack in order to be undetected, far from the radar sight, knowing that a user won’t change or delete the wp-config.file. As you can see, I was so careful not to touch wp-config.php file. Aside from the wp-content folders, wp-config.php is the last file that you wouldn’t suspect the hackers will use to do their dirty job.

Recovery: Solutions

And this is where the good backup works! Good thing, I have a local copy of this file on my hard disk.

Not only I upgraded the wordpress to 2.7.1., I am now regularly backing up all my blogs. So I suggest to all bloggers and website owners not to take the backup lightly.

Blogging is fun but don’t let the hackers destroy your work. Keep your blog in top and working condition!