On August 20, I recieved an email from my hosting provider (www.Arvixe.com) saying they deleted something bad from my directory and I was likely part of a phishing scheme. When I went to the website every page said: "hacked by Hwins2005" Bummer....
So here I am on August 23 after 20 hours of deep dives into WordPress, (opening more PHP files than God intended), a bit of Apache, every tool CPanel offered and I'M BACK! I still have a ticket with my provider which is making it's way up the queue.
This is a record of those lovely hours. I hope it is helpful for anyone that has to go through it. First however is the emotional aspect... it is a mini version of a feeling I had many years ago when my house was broken into. A feeling of invasion, violation of personal space and anger. People have this feeling and it is why privacy is manifesting itself politically, whether it's the NSA, Scott McNealy's 2009 quote: "You Have Zero Privacy Anyway. Get Over It" or Facebook data-mining your friends to get a better credit score on you... GET THE F*%$ OUT OF HERE!
So here's what I did:
TRY TO FIX THE EXISTING SITE
- Read about the first 6 or 7 search items on "WordPress Hacked" (half were advertisements)
- Logged into wp-admin and realized that my backup settings were not scheduled and my backup was months old (while fearing I was doing something bad by logging in)... more Bummer
- Ran a backup because the searches said to
- Downloaded a malware plugin and ran it ( $ to get the fix-it plugin)
- Deleted that plugin then downloaded and ran another ( $ to get the fix-it plugin)
- Ditto for that plugin
- Spent some time cruising WP directories and opening files hoping for a hail mary
- Gave up
ABANDON THE EXISTING SITE AND REBUILD ON A STAGING SITE
- Decided to build a "staging version" and was always intrigued what the performance of a WordPress stack would be on my QNAP TS-419U II NAS
- Built a clean MySQL/WordPress/Apache stack on the QNAP and the
performance SUCKED (minutes to do single digit second tasks on my hosting provider)!
- BTW I'm a BIG fan of QNAP and their hardware/software. This server has a Marvell 2GHz single core processor and it just wasn't up to managing the RAID as well as the WP Stack.
- Before the hack I was moving my trading code (C#.Net, C++, Amibroker and Matlab) to the cloud using virtual machines in Virtualbox mixing Win7 and Centos. I intended to automate the configuration and provisioning with Vagrant.
- Great stuff but realizing I was getting far away from fixing my blog, I Gave Up ( ummm..... more like postponed to fix the specific, instead of the general problem )
TRY TO FIX THE EXISTING SITE OR REBUILD AT THE HOSTING PROVIDER
- I started running phpmyadmin browsing the SQL tables and removed a bunch of users, changed my admin account Usernames and Passwords and the character code from UTC-7??? Back to UTC-8.
- Deleted (not just de-activated) all plug-ins except the most basic.
- Without a terminal on CPanel to "grep" my way through all the WP files I kept wondering how long it would take to build a diff tool to compare my site to the WP release on GITHUB. Then I found Anti-Malware and Brute-Force Security by ELI. I installed and ran it.
- The plug-in did not find the problem but gave me about 10 suspect files. I opened them with the CPanel editor and pasted the current GIT versions. When saving, the editor informs whether anything changed, two files had changed.
- I deleted my Theme and reloaded it
- I'M BACK
Whew.... probably saved $250 to have someone clean it for me but I learned alot about WordPress' architecture and improved my CPanel and overall web stack chops. I'll be attempting to harden things more going forward.