Rising from the ruins once again. About a week ago I opened up the site and learned that it had been crapped on by hackers. Here’s what apparently happened, as far as I can piece together from what has been posted online: Network Solutions, where I host this blog, had their file system permissions set up such that users could read each other’s root directories. I connect via FTP and can only see my root directory, but the attackers apparently found a way (SSH or something else) to read other directories on the volume. That let them read the wp-config.php file in my WordPress install, and that let them get the database login and password.

They then overwrote the value of the siteurl option in the wp_options table with the URL of an iframe that sucked in a bunch of links that they wanted to get SEO bumps on. In addition they dropped a file named users.js in the js folder under wp-includes, and that’s probably not all. I didn’t detect any malware installation attempts, but I have seen reports that others who had this hack did have install attempts, so if you visited the site and saw the messed-up homepage I would suggest scanning your system. I’m sorry for any inconvenience that might cause you.

Repairing this mess required reinstalling WordPress, themes, and plugins, cleaning the database, changing all the passwords, and debugging a number of issues caused by the fact that some plugins that were installed when the attack occurred were older than the versions available when I rebuilt the site, and I did not have a known-good backup. I’m not going to bash Network Solutions because over the last four or five years I’ve found them to be a pretty good host, and would say that they have provided good value for my $12 a month. I do hope this doesn’t happen again, because it’s a major pain in the ass.
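
A defender's check for the three indicators described in this post (a wp-config.php readable by other accounts on the host, a tampered siteurl value, and stray files under wp-includes/js), as an added example that is not from the original post. The host name, the known-good file listing and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile
from urllib.parse import urlsplit


def config_exposed(path):
    """True if wp-config.php is readable by group or other users on the host."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def siteurl_clean(value, expected_host):
    """True only if the stored siteurl is a bare http(s) URL on our own host."""
    if any(ch in value for ch in "<>\"' \t\r\n"):
        return False  # markup or whitespace never belongs in siteurl
    try:
        parts = urlsplit(value)
    except ValueError:
        return False  # malformed URL
    return parts.scheme in ("http", "https") and parts.hostname == expected_host


def unexpected_files(js_dir, known_good):
    """Files under wp-includes/js that are absent from a known-good listing."""
    found = set()
    for root, _dirs, files in os.walk(js_dir):
        for name in files:
            found.add(os.path.relpath(os.path.join(root, name), js_dir))
    return sorted(found - set(known_good))


def demo():
    # Constructed sample tree; every name except users.js is a placeholder.
    with tempfile.TemporaryDirectory() as top:
        cfg = os.path.join(top, "wp-config.php")
        open(cfg, "w").close()
        os.chmod(cfg, 0o644)  # world-readable, as on the shared volume
        js = os.path.join(top, "wp-includes", "js")
        os.makedirs(js)
        for name in ("jquery.js", "users.js"):
            open(os.path.join(js, name), "w").close()
        tampered = '<iframe src="http://spam.example/"></iframe>'
        return (config_exposed(cfg),
                siteurl_clean(tampered, "blog.example"),
                unexpected_files(js, ["jquery.js"]))


if __name__ == "__main__":
    print(demo())
```

The known-good listing should come from a fresh download of the same WordPress version, and the siteurl value from the wp_options row itself.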
