
Tab

(11,093 posts)
Thu Apr 4, 2013, 05:47 PM Apr 2013

Frickin' script kiddie hackers whatever

My wife couldn't log into her site today (she runs a WordPress site) and it just took a visit to the main page to figure out she'd been hacked last night. Luckily it was just WordPress itself and not the whole thing, so it took me just a couple of minutes to throw up a "site down for maintenance" message instead of the hack crap. Took a bit longer to restore the whole thing, since it hadn't been backed up (mea culpa - originally she was just doing it on the side and I forgot about it).

Supposedly it was the "Bangladesh Cyber Army" but emails led to Israel and names and membership led to Arab states and the whole thing supposedly is in retaliation for policies of India, so who the hell knows (and, FWIW, her site has NOTHING to do with any of that).

I got into the DB and restored the passwords, restored the root index.php which was obviously trashed, then it took me a bit longer to figure out what else they had actually mucked with (basically another index file and the 404 page), but since I don't usually use WordPress it took more of my time than I wanted.

Anywayz, she's back online, and I'm just a few hours shorter in my day. Pain in the ass, and it was a cheap hack job too (but thankfully for me). People with nothing better to do (them, not me). And, anyway, the site is now backed up and I'm hardening access to it. Even frickin' side projects chew up time.

Frickin' script kiddie hackers whatever (Original Post) Tab Apr 2013 OP
False attribution attacks are apparently common these days. napoleon_in_rags Apr 2013 #1
How do they get in? DaveJ Apr 2013 #2
I think this is what happens Tab Apr 2013 #3
I put up a Wordpress site for my company DaveJ Apr 2013 #4
Well, we didn't have admin/pass Tab Apr 2013 #5
Different methods. Dash87 Apr 2013 #7
yep script kiddies with a copy of 'backtrack5 for dumbasses'. Phillip McCleod Apr 2013 #6
I don't understand them either - what a colossal waste of time to just hack and destroy. gtar100 Apr 2013 #8
They tried again the next night Tab Apr 2013 #9
hacked selimx Jun 2015 #10
WordPress, the new Adobe Draug Jul 2015 #11

napoleon_in_rags

(3,991 posts)
1. False attribution attacks are apparently common these days.
Thu Apr 4, 2013, 05:53 PM
Apr 2013

Age of the false flag.

I never really studied security, wish I had these days. But I got hacked using common blog software too. (BBlog) There's an argument for rolling your own, if you can.

DaveJ

(5,023 posts)
2. How do they get in?
Thu Apr 4, 2013, 06:05 PM
Apr 2013

Do they just get ahold of the admin credentials somehow, or is there some other backdoor? I'm guessing that people use the same username/passwords on independent sites that don't protect the users' passwords, then the hackers somehow get ahold of them and try the same username and password for the user elsewhere. But I have no idea really.

Tab

(11,093 posts)
3. I think this is what happens
Thu Apr 4, 2013, 06:18 PM
Apr 2013

- WordPress sites are easy to identify either by HTML or maybe just "Powered by WordPress" or whatever the hell on the same page.
- The default admin page is <site>/wp-admin (although you could change that)
- The default db prefix is wp
- The default admin user is 'admin', and default password is 'pass', although in our case certainly the password was different (if not the username).

There's more shit along those lines, but it starts there. I suspect they just iterate through it until they find something that works.

Interesting that they didn't kill the whole site (go all destructive on our ass) but just invalidated a few key files so we were obviously hacked. It just so happens my wife's husband (me) could ultimately unravel it, but for the average person with a WordPress site they'd be hosed with no obvious way to fix it.

DaveJ

(5,023 posts)
4. I put up a Wordpress site for my company
Thu Apr 4, 2013, 06:34 PM
Apr 2013

I don't remember changing it, but admin/pass didn't work, so I guess we're ok. I'm surprised we haven't been hacked since our username/password scheme is incredibly simple and insecure. It's just a matter of time... but I'm not the guy in charge of that. Glad you're ok and that the hackers were not overly malicious.

Tab

(11,093 posts)
5. Well, we didn't have admin/pass
Thu Apr 4, 2013, 06:38 PM
Apr 2013

(I'm not that bad)

If nothing else, back it up so you can get it back to a (relatively) current state if need be.

If you have time, move the directory from wp-admin to something else.

I'm talking bare-minimum here.

Dash87

(3,220 posts)
7. Different methods.
Fri Apr 5, 2013, 12:40 PM
Apr 2013

- Password cracking through password combos / commonly used passwords is a favorite. Also, keywords from a page used as password tries. Password info, as you said, can also be stolen, sold, and bought. The number of people that don't encrypt is frightening.

- exploits

- admin accounts

- Trojans and key loggers

- an unprotected backdoor exploit found and shared among hacker groups (their websites aren't as secret as the idiots think, though)

- Honestly, though, most of them think it's super 1337 to use DDOS. Script kids are usually terrible hackers and only get away with it because they're in foreign countries that don't care.


Phillip McCleod

(1,837 posts)
6. yep script kiddies with a copy of 'backtrack5 for dumbasses'.
Thu Apr 4, 2013, 10:29 PM
Apr 2013

Those hacks sound exactly like somebody testing their exploits on the nearest available target. There's an 'app for that' for determining the platform a particular site is running on.. some apps for sql-injection and then..

..then there's metasploit..

gtar100

(4,192 posts)
8. I don't understand them either - what a colossal waste of time to just hack and destroy.
Sat Apr 6, 2013, 11:57 PM
Apr 2013

Very immature, which I suppose is why the term 'script kiddie' seems to stick so well. But, geez, if you can hack well enough to get past security, why not work on the side of good? Just defacing websites is so pointless and only shows people that the hackers are just a bunch of assholes. I would think that would be enough to convince these people to just stop their idiocy... I really expect too much from people.

Tab

(11,093 posts)
9. They tried again the next night
Sun Apr 7, 2013, 01:48 PM
Apr 2013

However this time I had a current backup and we were restored within minutes of discovering it.

They focus on WordPress installations - those have a separate login page - and seem to change some things in the database (probably via the WordPress admin menu - they don't seem to have gone in via the cPanel, at least they haven't screwed up anything there); they do change the index.php and the 404.php, which I assume you can do via WordPress admin. A couple of other small things. I think they just have a script that does all this.

But really, if it was just the average person running a WordPress site, they'd be hosed for a long time, maybe forever. And her site just has medical health info - nothing to do with middle east politics. Because of what I happen to do for a living I could fix it, but that's just a lucky coincidence.

I guess if I put myself back in my 15-y/o frame of mind (going back 35 years to do that) I can see the attraction, not unlike spraying graffiti I guess, but once you get to be a little bit mature, it just seems mean and pointless. Plus, this is more destructive than graffiti. Graffiti you can paint over, with something like this if you don't know how to bring back a website, that's years of work down the drain.
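The recovery Tab describes in #5 and #9 (restore from a known-good backup, notice that index.php and the theme's 404.php were rewritten) is exactly what a file-integrity baseline turns into a minutes-long check instead of a hunt. The script below is an added example written for this thread, not code from the poster or from WordPress: it hashes every file under a document root, saves that as a JSON baseline kept outside the web root, and on a later run reports modified, added and removed files, flagging the ones this thread names. The document root, theme name and "defaced" contents in `demo()` are constructed for illustration.

```python
"""File-integrity baseline for a WordPress document root (added example)."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Files the thread saw replaced (index.php, 404.php) plus two that usually
# matter on a WordPress install; a constructed watch-list, extend as needed.
HIGH_VALUE = {"index.php", "404.php", "wp-config.php", ".htaccess"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def save_baseline(baseline: dict, out_path: Path) -> None:
    """Write the baseline as JSON; store it outside the web root so a defacement
    cannot rewrite the baseline along with the site."""
    out_path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_path: Path) -> dict:
    return json.loads(in_path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; every list is sorted so the output is stable."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    # Changed or new files whose basename is on the watch-list deserve a look first.
    high_value = [k for k in modified + added if Path(k).name in HIGH_VALUE]
    return {"modified": modified, "added": added, "removed": removed,
            "high_value": high_value}


def demo() -> dict:
    """Constructed walk-through: baseline a tiny fake document root, simulate the
    kind of change described in the thread, and run the comparison."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "sampletheme"  # hypothetical theme
        theme.mkdir(parents=True)
        (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'example');\n")
        (theme / "404.php").write_text("<?php get_header(); ?>\n")

        manifest = Path(store) / "baseline.json"   # lives outside the web root
        save_baseline(build_baseline(root), manifest)

        # Simulated defacement: two files overwritten, one unexpected file dropped in.
        (root / "index.php").write_text("<?php echo 'defaced';\n")
        (theme / "404.php").write_text("<?php echo 'defaced';\n")
        (root / "wp-content" / "dropped.php").write_text("<?php /* new file */\n")

        return compare(load_baseline(manifest), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice you build the baseline once, right after a clean install or a verified restore, and re-run the comparison on a schedule or before each backup so that you never archive a defaced copy. Note what this does not cover: Tab also mentions changes made through the WordPress admin, which land in the database rather than on disk, so a database dump needs its own baseline.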


Draug

(6 posts)
11. WordPress, the new Adobe
Fri Jul 3, 2015, 03:21 PM
Jul 2015

A couple of local clubs here had web sites that Google was characterizing as "possibly compromised." They had no idea what was going on until I pointed out to them they had been infected with the WordPress Pharma Hack. Neither was able to recover and both were eventually taken down. One of the posters at The Register once described WordPress as "the new Adobe" with respect to security.
