Hacked

I believe my site was hijacked somehow and I really need help patching the exploit somehow. I use Wordpress, and when I went to my admin panel, this is what I saw:

http://i.imgur.com/8Kjpn.png

There were also files on my server that I didn't upload.

I can restore the site to an earlier date, but how do I stop this from happening again?

9 Replies

The best thing you can do to prevent future exploits is to ensure that your Wordpress software (and any other software for that matter) is up to date.

If you are running the latest Wordpress, check any other custom written scripts and other software that you may have running. The server logs may be helpful in finding out how exactly the attacker gained access.

You may also want to take the opportunity to change all passwords on the system.

From the image I see that the files belonging to your Wordpress installation belong to www-data. Is there any particular reason for that?

Should they belong to a different user? I'm still pretty new to server management, still learning.

Were you using the timthumb plugin?

@Praefectus:

Were you using the timthumb plugin?

No, I was not, but after checking my access logs I noticed some files with that name were uploaded. I also believe the theme I used had an older version of it. I updated it.

I've gone ahead and lowered a few permissions, changed all of my system passwords, changed my db prefix, installed a few system scanner plugins and got rid of all the infected files. Would there be anything else I could do to patch a security exploit?

Update: Researched the timthumb plugin, and found out about the exploit. I've updated it, I guess that's how they did it.
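Added example, not from any poster in this thread, of what checking the access logs for the timthumb activity mentioned above can look like: a small POSIX shell/awk scanner run over constructed Apache combined-format lines (the IPs, theme name and file names are made up), plus a find wrapper for recently changed PHP files. It assumes the theme's timthumb.php lives under wp-content/themes and treats any absolute http(s) URL in its src= parameter, and any .php file served from a directory the web server writes to, as worth flagging.

```shell
# Added example (not from any poster in this thread): scan an Apache
# combined-format access log for two signals that matter after a
# timthumb-style compromise. All names, IPs and paths below are constructed.

# Constructed sample log lines. Line 1: timthumb asked to fetch a remote
# file via src=; line 2: a .php file requested from the theme's cache
# directory; lines 3-4: ordinary traffic that must not be flagged.
SAMPLE_LOG='203.0.113.5 - - [10/Aug/2011:03:14:07 +0000] "GET /wp-content/themes/sometheme/timthumb.php?src=http://203.0.113.5/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2011:03:14:09 +0000] "GET /wp-content/themes/sometheme/cache/external_1b2c3d4e.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Aug/2011:08:00:01 +0000] "GET /wp-content/themes/sometheme/timthumb.php?src=wp-content/uploads/2011/08/photo.jpg&w=150 HTTP/1.1" 200 9876 "http://example.org/" "Mozilla/5.0"
192.0.2.44 - - [10/Aug/2011:08:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 3000 "-" "Mozilla/5.0"'

# wp_scan_log: read a log on stdin, print flagged lines prefixed with a tag.
# In combined format field 7 is the request target (path plus query string).
wp_scan_log() {
    awk '
    {
        req = $7
        # timthumb called with an absolute http(s) URL in src=, i.e. asked to
        # pull a file from another host (":" may arrive %3A-encoded)
        if (req ~ /timthumb\.php\?/ && req ~ /[?&]src=https?(:|%3[Aa])/) {
            print "REMOTE-SRC " $0; next
        }
        # a .php file served out of a directory the web server writes to
        # (uploads, or a cache dir under wp-content): PHP should never live there
        if (req ~ /^\/wp-content\/(uploads|.*\/cache)\// &&
            (req ~ /\.php$/ || req ~ /\.php\?/)) {
            print "WRITABLE-DIR-PHP " $0; next
        }
    }'
}

# wp_recent_php: list .php files under a WordPress root modified in the last
# N days, a quick way to surface files the owner did not upload.
wp_recent_php() {
    find "$1" -type f -name '*.php' -mtime -"$2"
}

# Usage against a real server (log and site paths are assumptions):
#   wp_scan_log < /var/log/apache2/access.log
#   wp_recent_php /var/www/site 7
printf '%s\n' "$SAMPLE_LOG" | wp_scan_log
```

Run over the sample, the scanner flags the first two lines and leaves the legitimate local-thumbnail request and the admin hit alone; on a real log, the timestamps of the flagged lines are what to line up against the modification times that wp_recent_php reports.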

Are you using FTP to manage your site? Do you use Windows at home? It's quite common for viruses to steal FTP passwords from Windows PCs.

As for ownership and permissions, only the "wp-content" folder should be owned/writable by the "www-data" user. Everything else should be owned by some other user, so that even a hacked plugin can't touch any critical files. But this makes it slightly difficult for WordPress to update itself from the admin page. You may have to update it manually from the command line or configure WordPress to update itself over FTP.
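Added example, not code from any poster, of the ownership split described above written as shell commands: the whole tree is owned by a non-web deploy account (assumed name: deploy) and only wp-content by www-data, with an audit function that lists anything outside wp-content the server could still write. wp_perm_commands only prints the commands so they can be reviewed before being piped to sudo sh; the site path is an assumption.

```shell
# Added example (not code from any poster): the ownership scheme described
# above, expressed as commands. $owner is a non-web account that deploys the
# site (assumed here to be called "deploy"); $webuser is the account the web
# server runs as (www-data on Debian/Ubuntu).
# Usage: wp_perm_commands /var/www/site deploy www-data | sudo sh
wp_perm_commands() {
    root=$1; owner=$2; webuser=$3
    # Start with the whole tree owned by the non-web account ...
    echo "chown -R $owner:$owner '$root'"
    # ... and hand only wp-content to the server (uploads, caches, plugin installs).
    echo "chown -R $webuser:$webuser '$root/wp-content'"
    # Directories 755, files 644: the server can read everything, only the owner writes.
    echo "find '$root' -type d -exec chmod 755 {} +"
    echo "find '$root' -type f -exec chmod 644 {} +"
    # wp-config.php holds the DB credentials: readable by the owner and the server's group only.
    echo "chgrp $webuser '$root/wp-config.php'"
    echo "chmod 640 '$root/wp-config.php'"
}

# wp_perm_audit: list anything outside wp-content the server could still
# write, either because it is owned by $webuser or because it is world-writable.
# Empty output means the split is in place. $webuser may be a name or a uid.
wp_perm_audit() {
    root=$1; webuser=$2
    find "$root" -path "$root/wp-content" -prune -o \
        \( -user "$webuser" -o -perm -002 \) -print
}
```

After applying the commands, wp_perm_audit /var/www/site www-data should print nothing; anything it does print is a file a compromised plugin or theme could still overwrite.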

Using SSH. Thank you for the explanation, I've gone ahead and made the changes.

I actually managed to copy one of the scripts that was uploaded,

http://pastebin.com/zd2ETfXh

Not too sure what it did though, would I need to change anything?

@theflame12:

Using SSH. Thank you for the explanation, I've gone ahead and made the changes.

I actually managed to copy one of the scripts that was uploaded,

http://pastebin.com/zd2ETfXh

Not too sure what it did though, would I need to change anything?

That script seems to be able to send email with optional attachment, but I only gave it a quick look.

> As for ownership and permissions, only the "wp-content" folder should be owned/writable by the "www-data" user. Everything else should be owned by some other user, so that even a hacked plugin can't touch any critical files. But this makes it slightly difficult for WordPress to update itself from the admin page. You may have to update it manually from the command line or configure WordPress to update itself over FTP .

+1

@nehalem:

@theflame12:

http://pastebin.com/zd2ETfXh

That script seems to be able to send email with optional attachment, but I only gave it a quick look.

It also seems to extract e-mail addresses from your database so that they can be spammed. It's probably looking for e-mail addresses that people submitted with their comments, etc.

I don't think it's meant to infect anything else, though. Did you also save a copy of the "mysql.info.php" that it mentions, or did this file not exist? (Script kiddies often use simple scripts to look for and break into vulnerable websites automatically. If the script encounters an error, it may just abort and move on to the next site. So it's not uncommon for exploits to be uploaded only partially.)

No sorry, I was in such a rush to get everything cleaned up that was the only script I was able to retrieve. I do remember there being about 4 or 5 other infected files that I found though.
