11 Feb, 2008
A hacker came by with c99madshell v. 2.0 madnet edition
Posted by: admin In: Asides | blog updates | wordpress
*Update: Okay, I think I located the potential entry to the WP-Forum, which I have read has had some security issues coming up lately. It has now been removed from this site.*
Alright, not really what I wanted to happen on a Monday evening.
I came home, and just before I started to make dinner, I went to check my mail. In there was a mail from an advertiser saying that an ad was not showing, and naturally I went to the site to check.
Lo and behold, my site was hacked, and the hacker installed the c99madshell v. 2.0 on my domain.
Searching for information, I found only vague information, and never really found out how the €#"%"€# hacker came in.
I started by updating my WordPress installation to the latest version, and then went hunting. I found the script in my themes folder, where it replaced one of the .php files.
The only information I found that gave any clue to where to look was here: http://www.devside.net/blog/smf-exploit-like-phpbb-hack
I included the screenshot below, which is from the same blog entry (credit where credit is due), since I focused on removing the hack instead of documenting it. I hope the owner does not take offence.

Removing it was fairly easy once I knew where to look, but I had to have a serious look around to see where it was hidden.
So, what did I learn from this? To back up, back up often, and to always update my WordPress installations.
Have you had a visit?
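For anyone doing the same hunt, here is a small scanner for the situation described above, where the shell replaced a .php file inside the themes folder. It is an added example, not part of the original post; the indicator patterns and the 30-day threshold are assumptions to tune for your own site.

```python
import os
import re
import statistics

# Assumed indicators: the shell's own name, plus the decode-and-eval chain
# commonly used to pack PHP web shells. Extend both for your environment.
NAME_MARKER = re.compile(rb"c99(mad)?shell", re.I)
PACKED_EVAL = re.compile(
    rb"eval\s*\(\s*(?:@?\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)"
    rb"\s*\(\s*)+", re.I)


def scan_themes(themes_dir, mtime_gap_days=30):
    """Return {path: [reasons]} for suspicious .php files under themes_dir."""
    findings = {}
    for root, _dirs, files in os.walk(themes_dir):
        php = [os.path.join(root, f) for f in files
               if f.lower().endswith(".php")]
        if not php:
            continue
        mtimes = {p: os.path.getmtime(p) for p in php}
        median = statistics.median(mtimes.values())
        for path in php:
            reasons = []
            with open(path, "rb") as fh:
                data = fh.read()
            if NAME_MARKER.search(data):
                reasons.append("shell name marker")
            if PACKED_EVAL.search(data):
                reasons.append("packed eval chain")
            # A replaced theme file is newer than the files it sits beside.
            # Needs at least three siblings for the median to mean anything.
            if (len(php) >= 3
                    and mtimes[path] - median > mtime_gap_days * 86400):
                reasons.append("modified long after sibling files")
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python scan_themes.py /path/to/wp-content/themes
    for path, reasons in sorted(scan_themes(sys.argv[1]).items()):
        print(path, "->", ", ".join(reasons))
```

A clean result does not prove the site is clean: a shell can be packed differently or have its timestamp reset, so compare the theme files against a known-good copy or backup as well.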
















