So, Dreamhost offered a ‘one-click’ upgrade to WordPress 2.5. I hadn’t had problems with it before so last night I did the “one-click” upgrade. I went to bed.
This morning, I find a bunch of undeliverable emails in my inbox and notice that the from/return address is “email@example.com.” And the main page of my blog is a link to a comment on geni.com offering to sell viagra and it was the default WordPress theme with the “Hello, World!” post.
My questions, which I’ll ask Dreamhost about, are:
- Was the upgrade botched?
- Was my installation hacked?
- My “old” site (dreamhost will attempt to back up your old installation so you could revert back) didn’t work as many of the files were missing.
At this point, I had one of those “oh shit” moments were I’m thinking whatever happened, my database is gone and I don’t have a recent backup.
In my wordpress installation directory, all my files and plugins appear to be there and my wp-config file looks okay…
Then I find it. There is a different prefix on my mysql tables:
$table_prefix = ‘wp_ufgeai_’;
Sure enough, in addition to MY tables in MY database I see the “new” tables.
I had already dumped my other tables and saw they were still there, so I simply removed the ‘ufgeai_’ from the wp-config.php page and my site was back up.
However, there is still more to this story. I couldn’t log in via the wp-admin page since the admin password was in this new tables. I got really lucky since the email address set up was ’firstname.lastname@example.org’ and I was able to get the bounces, which allowed me to reset the password to get in a do some recon.
I wanted to mention the ‘ufgeai’ prefix because I didn’t find anything on Google referring to it, and something tells me that I am not the only one this has happened to.
Needless to say, I changed all my usernames and passwords to something cripplingly complex.
Then, when I was able to log in to the right instance of my wordpress, I was getting all sorts of errors from ‘wp-admin/includes/dashboard.php’ and had to comment out about 15 lines, all referring to sidebars and widgets. Later, I’ll have to fix all of this and read up, but I have to get ready for a birthday party.
Some notes or food for thought:
- I got really lucky my database and tables weren’t blown away. I am going to make backups pronto!
- First need to make sure there isn’t something that shouldn’t belong in the regular tables, like another admin account.
- How did this happen? Is there something wrong with the Dreamhost installation or I was a victim of a brute force attack? I thought my passwords were good.
- Why didn’t my previous, backed up installation not work?
- Why did I get so many errors with the dashboard.php file? Was that file supposed to be “upgraded” or was it something I installed or was part of a plugin?
I’m going to open a ticket with Dreamhost and give them some forensic evidence since I made backups of the changed files and added tables.
Hopefully, this will help someone and prevent a long history of blogs posts from being lost. If you find yourself in this situation and think the only solution is a new, clean, install, check your tables since your old/current data might still be there.