wordpress upgrade… not so good.

So, Dreamhost offered a ‘one-click’ upgrade to WordPress 2.5. I hadn’t had problems with it before so last night I did the “one-click” upgrade. I went to bed.

This morning, I find a bunch of undeliverable emails in my inbox and notice that the from/return address is “email@gmail.com.” And the main page of my blog is a link to a comment on geni.com offering to sell viagra and it was the default WordPress theme with the “Hello, World!” post.

My questions, which I’ll ask Dreamhost about, are:

  1. Was the upgrade botched?
  2. Was my installation hacked?
  3. My “old” site (dreamhost will attempt to back up your old installation so you could revert back) didn’t work as many of the files were missing.

At this point, I had one of those “oh shit” moments where I’m thinking whatever happened, my database is gone and I don’t have a recent backup.

In my wordpress installation directory, all my files and plugins appear to be there and my wp-config file looks okay…

Then I find it. There is a different prefix on my mysql tables:

$table_prefix = 'wp_ufgeai_';

Sure enough, in addition to MY tables in MY database I see the “new” tables.

I had already dumped my other tables and saw they were still there, so I simply removed the ‘ufgeai_’ from the wp-config.php page and my site was back up.

However, there is still more to this story. I couldn’t log in via the wp-admin page since the admin password was in these new tables. I got really lucky since the email address set up was ‘email@gmail.com’ and I was able to get the bounces, which allowed me to reset the password to get in and do some recon.

I wanted to mention the ‘ufgeai’ prefix because I didn’t find anything on Google referring to it, and something tells me that I am not the only one this has happened to.

Needless to say, I changed all my usernames and passwords to something cripplingly complex.

Then, when I was able to log in to the right instance of my wordpress, I was getting all sorts of errors from ‘wp-admin/includes/dashboard.php’ and had to comment out about 15 lines, all referring to sidebars and widgets. Later, I’ll have to fix all of this and read up, but I have to get ready for a birthday party.

Some notes or food for thought:

  • I got really lucky my database and tables weren’t blown away. I am going to make backups pronto!
    • First need to make sure there isn’t something that shouldn’t belong in the regular tables, like another admin account.
  • How did this happen? Is there something wrong with the Dreamhost installation or was I a victim of a brute force attack? I thought my passwords were good.
  • Why didn’t my previous, backed-up installation work?
  • Why did I get so many errors with the dashboard.php file? Was that file supposed to be “upgraded” or was it something I installed or was part of a plugin?

I’m going to open a ticket with Dreamhost and give them some forensic evidence since I made backups of the changed files and added tables.

Hopefully, this will help someone and prevent a long history of blog posts from being lost. If you find yourself in this situation and think the only solution is a new, clean install, check your tables since your old/current data might still be there.
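The table check described above can be scripted. This is an added example, not part of the original post: it compares the `$table_prefix` in wp-config.php with the table names in the database and reports any other complete set of WordPress tables. The config text and table list are constructed samples, and the function names are hypothetical.

```python
import re

# Suffixes of core WordPress tables; several together under one prefix mark an install.
CORE_SUFFIXES = {"posts", "users", "options", "comments", "usermeta", "postmeta"}

# Matches an uncommented assignment at the start of a line.
# Limitation: an assignment inside a /* ... */ block would still match.
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*(['"])(.*?)\1\s*;""", re.M)


def configured_prefix(wp_config_text):
    """Return the last $table_prefix assignment in wp-config.php, or None."""
    matches = PREFIX_RE.findall(wp_config_text)
    return matches[-1][1] if matches else None


def find_installs(tables):
    """Map prefix -> core suffixes found, for prefixes that look like an install."""
    found = {}
    for name in tables:
        for suffix in CORE_SUFFIXES:
            if name.endswith(suffix):
                found.setdefault(name[:-len(suffix)], set()).add(suffix)
    # Require several core tables so a lone "forum_users" is not counted.
    return {p: s for p, s in found.items() if len(s) >= 4}


def audit(wp_config_text, tables):
    """Report the active prefix and any other WordPress table sets in the database."""
    active = configured_prefix(wp_config_text)
    installs = find_installs(tables)
    return {
        "active_prefix": active,
        "active_has_tables": active in installs,
        "other_installs": sorted(p for p in installs if p != active),
    }


# Constructed sample: wp-config.php as found after the incident, and the table
# names as SHOW TABLES would list them (original set plus the injected set).
SAMPLE_CONFIG = "<?php\ndefine('DB_NAME', 'example_db');\n$table_prefix = 'wp_ufgeai_';\n"
_NAMES = ["comments", "links", "options", "postmeta", "posts", "terms", "usermeta", "users"]
SAMPLE_TABLES = [p + n for p in ("wp_", "wp_ufgeai_") for n in _NAMES]

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, SAMPLE_TABLES))
```

A non-empty `other_installs` means a second set of tables exists: either the original data is still there under its old prefix, or, once the config is restored, an unexpected set that should be dumped as evidence before it is dropped.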