Someone Hacked Me to Pieces
Posted by Ken Cheung on Monday, November 20, 2006 in WordPress :: 7 comments
So far, the last few days have been really crappy. First, the medical bill came in for my 14-month-old daughter's 30-minute surgery. It was over $10,000. The HMO will pay a good part of it, but the amount I owe will still be staggering. Kinda puts a damper on Christmas and Thanksgiving (yes, I am thankful my daughter is OK now).
The second reason why things are crappy is that Akismet does not appear to be working on my blogs. Every few minutes, I get an email to approve a comment that has about 100 links in it. This has been going on for a few days now. And it is getting reaaaaallllly ANNOYING.
Then there's my daddy blog, which was hacked early Saturday morning. Somehow, a hacker was able to insert a script and a bunch of links above the WordPress template's code. The injected stuff loads before the <!DOCTYPE html> declaration of each web page. I downloaded my templates and didn't see any modifications to them. I deactivated all the plugins and selected the default WordPress theme. It didn't make a difference. I upgraded to WordPress 2.0.5 from 2.0.4 and the hack was still there. I couldn't figure out how to resolve the problem, so I submitted a ticket to my web host. Seven and a half hours later, they replied with something like, "We don't support third party applications and perhaps your password has been compromised."
That was really helpful. It's possible my password was compromised, but I didn't see any tampering with any of my files. I really don't understand how the hacker was able to insert the extra code before the HTML header. It makes me wonder if the web host has some sort of WordPress-related virus that was doing it. I created a non-WordPress page and it loaded without any additional code. So, the problem is WordPress-related.
The next thing I did was uninstall WordPress. I didn't want to do this, but I didn't see how I had any choice (my content was not viewable). So, after uninstalling, I reinstalled the latest version. Then I restored the database from back-up. Guess what? I got the exact same result with the default theme. I didn't upload my plugins so the only ones enabled were the ones that came with WordPress (Akismet and Database Backup).
At this point, I was wondering if the hack occurred in the database. To test this, I restored the database to another site with a different web host (#2). This time, the hack was gone. The database was fine. Since my blog was now working correctly, I had web host #2 change the domain name to daddyforever.com and then I changed the entries for the name servers to point to web host #2. DNS propagation could take up to 48 hours, but I saw the change in less than 24 hours. But it wasn't what I was expecting. I could no longer connect to my site at web host #1 or #2. I didn't want to be Chicken Little, so I waited several hours before asking web host #2 to recheck their work. Sure enough, they discovered they had made a mistake in the DNS setup on their end.
My daddy blog is now back online after two days. I still have no idea how the hack occurred. The moral of the post? Back up often.
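The diagnosis in the post (the same script and links appearing ahead of <!DOCTYPE> on every WordPress page, while a plain non-WordPress page on the same host comes back clean, and the same database rendering clean on a second host) can be checked mechanically rather than by eyeballing view-source. The script below is an added example, not code from the original post or from WordPress. It takes already-fetched page bodies, reports anything that precedes the doctype other than a BOM or whitespace, pulls out the external script sources and link targets from that prefix, and tells you whether every affected page carries the byte-identical payload. The sample pages, the blog.example and example.invalid URLs and the placeholder tags are constructed for the demonstration and are not the payload the author saw.

```python
"""Spot content injected ahead of <!DOCTYPE> across a set of fetched pages.

Added example, not the original post's or WordPress's code. The sample
pages below are constructed; the injected tags are placeholders.
"""
import re
from html.parser import HTMLParser

DOCTYPE_RE = re.compile(r"<!DOCTYPE\s", re.IGNORECASE)
# A UTF-8 BOM or plain whitespace ahead of the doctype is harmless and common.
HARMLESS_PREFIX = "\ufeff \t\r\n"


class _PrefixScanner(HTMLParser):
    """Collect external script sources, inline script size and anchors."""

    def __init__(self):
        super().__init__()
        self.scripts, self.links = [], []
        self.inline_script_chars = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.scripts.append(a["src"])
            else:
                self._in_script = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_script_chars += len(data)


def analyze_page(html):
    """Describe whatever precedes the first <!DOCTYPE> in one page body."""
    m = DOCTYPE_RE.search(html)
    if m is None:
        # No doctype at all: the heuristic does not apply, review by hand.
        return {"has_doctype": False, "injected": False, "prefix": ""}
    prefix = html[: m.start()].strip(HARMLESS_PREFIX)
    if not prefix:
        return {"has_doctype": True, "injected": False, "prefix": ""}
    scanner = _PrefixScanner()
    scanner.feed(prefix)
    scanner.close()
    return {
        "has_doctype": True,
        "injected": True,
        "prefix": prefix,
        "scripts": scanner.scripts,
        "links": scanner.links,
        "inline_script_chars": scanner.inline_script_chars,
    }


def analyze_site(pages):
    """pages: {url: html body}. Per-page findings, plus whether every injected
    page carries the byte-identical prefix. One identical payload on every
    dynamic page points at a single injection point that runs before the
    theme, not at edits to individual template files."""
    findings = {url: analyze_page(html) for url, html in pages.items()}
    injected = {u: f["prefix"] for u, f in findings.items() if f["injected"]}
    return {
        "pages": findings,
        "injected_urls": sorted(injected),
        "clean_urls": sorted(u for u, f in findings.items() if not f["injected"]),
        "single_payload": len(set(injected.values())) == 1 if injected else False,
    }


# Constructed sample: two WordPress pages with the same prefix, one static page.
INJECTED = ('<script src="http://example.invalid/x.js"></script>'
            '<div style="display:none"><a href="http://example.invalid/a">a</a>'
            '<a href="http://example.invalid/b">b</a></div>\n')
CLEAN_WP = ('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">'
            '<html><head><title>Daddy blog</title></head><body></body></html>')
SAMPLE_PAGES = {
    "http://blog.example/": INJECTED + CLEAN_WP,
    "http://blog.example/?p=1": INJECTED + CLEAN_WP,
    "http://blog.example/static.html": "\ufeff\n" + CLEAN_WP,
}

if __name__ == "__main__":
    report = analyze_site(SAMPLE_PAGES)
    print("injected:", report["injected_urls"])
    print("clean:", report["clean_urls"])
    print("single payload:", report["single_payload"])
```

To use it on a live site, fetch each URL as a plain HTTP client (not through a browser, which normalises away anything before the doctype) and pass the raw bodies in. The post never establishes how the injection got there, and this script does not either; what it gives you is the shape of the problem. If the payload is identical on every WordPress page and absent from a static file on the same account, the next things to inspect are whatever executes before the theme does: the PHP configuration the host applies to the account (php.ini or .htaccess directives such as auto_prepend_file), wp-config.php, which a reinstall typically leaves in place, and the core files WordPress loads before rendering, compared against a clean copy of the same version.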
Google Penalizes Hacked Sites…
Matt Cutts has an interesting post about what Google does when it detects a site has been hacked. Apparently, Google actually sends emails to the addresses listed for the site when Google penalizes a site. I have always assumed Google just penalizes si…
I hate hackers, one of my sites is hacked too
Well. I can help you find out. Go to my website:
http://www.hz-ug.com
visit the contact page (don't want to post it for indexing).
Anyway..yeah.. Are you on a shared hosting plan? This type of stuff happens a lot with some shared hosting. If it was really, really, really important content on your site, you should probably get a dedicated server.
http://www.hz-ug.com
I wrote an article about how it's very easy for someone to hack you if you are on a shared hosting plan.
Was your site on a shared server? I bet you that's the reason why. Shared servers are much easier to hack. My website:
http://www.nrglab.org
is on a dedicated server because I can't risk it :O
I was on a shared. Now I'm on a dedi.
NRG Lab
I forgot to add this, but if you go to the contact us section on my website, I will be able to help you better from there.