Did You Get Hacked By alsha67 + NeT-DeViL?

Did your self-hosted WordPress blog get hacked by “Hacked By alsha67 + NeT-DeViL” and is it now loading an Osama Bin Laden web page?  I had 3 sites get hacked.  Took me 3 hours to find the problem, but I found it.  Here’s how it all went down.

Yesterday, May 3, 2011, I couldn’t log into one of my blogs.  I knew I had the username and password correct, because I have them saved in a file.  So I logged into cpanel and went into phpMyAdmin to check the wp_users table to look at the raw data.  My email address was replaced with fs8-@hotmail.com and the username was changed to Admin, something I never do on my blogs.  So I changed it all to something completely different.

Then I noticed on 2 more blogs that my username was changed to Admin.  However, the emails were still mine.  So I changed them, too.

Today I go to the sites and they are loading a cheesy Osama page with some catchy little rag-head song playing in the background.

I FTP’d to my site and checked the timestamps on the files.  Nothing changed.  I checked the .htaccess files for redirects.  Nothing.  Checked the DNS settings at my registrar.  They’re ok.  I checked all the posts and pages in the blog and they were all ok.  I noticed that if I accessed posts by their permalinks, they loaded ok, but when I accessed my site by typing in my domain name or the domain name /index.php, that’s when I saw the Osama page.  Yet nothing was wrong with the index.php source code.

I checked the Webalizer server log and found the culprit.  I had a few visits from Saudi Arabia:

77.31.34.63.dynamic.saudi.net.sa
94.98.76.29.dynamic.saudi.net.sa
94.98.137.253.dynamic.saudi.net.sa

I viewed the source code on the Osama page:

<meta name="keywords" content="Hacked By alsha67 + NeT-DeViL ">
<meta name="description" content="Hacked By alsha67 + NeT-DeViL ">

So I Googled:  Hacked By alsha67 + NeT-DeViL

And found that other sites were hacked, too, and displayed the same page mine was displaying.  However, there was one different page in the bunch and it displayed 2 email addresses for the hackers:

fs8-@hotmail.com
a55@hotmail.com

Ah HA!  fs8-@hotmail.com, the email addy I found on my WordPress user record.

So I did a database backup and downloaded the WordPress files to my hard drive and got to thinking, that’s not gonna do me any good because it will have the Osama site.  But my data looked ok, so I thought, I’ll just delete the blog, recreate it and import the database export and see what shakes out.  

I started going through the plan in my head and said to myself, “You’ll have to upload the plugins and theme again.”  Lightbulb moment!  So I went to the Themes folder and that’s when I noticed the 5.3.2011 date on the /wp-content/themes/thethemefolder/index.php file.  I opened it up and BAMM!  Bob’s my uncle.  There it was.  The source code for the Osama page.

Now here’s the deal.  If you don’t have a backup copy of your theme’s index.php file, you’re screwed.  I happen to build my own themes so I had the original file.  When I replaced the hacked file, everything worked ok.
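The symptom above makes sense once you know how WordPress picks templates: single posts are rendered through the theme’s single.php, but the front page falls back to the theme’s index.php when there is no home.php or front-page.php, so permalinks looked fine while the domain root showed the defaced template. The script below is an added example, not code from the post, that does the two checks the author ended up doing by hand: list files under wp-content with a recent modification time (the 5.3.2011 timestamp that gave the theme away) and list files that contain the marker string from the defaced page’s <meta> tags. The sample install it builds is constructed for the demo; the paths and marker string are the ones named in the post.

```shell
#!/bin/sh
# Added example (not from the post): scan a WordPress install for the two
# signs the author found by hand. The sample site built below is constructed
# for the demo; theme path and marker string are taken from the post.

# Build a throwaway install with one defaced theme index.php and two
# older, clean files, so the scan can be tried offline.
make_sample_site() {
  root=$(mktemp -d)
  theme="$root/wp-content/themes/thethemefolder"
  mkdir -p "$theme" "$root/wp-content/plugins/akismet"
  printf '<?php\n/* clean plugin file */\n' > "$root/wp-content/plugins/akismet/akismet.php"
  printf '<?php\n/* clean theme file */\n' > "$theme/functions.php"
  # Defaced template carrying the <meta> marker the author saw in the page source.
  printf '<html><head>\n<meta name="keywords" content="Hacked By alsha67 + NeT-DeViL ">\n</head></html>\n' \
    > "$theme/index.php"
  # Age the clean files (POSIX touch -t, fixed past date) so only the
  # defaced file shows a recent modification time.
  touch -t 201104010000 "$root/wp-content/plugins/akismet/akismet.php" "$theme/functions.php"
  printf '%s\n' "$root"
}

# Check 1: files under wp-content changed within the last N days (default 7).
# This is the timestamp check from the post, done with find instead of by eye.
recently_modified() {
  find "$1/wp-content" -type f -mtime "-${2:-7}" | sort
}

# Check 2: files anywhere in the install that contain the defacement marker.
defacement_markers() {
  find "$1" -type f -exec grep -l 'Hacked By alsha67 + NeT-DeViL' {} + 2>/dev/null | sort
}

# Run both checks and print a short report; returns non-zero if anything was found.
scan_site() {
  recent=$(recently_modified "$1" "${2:-7}")
  marked=$(defacement_markers "$1")
  printf 'Recently modified under wp-content:\n%s\n\n' "${recent:-(none)}"
  printf 'Files carrying the defacement marker:\n%s\n' "${marked:-(none)}"
  [ -z "$recent" ] && [ -z "$marked" ]
}

# Usage: sh scan.sh /path/to/wordpress [days]   or   sh scan.sh --demo
case "${1:-}" in
  --demo) site=$(make_sample_site); scan_site "$site"; rm -rf "$site" ;;
  "")     ;;
  *)      scan_site "$1" "${2:-7}" ;;
esac
```

Run it with `--demo` to see it flag only the defaced index.php, or point it at a real install root. The marker grep only catches this particular defacement; the modification-time check is the general one, and on a real site it should be compared against the dates you actually deployed or updated the theme and plugins, since a legitimate upgrade touches files too.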

3 Responses to Did You Get Hacked By alsha67 + NeT-DeViL?

  • twingugu says:

    Thanks for the detailed workup on where to dig up the hack. I guess this means I should go check all of my WP sites to make sure none were hacked. That’s a lot of work. But hey, less work than Sony.

  • Shiliang from microscope with camera says:

    Something similar happened to my blogs, however instead of Obama it was something else. I had a bad day because I don’t know the technical things which you mentioned. I only write blogs and reply to comments. I took help from a friend who is good with computers, but I did realize that I should have known this on my own. You have done a good job by educating the newbies on all this!

  • local seo says:

    these guys got redtube at one time