This site was hacked by Dr.SHA6H

This site was hacked on 28th November 2012 by someone leaving the signature ”Dr.SHA6H”.

The first sign of the hack is that the site no longer shows anything else but the following text:

hacked by hacker

This happended to many, if not all WordPress sites on the same hosting service this site is using and by googling around, it appears that thousands of WP sites have been hacked in similar way and made nonfunctional.

This site also became totally useless, and in fact was very difficult to recover as the worst damage was done to the MySQL database in nasty ways.

Here are things the hacker did:

  1. changed the username and password of the Administaror account, so the admin can no longer log in. You need to go to phpMyAdmin and manually get you your Admin account back to the database.
  2. .htaccess emptied, removing all security from that
  3. changed index.php to contain ”hacked by hacker
  4. changed the WordPress Site title to: +ADw-/title+AD4-HackeD By Dr.SHA6H +AHw Fuck All Site+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-
  5. Added a nasty text widget to sidebar, which will show the text ”HackeD By Dr.SHA6H | Fuck All Site”, even if you otherwise clean your WP install but leave your database, that ”HackeD By Dr.SHA6H | Fuck All Site” will be the only thing rendered by WP on any page not matter what the theme is. Quite clever.
  6. The final nail to coffin: changed encoding for pages and feeds to UTF-7, it should be UTF-8. This is hard to detect, and unless you notice it, WP renders corrupted pages and you cannot in practice make any new posts.
I have now wiped the WP installation clean and started that from scratch. All plugins are deleted, and many nice features I had on this blog are currently not working, until I can figure out what is safe to take back into use and what is not.
Unfortunately my latest database backup before the hacking was so old, that I could not use it any more. So that should teach me to make DB backup more often.
Fuck you Dr.SHA6H!