Lesson Learned – Don’t Leave Things Laying Around

So you want to have your own website and play around with different tools and technologies? Great, just don’t leave a project sitting too long, bad things happen.

Case in point, over on the Child Abuse Survivor site, I had created a sub-domain with its own WordPress Multi-User install (back when that was a separate version of WP), running BuddyPress to act as a sort of community site. Over time the site saw some traffic, but eventually the community involvement started to fall off, around about the same time that I was changing jobs and moving, so I really sort of stopped dedicating a bunch of time to it. Oh, I left the community up, in case anyone wanted to continue to use it and communicate with each other, but I stopped checking in regularly.

That also means I stopped updating the WordPress install. A big no-no.

Sure enough, late last week, I noticed an issue with the RSS feeds on the main blog getting malformed text and becoming invalid. I didn’t see anything wrong on that WordPress install, but somehow the feeds weren’t publishing properly. A quick re-install of WP in place corrected the feeds issue, but I made a note to keep a closer eye on the feeds.

Sure enough, Monday evening, I saw the same problem with the feeds again. This time I decided this wasn’t a random occurrence; something was wrong. So I dug into the site and the WordPress database to see if I could find what was causing this. As I dug around I came across a strange class.php file that had been dropped into the wp-content folder, and an .htaccess file that hadn’t been at that level of the install before, pointing to a randomly named numeric PHP document in another folder, on the community site. Further digging led me to discover Google search results, mostly for pharmaceuticals, pointing to oddly named pages on my site.

Now my blog’s WordPress install was up to date, and there wasn’t any SQL injection into the database, but as I rolled over to the community WordPress install, boy what a mess. There were a number of malicious PHP files over there, and some SQL injected into the database. Since I hadn’t updated that install in months, I assume it was compromised thanks to a known exploit that has since been fixed.
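The three file-system indicators from this incident (a stray PHP file at the top of wp-content, an .htaccess rewriting to a numeric .php name, and the numeric .php file itself) are simple enough to check for with a script. This is an added example, not code from the original post; the sample install it builds is a constructed placeholder layout, not the real site, and the file names and the htaccess pattern are assumptions based on the description above.

```python
import re
import tempfile
from pathlib import Path

# Rewrite/include directives in .htaccess that point at a PHP file whose
# name is just digits, as seen in the incident above (assumed pattern).
SUSPICIOUS_HTACCESS = re.compile(
    r"(RewriteRule|ErrorDocument|auto_prepend_file|include_path).*\b\d{3,}\.php\b",
    re.IGNORECASE,
)


def scan_wordpress(root):
    """Return (relative_path, reason) pairs for files matching the indicators."""
    root = Path(root)
    findings = []
    # 1. A stock WordPress wp-content holds only index.php at the top level;
    #    any other .php file directly in it is worth a look.
    content = root / "wp-content"
    if content.is_dir():
        for p in content.glob("*.php"):
            if p.name != "index.php":
                findings.append((p.relative_to(root).as_posix(), "unexpected PHP file in wp-content"))
    # 2. Any .htaccess, at any level, that redirects into a numeric-named PHP file.
    for htaccess in root.rglob(".htaccess"):
        if SUSPICIOUS_HTACCESS.search(htaccess.read_text(errors="replace")):
            findings.append((htaccess.relative_to(root).as_posix(), ".htaccess references numeric PHP file"))
    # 3. The numeric-named PHP files themselves, wherever they were dropped.
    for p in root.rglob("*.php"):
        if p.stem.isdigit():
            findings.append((p.relative_to(root).as_posix(), "PHP file with purely numeric name"))
    return sorted(findings)


def build_sample_install():
    """Constructed throwaway directory mimicking the compromised layout (not the real site)."""
    d = Path(tempfile.mkdtemp())
    (d / "wp-content").mkdir()
    (d / "wp-content" / "index.php").write_text("<?php\n// Silence is golden.\n")
    (d / "wp-content" / "class.php").write_text("<?php\n// constructed placeholder for the dropped file\n")
    (d / "community").mkdir()
    (d / "community" / "48213.php").write_text("<?php\n// constructed placeholder for the numeric file\n")
    (d / ".htaccess").write_text("RewriteEngine On\nRewriteRule ^.*$ /community/48213.php [L]\n")
    return d


if __name__ == "__main__":
    for path, reason in scan_wordpress(build_sample_install()):
        print(f"{path}: {reason}")
```

Run it against a real document root instead of the sample directory to get the same report for a live install; a clean, up-to-date WordPress should produce no findings.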

After nuking the community site completely, database included, and then cleaning the handful of PHP files running all over the rest of the site’s directories, it seems to be clean again, though Google hasn’t re-indexed things just yet so I’m still getting interesting search queries to say the least. (Sigh)

Those are two nights of my life I’m never getting back, thanks to leaving an old WP install laying around unused. Trust me, it’s not worth it.
