So, the Dakota Frost site got hacked. May still be hacked, for all I know, because I just found and eliminated only one error, and I still haven’t found out how they got in. Of course, I changed all my passwords everywhere else first before logging into the site, confirming no-one had hacked the user accounts, and then downloading all the code for some forensics.
But what was peculiar was that, even though I could clearly see evidence of hackery thanks to the very nice, publicly available Webmaster tools at the Google, I could not see any difference between the live site and my previous backup except for the addition of the Akismet spam filter, which I’m pretty sure I did myself.
Then I found it when I detected a strange file named kgcakmhg.php. Tracing it back, I found that someone had modified files in the root of the HTML directory back in February – first pointing the .htaccess to a strange file named baccus-contextually.php, which called the weirdly named file and also relied on changes to the style directory. No changes to the blog code were necessary – everything was being rewritten before it got there.
Removing those files? Easy. Site’s back to normal … I guess. Closing the open barn door? Uh … harder. Since I don’t know which door they came through.
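The check described above, as an added example that is not part of the original post or the site’s own code: a small Python script that indexes a live web root and a trusted backup (dotfiles such as .htaccess included, which is exactly what a casual file-by-file comparison tends to skip), reports added, removed and modified files, and then reads every .htaccess for RewriteRule and auto_prepend_file directives that hand requests to a PHP file the backup never contained. The two directory trees it builds are constructed sample data; the file names reuse the ones from the post only so that the output reads like the case above, and the RewriteBase handling is deliberately simplified.

```python
"""Diff a live web root against a trusted backup and flag the tampering pattern
described in the post: files added or changed (dotfiles included) and .htaccess
directives that route requests to PHP files the backup never had.

Added example, not the site's own code. The trees built by build_demo() are
constructed sample data, not a copy of the compromised site."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Directives that hand control to another file before the blog code ever runs.
REWRITE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
PREPEND_RE = re.compile(r"^\s*php_value\s+auto_(?:prepend|append)_file\s+(\S+)", re.I)


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root):
    """Map root-relative path -> sha256 for every regular file, dotfiles included."""
    root = Path(root)
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            out[p.relative_to(root).as_posix()] = sha256_file(p)
    return out


def diff_trees(live, backup):
    a, b = index_tree(live), index_tree(backup)
    return {
        "added": sorted(set(a) - set(b)),
        "removed": sorted(set(b) - set(a)),
        "modified": sorted(k for k in set(a) & set(b) if a[k] != b[k]),
    }


def htaccess_php_targets(text):
    """PHP targets named by RewriteRule / auto_prepend_file lines, query string
    stripped, as written (a leading '/' means document-root relative)."""
    targets = []
    for line in text.splitlines():
        m = REWRITE_RE.match(line) or PREPEND_RE.match(line)
        if m:
            target = m.group(1).split("?", 1)[0]
            if target.lower().endswith(".php"):
                targets.append(target)
    return targets


def audit(live, backup):
    """Tree diff plus every .htaccess handoff whose target is not in the backup."""
    live = Path(live)
    report = diff_trees(live, backup)
    known = set(index_tree(backup))
    handoffs = set()
    for dirpath, _dirs, files in os.walk(live):
        if ".htaccess" not in files:
            continue
        here = Path(dirpath).relative_to(live).as_posix()  # "." at the root
        text = (Path(dirpath) / ".htaccess").read_text(errors="replace")
        for t in htaccess_php_targets(text):
            # Simplification: absolute targets are taken as document-root
            # relative, others as relative to the .htaccess directory.
            rel = t.lstrip("/") if t.startswith("/") else (t if here == "." else f"{here}/{t}")
            if rel not in known:
                handoffs.add(rel)
    report["handoff_to_unknown_php"] = sorted(handoffs)
    report["new_php"] = [p for p in report["added"] if p.lower().endswith(".php")]
    return report


def build_demo(base):
    """Construct a clean backup and a tampered live copy (sample data only)."""
    backup, live = Path(base) / "backup", Path(base) / "live"
    for root in (backup, live):
        (root / "style").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'blog.php';\n")
        (root / "style" / "main.css").write_text("body{margin:0}\n")
    (backup / ".htaccess").write_text(
        "RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\nRewriteRule . /index.php [L]\n")
    # Tampered copy: every request is rewritten to an injected loader, which in
    # turn includes a randomly named file; the blog code itself is untouched.
    (live / ".htaccess").write_text(
        "RewriteEngine On\nRewriteRule ^(.*)$ /baccus-contextually.php [L]\n")
    (live / "baccus-contextually.php").write_text("<?php include 'kgcakmhg.php';\n")
    (live / "kgcakmhg.php").write_text("<?php /* payload elided in this sample */\n")
    (live / "style" / "main.css").write_text("body{margin:0}\n/* extra */\n")
    return live, backup


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = build_demo(tmp)
        return audit(live, backup)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Pointing audit() at a real document root and an untouched backup gives the three lists a forensic pass needs first: what appeared, what changed, and which of those files the server is actually being told to execute before the application sees the request.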
Off to do more debugging …
-the Centaur