WordPress Blog hacked, All admin username changed to “CIHAN” and Emails deleted

I felt embarrassed when I found my WordPress blog was hacked. Here is what happened. It was on August 26th, 2012 at around 10 PM IST, I tried to login to my wordpress blog and found that my WordPress Admin account was unable to login. After some investigations i found that the usernames, email address of the WordPress administrator accounts have been changed.

Usually I have two users as Administrators. I tried with both, but failed to login. I ran through some basic steps/tests with the assumption that I would have lost the password, which I ended up as password lose was not the reason.

Sequence of the steps I followed:

1. First I tried to reset my password with my email id: result: WordPress gave a message that my Email id is not valid. And for other admin email I did not receive any password reset mail.
2. Since my email Id was stated as invalid. I suspected a Hack and logged into Hosting cPanel.
3. Opened phpMyAdmin and shocked to see that my username and email were changed. I found both the usernames were changed to “cihan”, the email address was deleted for one user. but the other email remained same.
4. I updated the DB and reset my password using WordPress. Still I am unable to receive mail to my Yahoo account because of some problem with my hosting account.

My Observations:
1. I have logged into my account and updated a comment on 8th August 2012 for the last time.
2. I have a plugin which send a email on every 404 error page to the Administrator email address (the email which was deleted in the Hack). The last email which was send to the Admin mail id is on 10th August 2012 – The day after 10th should be the ideal hack time.
3. WordPress does not allow any user to edit/delete username from its control panel, so this is either updated directly in the Database or it should be done through a Script from the web page – But I do not find any scripts or files updated in these days.
4. I changed my hosting accounts password and other details just few days back to the Hack suspect date. I updated the password from my laptop, which is very personal. There was no body using my Lap and my password is brand new which nobody could easily guess, I did not login in any other public machines. so I don’t think this to be hack based on Password Theft of cPanel.
5. I do not find any other changes in the settings or passwords or data loss in my website/Account/cPanel.
6. I do not find any moto of data stealing.

Atlast I backup all my data from the webserver to my local and put the site into maintenance, Sent a detailed mail to my service provider. Few days back I received a mail stating that they do not find anything suspicious in logs but they insisted to changed My custom wordpress Theme as they suspected it. Later i updated removed all my custome stuffs from the site and updated the site completely. I lost few contents from my site at the time of migration and I’m working on it get them all back.

If some one out there faced the same kind attacj on your WordPress site please contact me.