Exploit: “Hacked By Badi” – Explanation and Steps to Remove

After getting reports today about WordPress installs getting hacked on the server, I did some investigating and found that this may be a server-wide hack, meaning potentially all WordPress installs on the server may have been defaced.

The exploit was most likely caused by a vulnerability in Apache having to do with symlinks.

If you were affected by this, I have written the following article to help you: http://vlexofree.com/wiki/Exploit:_Hacked_by_badi

I have also recompiled Apache/PHP with a patch to prevent the exploit (although the patch may cause issues of its own) and globally changed everyone’s “wp-conf.php” to “600” permissions.

The exploit did not compromise your overall WordPress install or your passwords. The only changes made by the exploit are to the WordPress database in the following locations: the WordPress title, charset, and widgets. It only takes a few steps to fix, but it is a bit annoying to have to do it.
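
The following audit helpers are an added example, not part of the original post or the host's own tooling. They check the two things mentioned above on a shared server: config files that are not mode 600, and symlinks inside an account that resolve outside it. The function names and the per-account directory layout are assumptions; the config file name is an argument (default `wp-config.php`, the name WordPress ships).

```shell
#!/bin/sh
# Added example: audit helpers for a shared WordPress host.
# Function names and directory layout are hypothetical, not from the post.

# Print config files under ROOT whose mode is not exactly 600.
# Usage: loose_configs ROOT [NAME]
loose_configs() {
    root=$1
    name=${2:-wp-config.php}
    find "$root" -type f -name "$name" ! -perm 600 -print
}

# Print symlinks under BASE (one account's directory) whose resolved
# target lies outside BASE, as "link -> target".
# Assumes paths without embedded newlines.
# Usage: outside_symlinks BASE
outside_symlinks() {
    # Resolve BASE itself so the prefix comparison is on real paths.
    base=$(cd "$1" && pwd -P) || return 1
    find "$base" -type l -print | while IFS= read -r link; do
        target=$(readlink -f "$link") || continue
        case $target in
            "$base"/*) ;;    # stays inside the account: not reported
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Typical use, assuming accounts live under /home (an assumption):
#   loose_configs /home
#   for d in /home/*/; do outside_symlinks "$d"; done
```

Anything `loose_configs` prints can be corrected with `chmod 600`; anything `outside_symlinks` prints deserves a manual look before removal, since some links are legitimate.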