Thread:Project:Support desk/Admin user is hijacked, what to do?/reply (4)

Hi Kyle!

Reverting to a backup really is the recommended procedure in this case.

If you really want to clean the wiki up, you can do the following: Use the maintenance script createAndPromote.php from the shell to create yourself a new admin user. With this user, block the hijacked account and take his rights away. Then revert all the spam inside the wiki; this might be a huge task depending on "how hacked" your wiki is. Remove all files which might have been uploaded, and check the MediaWiki source code on your server; these files may have been manipulated as well. And do not forget to check extensions; they might also be affected.

Check the server logs to see which URLs have been accessed during the hack. Information from mod_security (if active) might help as well.

Finally, you have to close the hole through which the attacker came in. This can basically be anything: an insecure web application (maybe not even MediaWiki, but possibly something completely different), maybe an outdated extension, maybe a vulnerability in MediaWiki or in PHP or in MySQL or in the operating system... Anyway: The hole must be fixed; otherwise you will soon be hacked again.
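One way to do the log check described in the reply above, as an added example that is not part of the original post: it groups flagged requests inside an incident window by client address. The Apache "combined" log format, the default `images/` upload directory, the flag patterns and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Apache "combined" log format is assumed; adjust the regex if your LogFormat differs.
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')

# Request patterns worth a closer look on a MediaWiki host (illustrative, not exhaustive).
FLAGS = [
    ("script-in-upload-dir", re.compile(r"/images/.*\.(php\d?|phtml|phar)(\?|$)", re.I)),
    ("upload", re.compile(r"Special:Upload", re.I)),
    ("login", re.compile(r"Special:UserLogin", re.I)),
    ("edit-submit", re.compile(r"[?&]action=submit")),
]

def triage(lines, start, end):
    """Return {ip: [(timestamp, method, url, status, flags)]} for flagged requests in the window."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not (start <= ts <= end):
            continue
        flags = [name for name, rx in FLAGS if rx.search(m["url"])]
        # Login, upload and edit only change state via POST; a script under the
        # upload directory is suspicious with any method.
        if m["method"] != "POST":
            flags = [f for f in flags if f == "script-in-upload-dir"]
        if flags:
            by_ip[m["ip"]].append((ts, m["method"], m["url"], m["status"], flags))
    return dict(by_ip)

# Constructed sample lines (documentation IP ranges), not taken from a real incident.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2024:02:14:05 +0000] "POST /index.php?title=Special:UserLogin HTTP/1.1" 302 512 "-" "-"',
    '203.0.113.7 - - [12/Mar/2024:02:15:40 +0000] "POST /index.php?title=Special:Upload HTTP/1.1" 200 9001 "-" "-"',
    '203.0.113.7 - - [12/Mar/2024:02:16:02 +0000] "GET /images/a/ab/x.php HTTP/1.1" 200 17 "-" "-"',
    '198.51.100.23 - - [12/Mar/2024:02:20:11 +0000] "GET /index.php?title=Main_Page HTTP/1.1" 200 20480 "-" "-"',
    '198.51.100.23 - - [13/Mar/2024:09:00:00 +0000] "POST /index.php?title=Sandbox&action=submit HTTP/1.1" 302 0 "-" "-"',
]

if __name__ == "__main__":
    window = (datetime(2024, 3, 12, tzinfo=timezone.utc), datetime(2024, 3, 13, tzinfo=timezone.utc))
    for ip, hits in triage(SAMPLE, *window).items():
        for ts, method, url, status, flags in hits:
            print(ip, ts.isoformat(), method, url, status, ",".join(flags))
```

Set the window from the timestamps of the first unwanted edits or uploads; a client that appears in the output is a starting point for reading its full request history, not proof of compromise.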