Always learning
This week’s learning: a hacked web site. There’s been a lot of that going around. Writing has taken a back seat to fixing the problem.
It took a while to grok how deeply StorageMojo had been hacked.
First I got a note from my hosting company – something about a daemon – and I told them to take it down. Which they did.
Thought I was done.
But I wasn’t
Then Gary at Nexsan noted that StorageMojo was alarming his browser. Went into the StorageMojo files on WordPress and discovered some iframes that I hadn’t put there.
Pulled them out. Upgraded to the latest version of WordPress.
Thought I was done.
Wrong again
Fired up the SFTP client and took a look at my web site files. Saw a bunch with names I didn’t recall, like Emma, Alexander and Jordan. Inside, links to hundreds of sites I’d never heard of either.
Got rid of them.
Checked a couple of other sites I host on the account. One had been completely cleaned out by the spamsters – the site was gone – replaced with more collections of links.
Edited the junk out of those sites. Hoped I was done, but decided to go through every single file and folder on all three sites.
Found the malicious code. Very professional. Replicated in several places. Language = ru, whatever that means.
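The sweep described above (hunting for iframes that the owner never added, for stray files with unfamiliar names, and for the same code replicated in several places) can be automated. The following is an added example, not the post's own code or a WordPress tool: it snapshots a web root into a SHA-256 manifest while the site is known-good, later diffs the live tree against that manifest to surface added, modified and missing files, and separately flags any `<iframe>` whose `src` points off-site. The site tree, the hostname `blog.example`, and the injected markup are all constructed here for demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# File types worth scanning for injected markup (constructed list, not exhaustive).
TEXT_SUFFIXES = {".php", ".html", ".htm", ".js", ".txt"}

# Matches <iframe ... src="..."> in any casing and quoting style.
IFRAME_SRC_RE = re.compile(
    r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large uploads stay out of memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root (the known-good baseline)."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare the live tree with the baseline: files added, changed, or removed."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(manifest)),
        "modified": sorted(p for p in current
                           if p in manifest and current[p] != manifest[p]),
        "missing": sorted(set(manifest) - set(current)),
    }


def find_external_iframes(root: Path, own_hosts: set) -> list:
    """(relative path, src) for every iframe whose src resolves to a foreign host.

    Relative and protocol-less srcs have no hostname and are treated as same-site;
    protocol-relative ones (//host/...) do resolve and are checked.
    """
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in TEXT_SUFFIXES:
            continue
        for src in IFRAME_SRC_RE.findall(p.read_text(errors="ignore")):
            host = urlparse(src).hostname
            if host and host not in own_hosts:
                hits.append((str(p.relative_to(root)), src))
    return hits


def audit(root: Path, manifest: dict, own_hosts: set) -> dict:
    """One report: integrity drift against the baseline plus off-site iframes."""
    report = diff_against_manifest(root, manifest)
    report["external_iframes"] = find_external_iframes(root, own_hosts)
    return report


def build_demo_site() -> tuple:
    """Create a throwaway site tree, snapshot it, then plant constructed tampering.

    Returns (root, baseline_manifest). Everything here is synthetic sample data.
    """
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    theme = root / "wp-content" / "themes" / "default"
    theme.mkdir(parents=True)
    (root / "index.php").write_text("<?php require 'wp-blog-header.php'; ?>\n")
    (theme / "footer.php").write_text(
        "<footer>Powered by WordPress</footer>\n</body></html>\n")
    (root / "robots.txt").write_text("User-agent: *\nDisallow: /wp-admin/\n")
    manifest = build_manifest(root)  # snapshot taken while the site is known-good

    # Constructed tampering mirroring the post: a hidden off-site iframe appended
    # to a theme file, plus a new link-farm page with a first-name filename.
    footer = theme / "footer.php"
    footer.write_text(footer.read_text() +
                      '<iframe src="http://malicious.invalid/in.php" width=0 height=0 '
                      'style="visibility:hidden"></iframe>\n')
    (root / "emma.html").write_text(
        "<html><body>" + "".join(
            f'<a href="http://spam{i}.invalid/">cheap pills</a>' for i in range(5))
        + "</body></html>\n")
    return root, manifest


if __name__ == "__main__":
    site, baseline = build_demo_site()
    for key, value in audit(site, baseline, {"blog.example"}).items():
        print(f"{key}: {value}")
```

In practice the manifest is generated right after a fresh install or upgrade and stored somewhere the web server's user cannot write to; a later `audit` run over SFTP-synced copy of the site then turns "go through every single file and folder" into a short list of files to inspect. The iframe check is deliberately narrow (only off-site `src` values), so a manifest diff remains the primary signal.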
Corrective action
New passwords, of course. Noticed that the Dreamhost web management system doesn’t make that easy to do – password management is spread across several different tools – which guarantees that people won’t change them very often.
Read up on security. A couple of good sites are Blog Security and Stop Badware. Google also has a helpful checklist.
Did some other housecleaning and site hardening.
The StorageMojo take
I now know I will never be done. The rest of you with blogs should learn by my misadventure.
The biggest surprise is that there are many things that can be done to make sites harder, but they are not the defaults. You have to do some research and sometimes some configuration.
That is wrong. Other than general exhortations to update software, the hosting companies do almost nothing to make it easy to manage security. Not many consumers are going to dig into log files every couple of days.
I’m more technical than the average blog writer and some of this stuff is a PITA. The Internet Operating System needs some security patches.
Comments welcome, of course. AFAIK nothing bad got sent to readers of StorageMojo.
“Language=ru” means Russian.
“Language = ru, whatever that means.”
As in RUssian.
IF this is dedicated hosting or something like a Xen VPS: I’d advise you to take it offline, power it off, do a clean operating system install on your host, restore from known-good backup, harden said known-good system and then take it online.
The reason is that if the hackers ended up injecting code into the kernel, your view of the system might well be governed by said code — their processes on the host may be hidden from view, providing a hidden, ready backdoor for them to come in again. In a nutshell, _you cannot trust the system_ unless you’ve rebuilt it with known-good components _from the bottom up_. And if you cannot trust what the system tells you, you cannot be certain that it’s clean or secure.
If it’s shared hosting, you generally don’t have control over the operating system — but shared hosts tend to harden their systems against this sort of thing anyway. The best you can do is to back up the _data_, remove everything, reinstall the CMS, vet the data and restore the databases and configuration for the CMS. That way you can be sure you haven’t missed anything.
There is a security test plugin for WordPress. A must have!
http://wordpress.org/extend/plugins/wp-security-scan/
Dreamhost has one redeeming feature: they let you split up your websites by users. Make sure you have a different user for each domain you host, and if one is hacked the others are secure. I’d be using Media Temple (they are much faster and more reliable) if they offered that.
Scary stuff! Bloggers have to be pretty vigilant these days. Thanks for the links.
~Margaret
Isn’t open source wonderful??
Sorry to hear you’ve been hacked… but hacking popular web sites, open source forums, and blog software is a hobby for too many. In part, that’s why I took my site down. I didn’t have the time to keep up with the spamming and hacking.
This is a good example of the problems with open source technology for business or professional purposes. “It’s free, isn’t it?” Well — no, what is your time worth… There are very few companies, at least under $300/mo, that will ensure your web/blog/forum site will mitigate or correct hacking.
good luck
x
————————————————
“Too much monkey business”
-Chuck Berry
Open source isn’t the issue, per se, as all the commercial website applications have had (and will have) their fair share of exploits, too.
Inexpensive hosting does require the extra effort of “going it alone.” But, this is more an issue with trying to be your own webmaster than with the choice of platform.
Robin, I’m willing to bet you’re not done. Chances are that whoever hacked you probably didn’t do it because of your passwords, but more likely through some other vulnerability. If they got full access to your webhost (i.e., root) I’d recommend a complete reinstall, followed by patching every known vulnerability and then a good round of server hardening. Yes, it’s a lot of work. Yes, it’s unfortunate that you need to know all this stuff to be a webmaster. But, this is the path you have chosen.