As many of you know, I’m normally a huge fan of using WordPress (in both the hosted and self-hosted formats), but tonight I’m not feeling so generous…
- WordPress blogs can be hacked! (If you came here yesterday, then you know what I mean!)
- It’s open-source with no one to call when your site goes down, especially not on a Sunday night of a three-day weekend.
- Even if you do find someone who could help, they will likely blame your problems on lax security (and they’re probably right).
- After hours of backing up, reinstalling, and general complaining, you may not know what security lapse you made (i.e. they could be back tomorrow!)
- Should your site ever get hacked, expect that it will occur while you’re on a two-day rafting trip on the beautiful Kern River!
- Moving photos and other files between servers and hard-drives (while trying to move fast and keep an organized filing structure) is a pain.
- Your site might turn out to spend a day displaying anti-Semitic remarks (OUCH!).
- Despite the “1-step” updates advertised by the WP crew, updating a WP blog is a pain and no fun, but obviously important, and will never be forgotten again!
- There are some groups you just don’t want to be associated with.
- BTW, if something looks fishy on the site, please let me know. I’ve deleted and reinstalled every file I could find and I’m sure I missed a few details! (The sidepanel on the wiki comes to mind, but I’ll have to wait until another day to fix that issue!)
Thanks to everyone who sent me a note alerting me to the hack! It’s awesome to find out just how many people are looking out for RCG!
I’ve upgraded. Thanks for the reminder!
You might consider Joomla, http://www.joomla.org/ I use it on most of my sites. It’s secure, open source, has a very active community behind it and hasn’t had any major hacks against it (that I can remember).
I’d be interested to hear, perhaps by email, what got hit and how. Glad you were able to recover, in any case.
Dustin,
Great recovery… That’ll teach you to go on vacation.
Keep up the good work!
I would recommend you read WordPress Security Tips and Pitfalls before you go on your next vacation.
Don’t feel too bad though, hacked servers happen to the best of us, and the only thing you can really do is learn how to prevent it in the future and how to quickly recover from them. Perhaps we, as RCG administrators and contributors, need to use stronger passwords for everything? I suspect that’s how the attacker got control of RCG: he exploited a weak password somewhere.
Although, this unfortunate episode reminded me I needed to add Michael Howard’s blog (Software Security Guy at Microsoft) to my RSS reader. I gotta stay current with what’s hip & happening with the BlackHat crowd.
Welcome back. Sorry that you had to deal with those hackers.
I’d also like to know exactly what happened, in an effort to protect myself and others. Please feel free to email me or post it here! Thanks.
All,
I’d love to tell you how they got in and exploited my site, but I simply don’t know. My guess is either
1) They found a weak password as Robbie suggests, or
2) I mis-configured the permissions on my server.
I suspect the second issue because a number of WP plugins require that the web admin set folder settings so that the plugin can “write” to the server. I’ve tried to be as conservative as possible when changing these settings because I’ve always thought that it was a bad practice for me to allow my server to write over files when I’m not sure what is “safe” and what is “dumb”. Anyway, at this point, I’ve changed all the permissions so that the server cannot write (overwrite!) files, but that means that I don’t have easy plugins for things like backing up the database and updating the .htaccess file. Such is life until I start feeling adventurous again.
From appearances (I didn’t test exhaustively), it seemed that everything at the root level for the domain had been erased and you (or they) had set the default 404 behavior to index.php. Is that correct?
No, I don’t think they erased anything… My first step was to over-write the index.php file, but that did nothing. They were clearly messing with something on a deeper level and my guess goes back to the .htaccess file, which I think (but I really don’t know) would cause the behavior you described. I’ve noticed that the .htaccess file has a ton of power. And seeing as how this file allows the server to write the “human readable URLs” on the fly, I’m pretty sure it could be configured to do the redirection that was going on. If anyone thinks I’m full of it and spreading bad information, please feel free to step in!
I changed my password, for what it’s worth. I suggest everyone do the same.
How are you doing “..require that the web admin set folder settings so that the plugin can “write
Patrick,
I forgot what I ended up with, but I definitely didn’t have any 777s. I remember going through a few iterations to find the minimum that I had to leave open for individual files and still have the plugins work, so I did set things up so that the server could write stuff. Hence, my guess that someone figured out a way to use one of the programs I had installed to trick the server into writing the junk.
Based on the fact that almost no files were added to or deleted from the server (that I can tell), it doesn’t look like the hacker got around to doing very much damage.
BTW, I tried looking through some access logs, but I didn’t find anything interesting there… (not that I know exactly what I should be looking for…)
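A way to check what Dustin describes here and in his earlier comment about plugins needing the server to “write” to folders, as an added example that is not part of this thread: the script lists every path under a WordPress tree that any user (the web server included) may modify, then resets the tree to the common 755/644 baseline. The WordPress tree it inspects is a constructed sample built in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: find paths under a WordPress tree that are
# world-writable (the "write to the server" setting plugins ask for), then reset
# the tree to the common baseline of 755 for directories and 644 for files.

# Print every world-writable file or directory under $1 (symlinks skipped).
list_world_writable() {
    find "$1" ! -type l -perm -002 | sort
}

# Print how many world-writable paths exist under $1.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Reset permissions: directories 755, files 644. The web server can still read
# everything; any directory it must write to (e.g. uploads) is then re-opened
# deliberately, one directory at a time, rather than left at 777.
harden_tree() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree: a plugin left a 777 directory and a 666 config file.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/plugins/sample"
    printf '<?php // constructed\n' > "$root/wp-config.php"
    printf '<?php // constructed\n' > "$root/wp-content/plugins/sample/plugin.php"
    chmod 755 "$root/wp-content" "$root/wp-content/plugins" "$root/wp-content/plugins/sample"
    chmod 644 "$root/wp-content/plugins/sample/plugin.php"
    chmod 777 "$root/wp-content/uploads"
    chmod 666 "$root/wp-config.php"
    echo "$root"
}

# Usage when run directly: audit, harden, audit again.
if [ "${1:-}" = "demo" ]; then
    tree=$(make_sample_tree)
    echo "before: $(count_world_writable "$tree") world-writable path(s)"
    list_world_writable "$tree"
    harden_tree "$tree"
    echo "after: $(count_world_writable "$tree") world-writable path(s)"
    rm -rf "$tree"
fi
```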
Wish I could be more helpful. On my planet, index.php is called default.aspx and .htaccess/chmod is replaced by cacls.exe and mad asp.net/ISAPI skills…
Dustin,
Check for wget in your logs, for starters. Or a lot of stuff that looks like %0A, etc. Also you might consider turning off allow_url_fopen in your php.ini (allowing a URL to be included/opened like a file).
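The checks Patrick suggests, as an added example that is not part of this thread: a shell pass that flags access-log lines containing wget or URL-encoded line breaks (%0A, and %0D as the matching carriage return) and reads the allow_url_fopen setting out of php.ini, skipping commented-out lines. The log lines and php.ini excerpt are constructed for the demo, using documentation IP addresses.

```shell
#!/bin/sh
# Added example, not from the thread: a defender's quick pass over an access log
# for the two indicators named above (wget, encoded newlines such as %0A), plus a
# check of whether php.ini still enables allow_url_fopen.

# Constructed sample log lines (Apache combined format); two of the three should match.
SAMPLE_LOG='203.0.113.5 - - [10/Sep/2006:02:11:09 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2006:02:11:40 -0700] "GET /wp-content/plugins/sample/view.php?f=a%0Ab HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2006:02:12:02 -0700] "GET /wp-content/uploads/ HTTP/1.1" 200 3100 "-" "Wget/1.10.2"'

# Constructed php.ini excerpt; a commented-out line must not count as the setting.
SAMPLE_INI='; constructed excerpt
;allow_url_fopen = Off
allow_url_fopen = On
display_errors = Off'

# Indicator regex: the wget tool name or user agent, and URL-encoded LF/CR (%0A, %0D).
INDICATORS='wget|%0[aAdD]'

# Print matching log lines from stdin, prefixed so they stand out in a report.
flag_suspicious() {
    grep -i -E "$INDICATORS" | sed 's/^/suspicious: /'
}

# Print the number of matching log lines from stdin (0 when nothing matches).
count_suspicious() {
    grep -i -c -E "$INDICATORS" || true
}

# Print the value of a php.ini directive read from stdin, ignoring ';' comments;
# the last uncommented assignment wins, which is how PHP resolves duplicates.
ini_value() {
    grep -v '^[[:space:]]*;' | grep -E "^[[:space:]]*$1[[:space:]]*=" \
        | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//' | tr -d '[:space:]'
}

# Usage when run directly.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | flag_suspicious
    echo "hits: $(printf '%s\n' "$SAMPLE_LOG" | count_suspicious)"
    echo "allow_url_fopen = $(printf '%s\n' "$SAMPLE_INI" | ini_value allow_url_fopen)"
fi
```

On a real server, feed the live log with `flag_suspicious < /path/to/access_log` and the real php.ini with `ini_value allow_url_fopen < php.ini`; a value of On is the setting Patrick recommends turning off.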
Glad to see you’re up and running again, guys.
This is a great lesson to anyone running WP – I’m going to have to go through all my permissions and double check them.
Hello Dustin
I’ve got to say that your list of 10 reasons is really off the mark big time, but it’s your take on things.
I am curious however what platform you recommend using as a CMS system if it’s not WordPress.
I look forward to your reply.
After briefly reading through the responses, has anyone given the TimThumb security hole any attention? The WordPress core is pretty secure; however, plugins and their respective developers are often the culprit.
If you had an outdated version of any TimThumb script used in any of your plugins (active or otherwise), they could have slingshot any file / code they wanted onto your server through the bug in the script (which has been updated now). The bug allowed for a string search to be fooled when verifying source security on the image URLs before cropping.
If you update your plugins consistently and only install them from trusted developers who wouldn’t leave something like that in a plugin, then you should be good to go.
– John
I think you are confusing open source and free software (community software). Open Source means only that the source code is open and you can look into it (and theoretically edit it). It says nothing about the support of the software.
There are plenty of examples of open source that is payware – ExpressionEngine as a CMS is powered by EllisLab and you can very well order support from them. Or even MongoDB is free, but from 10gen and you can still get expert support (if you pay for it).
Hi Sven: I don’t think I confused those two things at all, and I agree with you that the “source” says nothing about the “support” one will get for the software. Also, it’s worth noting that this post was written in 2006 and the support options from the WordPress community over the past 6 years have grown tremendously!