Posted on

What I Did After My Blog Got Hacked

the hacker
Back in January 2010, my blog got hacked. You can read about it in a post called h-a-ck-e-d and hacking begginers. Had that hacking experience not happened, I would still be evading or postponing much needed anti-hacking security measures, the way I evaded anything that, though important, entails a lot of work. Hmmm, this reminds me of some other matters that I have put off for a long time, like CPA, listbuilding, and other undertakings which may prove to be profittable. This post itself is long overdue, as some blogger friends had long invited me to guest blog about my hacking experience and what I did about it. Procrastination. Yeah, i even procrastinated about the need to overcome my procrastination.

Post Hacking Damage Control

First off, “I told you so”. I had browsed through a lot of blog security articles before but never really took them seriously. I thought I was an exception to the rule and my blog wouldn’t be hacked. After all, who would be interested to hack a blog that doesn’t have that much following? So, after finding out about the hacking, I had to wallow in the proverbial “I should have…” moment.

After a speechless minute, I proceeded to contact my webhost. Following protocol, they have suspended access to the login page to prevent further damage. I contacted my host and I was given back access to my site.

The first thing I did was to search for that hideous page that replaced my original main page. It was an index.html file that usurped my index.php page. On refreshing, the original main page flashed back to life and I realized how beautiful it was. Then, I had to browse through each file and folder in my account to restore proper permissions. Following the rule of 755 for folders and 644 for files, this exercise took me a painful couple of days to restore just the file/folder permissions structure of the main domain site. I have yet to check the files and folders of the subdomains and add-on domains under it.

I thought that was it. For a few days, the blog continued on its merry way, only to be totally suspended again after the webhost received feedback that my blog has been tagged as a phising site. This time, the blog and all my other add-on sites, both earning and non-earning, took unwanted vacations for a little over a week. My webhost did their own scans and found a script which had been planted in an interior folder (in the default theme folder! How clever!). The script was the culprit for the phising activites. It has something to do with trying to fool email recipients into revealing their paypal data, using my domain as the source of the scamming stupidities. The webhost renamed the file to stop it from executing itself but left it up to me to delete it. Thus, I promptly deleted it and its zipped version. Imagine someone using a sledgehammer to smash a trapped mosquito. That’s how I felt back then.

Whew! Finally it’s over! In its 8 days of non-operation, I only lost the opportunity to earn a little less than a thousand dollars, ok, kidding, actually just a few measly dollars (as my websites are relatively new and not earning much yet). I can only imagine how much the more established webmasters would have lost in the same period.

Wait! A week later, I received an email from my host that I have exceeded the email sending limit. What? At first, I thought it was my test self-hosted autoresponder that’s probably gone bonkers, but after deactivating it, the sending limit warnings kept on coming. After another combing through, Lunarpages pointed out an experimental email sender file I had installed a long time ago. The hacker, it turns out, had exploited and continued using it to send emails pretending to be sent from a Canadian bank. So, without hesitation, to the trash bin it went.

Defense Installations

My primary suspect that breached my security was a keylogger that got through due to my earlier hacker-friendly online lifestyle. Thus, I made sure this time that my internet security application imposed stricter measures against probable illegal incursions. In fact, I have really become paranoid enough to the extent of always having my task manager in view so that I could monitor every cpu usage spike and see who’s causing it. I also intended to buy a full version of BitDefendfer Internet Security but put it on hold again after finding out that the bug that caused some firefox plugins to not work has still not been resolved by Bitdefender.

I also installed the free version of Zone Alarm. It does get to be annoying sometimes with its popups but it makes you feel secure and protected at the same time.

I was advised about using Login Lockup to protect my login page. As with all plugins, I tested it first on a localhost server test site. It didn’t work as expected, and instead messed up my test site making it inaccessible anymore. Needless to say, I did not proceed with the Login Lockup plugin installation on my blog. Too bad, it would have been one good ‘first line of defense’ for my blog.

While in the past, I used to wait for months before I update wordpress to its newest version I now procrastinate only for a week or two (because I research first for reports about the new version’s bugs and discrepancies) before updating.

Whereas I used to be click-happy when it comes to links in my emails, I am more cautious this time. I have stopped my practice of satisfying my curiousity for each email that comes my way (even from the spam folder). Instead I hit the delete button more often now.

Additional Defense

Just recently, upon the ‘heads up’ of Sire of wassupblog I found a working alternative to Login Lockup. The ‘Limit Login Attempts’ plugin worked when I tested it. Another plugin passed my testing too – the ‘WordPress Firewall’ plugin. Proof that both plugins are working are the multiple emails I receive everyday about attack attempts being made on my blog e.g. ‘directory traversal attacks’*, etc. Now, I shiver at the thought of all the still unprotected wordpress blogs out there without these 2 plugins.

how to fend off hacking attacks

Summary

To sum it up, I believe the following are the basic things one should do in the event of a hacking situation.

1 – Contact your webhost immediately and pray that they are as helpful as Lunarpages, or better.
2 – Ask your webhost for help in scanning your whole website to locate malicious scripts hidden within your directories.
3 – Once you regain access to your site, change passwords. Use stronger passwords this time.
4 – Check the dashboard and make sure that the (User) owner’s email is still your email address reflected in there.
5 – If you are still using ‘admin’ as your username in wordpress, change it to something else.
6 – Check your directory structure. Follow the permissions rule about folders and files.
7 – Check your domain’s email account (the one you configured to be your email; e.g. james@watchamacallitx.com). If it has lots of bounced emails, or sent emails that you didn’t send yourself, proceed to change your email password or completely delete that particular account and create a new one. Then check your directories for some possible mail sending script.
8 – Update your wordress version.
9 – Install ‘Limit Login Attempts‘ plugin.
10 – Install ‘WordPress Firewall‘ plugin.

I’m sure there must be some other things I should do to make my sites more hack-proof. So far, these are the things I’ve done. How about you? What measures have you taken to protect your sites? Or, are you going to wait, like me, until it happens to you? Remember, the attacks are not necessarily made by humans. Most are robot apps that were programmed to find and exploit weak points and doorways in anyone’s sites. Thus, it doesn’t choose; it just razes through all sites that are on its path.

*Directory Traversal: is exploiting weak or insufficient security validation or sanitization of user-supplied input file names, so that characters representing “traverse to parent directory” are passed through to the file APIs. (source: wiki)
UPDATE:

Latest WordPress Security Measures

Here’s a video I found just recently which prodded me to insert this update to this post.

IMPORTANT!

Watch the above video to know the importance of creating appropriate user accounts for your wordpress site. Using your admin account for every activity you do in the dashboard is risky.

The expert speaker, Dre, will tell you what to do on your server side and on your wordpress admin side to secure your site even more, and a lot more strongly suggested things you can do e.g. using stronger passwords and utilization of password managers, disabling some features in your wordpress dashboard, really important security plugins you must have in your arsenal, etc.

Post-hacking Fun Un-related Video

Posted on

Hacking Beginners



Hacking beginners are called the same way beginner programmers are called. Lamers. The hacker who messed up my site is, I believe, a member of this group. I can’t exactly tell why I dumped him in that poor level. Maybe I’m just pissed off or maybe I first sensed something so amateur about his clamor for attention.

Guys, I may not make sense at all in this post, but just let me be (and note that this is not a ‘hacking for beginners’ post). Give the poor chap who just got hacked some space and allow him to let out his anguish even just this one time. Like I’ve said in a previous post, I am entirely to blame for my website’s mishap at the hands of this online sissies. I’ve been a little too liberal on my surfing habits and have loosened my guard and thus have allowed some trojans or whatever hacking tool these thugs used to get my website data. The way I surf did not pose too much risks in the past because I have nothing to protect then except my email addresses and some forum accounts. When I acquired online real estate and other pertinent accounts, I should have changed accordingly and learned defensive surfing instead of going ahead with my careless maneouvers online.

After rectifying the initial hacking symptom, the main page, my other mistake was thinking that that was it. Turns out these hacking beginners are not that ‘beginner’ at all. They have somehow been able to inject some script file in my directory. And you know where they hid it? In an inner folder in the ‘classic’ theme folder. Clever, eh? Who would ever care to check there? (Obviously only those careful, non-stupid webmasters 😉 ). And so, when it was left there to breed, it produced another file that now probably sends emails to their list telling them about their paypal accounts needing some re-confirmation or something to that effect, with the intention of catching the data of the poor souls who are not clever enough to know the difference between a legit paypal site and the stinking hacker’s paypal site. This is just conjecture on my part as I have no evidence that the script is actually doing this, though that was what the folks at lunarpages are implying. The script could have either served as their backdoor entry point, or had been left there to run on automation (maybe creating new files) because even after I changed all passwords and usernames, the symptoms did not stop. Another point that tells me these are not hacking beginners is their intent to steal paypal information from unsuspecting people. Whether in the real world or in the world of ones and zeros, these are plain thieves.

I would like to rant on about my hatred for this low-lifes and waste more of your time but no amount of ranting can stop them I suppose. I believe in karma and I’m sure these thugs are going to get their due some time. Ugh, in a past life, I might have been a hacker and now am getting my just recompense for the inconveniences I have incurred on hapless folks. Wait, in a past life? Oh well, I’ve probably hacked into the ENIAC and caused mathematicians some confusion by returning wrong square roots. But that was ‘ethical hacking’. They were using the ENIAC to automate the firing of ballistic missiles.

Once I got back access to my cpanel (courtesy of the support guys at lunarpages, who took my site offline before it could do more damage), I immediately looked into the dirty files and deleted them. I also scanned through each file in all folders in the whole directory checking out modified dates that looked odd and promptly checking them out and deleting them when found to be indeed odd. These look easy on print, but I tell you, it took a lot of patience and googling and evaluating and sleeplessness to work it out. I tell you guys, ‘an ounce of prevention is worth more than a pound of cure’ took on 3D life before me. And I don’t need lasik for hindsight because I now know I got 20/20. Being hacked makes you learn a lot of things really quickly. I learned about permissions: what 0755, 0777, and 0600 means, and the usual rule of thumb among developers to go 755/644 on folders/files structures. I also learned to contain my anger a little bit.

So, why do I call them ‘hacking beginners’? Oh, again, let me be. They’re amazingly good at their chosen paths. But, just let me call them whatever I like. I’m the victim here, remember? Hacking beginners, you! Lamers.