
Thread: I've been hacked.

  1. #1
    Senior Member

    I've been hacked.

    Just playing around on my blog with polling, etc. only to find out someone hacked in on 3-10-2010. As far as I can tell, no real damage was done but someone set up an admin account and injected java code into most of my files.

    The bad news is, this blog is the latest edition of WordPress so the security hole must either be new or one I missed before. I'm not sure if this is one I "hardened" or not, but it will be soon!

    The good news is I had a backup copy stored on my computer so I should be able to get things back in short order. In case you are wondering how I can tell if the hacker's files are gone - I'll look for any files modified on the above date.

    I really do hate script kiddies. I'm thinking of furthering my education with a Security+ certification. The certs are a royal pain but I'm getting tired of patching holes. Any input on this?

    Andy

  2. #2
    Administrator
    Sorry to hear that Andy.

    The advantage of a popular CMS is that there are a lot of add-ons. But if you want security, like with Apple computers and the Opera browser, the less popular choices are the ones that are less targeted.

    Glad to know you've cleaned up ok. But do remember to change the passwords once you're done.

    <added> It may be worth downloading the whole "corrupted" copy of the site and doing a search for the script. It's not always only the open-to-public htm files that are affected.

  3. #3
    Senior Member
    Originally posted by Clinton:
    Sorry to hear that Andy.

    The advantage of a popular CMS is that there are a lot of add-ons. But if you want security, like with Apple computers and the Opera browser, the less popular choices are the ones that are less targeted.

    Glad to know you've cleaned up ok. But do remember to change the passwords once you're done.

    <added> It may be worth downloading the whole "corrupted" copy of the site and doing a search for the script. It's not always only the open-to-public htm files that are affected.
    Hi Clinton,

    Thanks for the input. Too late to analyze the blog - I've wiped it out already. You are so right about popular CMS scripts, but the fact is I've had stuff hacked that hardly anyone knew about. My favorite example is a business directory script. I think the programmer was Russian and very anal about security - so much so he ended up installing the script for me - something that rarely happens. And yet, despite all the security and obscurity, the site was hammered.

    From the looks of things, this script kiddie was hunting for php files because those were the only ones affected, even though I had quite a few folders "modified" - folders like image folders. I'm certain these weren't actually messed with so how the folder was modified, I don't know.

    All that said - WordPress is probably THE most targeted CMS due to its popularity and the open sourceness of the code.

    Oh well, got to mend some fences.

    Andy

  4. #4
    Senior Member

    Update

    Talked to security at the hosting company, whose first thought is someone got my password via a Trojan. While this is possible, it's not likely because this is the only account that was hit.

    I'll change my important passwords anyway just as a precaution. These should be changed from time to time anyway.

    Now about my blog - here are some other considerations:

    I overwrote MOST of the corrupted files simply by installing a clean copy of WP but this isn't the end of it. In the "downloads" folder there was a suspicious file. There may be more.

    Plus, I had to replace or delete all my plugins and themes. This is an area that can leave you wide open because a new install of WP does not overwrite things you added on.

    Thought you'd like to know.

    Andy

  5. #5
    Administrator
    Yeah, that's why I suggested downloading the whole folder and running a search for the script.

    Thanks for the update. It's a real nuisance having to start from scratch. I've got hundreds of WP blogs, I feel your pain!

  6. #6
    Senior Member
    It has now finally dawned on me that files added after an install are not overwritten. This can be good and bad of course. Since the bad ones have not been overwritten, I can still do what you suggested and I likely will.

    I'd hate to think of checking hundreds of WP blogs but I'm willing to wager that unless you're VERY security conscious, you've got some hacked blogs.

    At this point I'm almost ready to learn how the script kiddies do it so I can reverse engineer their methods. I'm sure they don't spend hours injecting their garbage into each blog so there must be a way to turn their tools against them.

    Andy
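
The checks discussed in this thread (files modified on the incident date, a search of the whole downloaded copy for the injected script, and add-on files that a fresh WordPress install never overwrites), combined in one pass as an added example that is not code from any poster. The directory names, marker string and date are constructed sample values; a real run would point `triage` at the downloaded site copy and an unpacked clean release of the same version.

```python
import os
import tempfile
from datetime import date, datetime
from pathlib import Path

def triage(site, clean, incident_day, marker):
    """Classify every file in a downloaded site copy against a clean install."""
    out = {"mtime_on_day": [], "has_marker": [], "differs": [], "not_in_clean": []}
    for path in sorted(Path(site).rglob("*")):
        if not path.is_file():
            continue  # a directory's mtime changes whenever an entry is added or removed
        rel = path.relative_to(site).as_posix()
        data = path.read_bytes()
        # mtime is only a hint: it can be reset, so it is never the sole test.
        if datetime.fromtimestamp(path.stat().st_mtime).date() == incident_day:
            out["mtime_on_day"].append(rel)
        if marker in data:
            out["has_marker"].append(rel)
        ref = Path(clean) / rel
        if not ref.is_file():
            out["not_in_clean"].append(rel)  # plugins, themes, uploads, leftovers
        elif ref.read_bytes() != data:
            out["differs"].append(rel)       # core file changed since release
    return out

def build_demo(root, incident_day):
    """Constructed sample: a clean tree and a tampered copy (not real WordPress files)."""
    marker = b"/*constructed-injected-marker*/"
    files = {
        "clean/index.php": b"<?php echo 'home';",
        "clean/wp-includes/version.php": b"<?php $v = 'x';",
        "site/index.php": b"<?php echo 'home';" + marker,
        "site/wp-includes/version.php": b"<?php $v = 'x';",
        "site/downloads/old.php": b"<?php " + marker,  # survives a reinstall
        "site/wp-content/plugins/poll/poll.php": b"<?php // poll plugin",
    }
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    ts = datetime.combine(incident_day, datetime.min.time()).timestamp() + 3600
    os.utime(Path(root) / "site/index.php", (ts, ts))  # only this file is dated to the incident
    return Path(root) / "site", Path(root) / "clean", marker

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site, clean, marker = build_demo(tmp, date(2020, 1, 15))
        print(triage(site, clean, date(2020, 1, 15), marker))
```

In the sample, `downloads/old.php` carries the marker but has a different modification date, so the date check alone misses it while the content search and the clean-tree comparison both flag it.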

  7. #7
    Junior Member
    Andy and others, this may prove an interesting read. http://owasptop10.googlecode.com/fil...20-%202010.pdf

  8. #8
    Administrator
    Thanks, Alastair. Interesting stuff, though a bit heavy reading; I just skimmed through it, but it's scary. They've listed just the top 10 vulnerabilities in this PDF but there are lots more. #1 and #2 are injection and cross-site scripting, which both seem to have held their rank for the last several years.

    What's even more scary is a new phishing scam I read about today. I'm always wary of potential phishing, but I could see even myself falling for this one (and may have already been a victim). It works like this. You visit a site and keep the tab open. Then you move to another tab. The site in the first tab notices that it isn't active any more and changes the content of the page. It could change the page to mimic PayPal and even change the favicon in the address bar! You return to the page and log in thinking you were the one who opened that PayPal or Gmail or Hotmail tab. The site captures your login details and passes you to PayPal/Gmail or wherever. You don't even realise you've just given someone your login details.

    See how it works here (safe link).
