Under attack

Posted by Pierre Igot in: Blogging
November 6th, 2008 • 8:07 pm

If you visited this site on the web in the past week or so, you will have noticed that things have not been quite right at Betalogue lately.

While the rest of the world was busy celebrating Barack Obama’s classy victory in the U.S. elections, I have actually been busy fighting repeated attacks from very persistent hackers.

This is not the first time that it has happened. You might remember that I was already hacked once back in May 2008, and then again in late September, which prompted me to turn off open user registration altogether.

I thought the open user registration feature was the most vulnerable aspect of my installation of WordPress, and it probably was and still is. But unfortunately it was not the only one, and the events of the past few days have forced me to do a lot more work on the web security side of things.

It really is not something that I enjoy, but it definitely looks like any site using a content management system (CMS) that has a certain level of exposure—my site is indexed daily by Google and receives lots of visits from people through Google search results—is a prime target for hackers.

I won’t go into all the details of what happened. It would simply take too much time. Suffice it to say that things got so bad that I had no choice but to delete everything and rebuild things very carefully, bit by bit, with several new safety precautions that are beyond what a regular WordPress installation normally involves.

While this was happening, I also posted a note on this site asking for help, and received a number of generous responses from people from Sweden to California, for which I am very grateful.

In the end, however, I ended up having to do most of the learning by myself and having to figure out myself what was going on and how the hackers were able to continue to breach my site’s security even when most of it was not supposed to be accessible to anyone.

At some point, I had an automatic redirection (via .htaccess) that rerouted all web page requests to the index.html page. I continued working behind the scenes without anyone else having access to anything in my web directory other than the index page. I changed all my passwords. I rebuilt the MySQL database used by WordPress from a backup and restored the required WordPress files from a plain vanilla installation of the latest version (2.6.3), still without anyone having any access to the files via the web.

And yet even then the hackers were able to continue to make their signature move, which was to keep changing the e-mail address of my WordPress admin user to their own e-mail address. (They used two different e-mail addresses, one from France and one from Italy, always the same ones.) They were not doing anything else to my files or data.

I suppose their idea was to somehow force me to contact them at this address that they were using, so that they would then attempt to blackmail me. I didn’t bite. I was determined to try and figure things out by myself or with the help of benevolent Betalogue readers—although at the same time I am currently in a very busy period with tons of work and very little time for such unplanned activities.

The fundamental problem was: How were they able to do this? How were they able to hack into my WordPress admin profile even though no files were accessible via the web, and even after I had changed all my passwords?

The fact that they were able to do this led me to think that, while the initial breach might have been caused by a vulnerability in WordPress, they now had means to hack into my stuff without relying on WordPress at all anymore. So I had to question all aspects of my installation and not just the WordPress stuff.

And so I proceeded to start again from scratch and eliminate even the last couple of things that I previously thought were safe and now started suspecting of not being as safe as was necessary to guard me against these very persistent hackers.

I started by switching my admin e-mail account for Betalogue in Mail from a plain vanilla POP account to a POP account only accessed with SSL protection. I know that regular e-mail transactions are somewhat unsafe, and since my web host does send some vital information (including passwords) by e-mail only, I had to make sure that no one could read the e-mails to that account while in transit.

For uploading files to my web directory, I have always used SFTP (i.e. FTP via SSH) in Interarchy, which presumably is safe and secure.

Then I proceeded to eliminate the other two things that I relied on to interact with my host’s servers and that I now suspected might be vulnerable.

The first one was the use of phpMyAdmin to access my MySQL database. I vaguely remembered reading a while ago that phpMyAdmin was not the most secure thing in the world, and I couldn’t help but notice that, while all the interactions with my web host’s control panel web pages were conducted securely with https addresses, the phpMyAdmin tool provided by my web host actually opened in a separate window with an URL without the security.

I don’t know what hackers are able to do while you interact with your web host’s SQL server on the web with phpMyAdmin without a secure connection, but I decided I could not take the chance. So I stopped using phpMyAdmin altogether and switched to using the command-line interface in Terminal via SSH. That forced me to learn more about the MySQL-related CLI commands, which are obviously not a very user-friendly bunch. But I basically learned what I needed to learn and was now able to do everything that I normally did with phpMyAdmin locally on my hard drive with a text editor (thank God for BBEdit!) and then with SSH and SFTP exclusively.

The other thing was that I was still using a few things in a password-protected folder inside my web directory (protected using .htaccess). After the attacks started, I started paying more attention to everything, for obvious reasons, and I soon noticed (when I changed the password) that Safari was warning me that the user name and password used to access the password-protected folder via the web would be sent “in the clear.”

Again, I don’t really know what is involved for a hacker in trying to capture these things that are sent “in the clear” while in transit, but obviously this particular hacker was very persistent and I could make no assumptions about what monitoring tools he was using to continue to be able to bypass my security features.

So I stopped using that password-protected folder altogether. The only reason that I was using it was that, several years ago, when I first switched to the provider that I am with now, they didn’t yet provide shell access via SSH for the particular plan that I had purchased. So I had a number of shell commands inside PHP files stored inside that password-protected folder, which I could then execute via the web.

But now I had shell access via SSH so I no longer needed this password-protected directory, even though using bookmarks to PHP files was obviously more convenient than having to type the commands manually in the shell. But again, I could not take any chances.

I also added a number of security measures involving WordPress and MySQL that are recommended on various web sites.

I rebuilt things piece by piece, each time waiting for a bit to see if the hacker would manage to breach things again. (At some point earlier this week, it only took them a few hours to crack the security measures that I was taking.)

The site is live again as of this morning. So far I don’t see any sign that they have been able to crack my site again. My WordPress admin user profile is intact, and the rest of the site appears to be working fine.

Am I 100% sure that I have succeeded in protecting my site against this particular hacker? Of course not. But if they crack it again, then I will really not know what else to do. I will also have to seriously consider giving up on it altogether, because I simply do not have that much time to devote to what is essentially a labour of love. (Betalogue obviously does not generate any income for me.)

I guess we will see.

If you are a registered Betalogue user and are concerned about what might happen to your user profile on Betalogue, I cannot be 100% sure that the hacker did not also access other user profiles. Since your profile includes your e-mail address, this is obviously a concern to me, because it means that the hacker might be able to use your e-mail address for spamming. I really do apologize for any inconvenience this may cause you.

I don’t think I have been careless with my Betalogue data. I never use easy-to-guess passwords for anything in my life. All my passwords are pretty much impossible to guess and are all stored in an encrypted database on my hard drive with a master password that absolutely no one else knows. This encrypted database is not available anywhere else and no one has access to it but me. If the hacker has been able to obtain any of my passwords—and at this point I am still not sure that he has—I can only guess that it was because he was very persistent and was able to monitor traffic on a systematic basis to try and take advantage of those potential vulnerabilities that I have described above.

I don’t know if that’s what he did or if it is even possible. But obviously he did find a way to breach my protections. Was he also able to see my users’ passwords in the database? They are “hashed” using something called MD-5. I don’t know if this is something reversible. I suppose nothing is impossible. So I would say that if the password you used for your user registration with Betalogue is the same as a password you use for something else that is important, you should probably change your password for that something else, just to be safe. And while you are at it, you might as well also change your password on Betalogue, although the only thing that a hacker can do with your Betalogue password is pretend that he is you and post comments in your name on the site—which, I stress, has yet to happen for anyone involved.

I am also not 100% sure that the new features I have added to my WordPress installation won’t make things a bit less intuitive for legitimate Betalogue users. I know of one thing that has changed, which is that if you use the “Login” link at the bottom of the side bar to log in, WordPress logs you in but takes you to a page that you are not allowed to access.

This is because WordPress has this stupid feature where using the login link takes you to the admin page, even if you are not an admin. Of course, you cannot do anything with that admin page, because you are not allowed, but it still is a stupid behaviour. Now, it just takes you to an error page. But the login does succeed and you are able to post comments after that, simply by returning to the original page. Presumably if you login while in the process of trying to write a comment, WordPress automatically redirects you to the post’s page with the comment form without going through this useless admin page.

Again, I do sincerely apologize for all this, and I want to sincerely thank all those who have communicated with me by e-mail to express their support or provide help and advice. I sincerely hope that this is the end of this particular episode, although I won’t be sure until several days or even weeks have passed without a recurrence of the hacker’s attacks.


Comments are closed.