Site hacked

Posted by Pierre Igot in: Blogging
May 12th, 2008 • 8:39 pm

I am afraid it looks like there have been repeated attempts to hack Betalogue in recent weeks. I actually now believe that the weird admin user reset problem I described a couple of months ago was the first manifestation of the hacking attempts.

Since then, in addition to repeat occurrences of the admin user reset, I have experienced a range of other issues with my web site, all of which have been invisible to Betalogue readers as far as I can tell. I won’t describe them in full detail here. I am sure that the issues are due to hackers, however, because of the appearance of files in my WordPress directory that I never installed there myself, which clearly bear the mark of either human or automatic hacking. (The Russian credits leave little to the imagination.)

I don’t quite know how “they” were able to go as far as to modify files and add new files, and why they didn’t use this ability to inflict greater and more visible damage. Apparently, based on my research, the problem had to do with something called “SQL injection”—although I have yet to find a page that clearly describes this as a known vulnerability in my version of WordPress, with exploits causing the symptoms that I have been experiencing, and with a clear requirement to upgrade to a newer version. (These search results certainly seem to indicate that it is a recurrent problem with WordPress.)

Still, I have taken a range of measures which I hope will eliminate the problem.

I have changed all the passwords involved (FTP/SSH password, WordPress password, MySQL password). I have removed the files that did not belong and replaced existing files that appeared to have been edited with the original local copies. And most important, I have upgraded to the latest version of WordPress.
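The manual clean-up described above (remove files that do not belong, restore edited files from a known-good local copy) is exactly what a tree comparison automates. The following is an added example, not code from the original post or from WordPress: it hashes every file in a pristine reference copy and in a copy pulled down from the server, then reports what was added, modified or removed. The directory layout, file names and file contents used by `build_demo()` are constructed for illustration and are not real WordPress source.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Added example (not from the original post). Compares a clean local copy of a
# site tree against the copy retrieved from the server. Everything created in
# build_demo() is a constructed placeholder, not real WordPress files.


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_trees(clean_root: Path, live_root: Path) -> dict[str, list[str]]:
    """Classify files in the live tree relative to the clean reference copy.

    'added'    : on the server but not in the clean copy (dropped-in scripts)
    'modified' : same path, different content (tampered core or theme files)
    'missing'  : in the clean copy but gone from the server
    """
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    both = set(clean) & set(live)
    return {
        "added": sorted(set(live) - set(clean)),
        "modified": sorted(p for p in both if live[p] != clean[p]),
        "missing": sorted(set(clean) - set(live)),
    }


def build_demo() -> dict[str, list[str]]:
    """Construct a clean copy and a tampered live copy in a temp dir and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        live = Path(tmp) / "live"
        for root in (clean, live):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-content" / "themes").mkdir(parents=True)
            (root / "index.php").write_text("<?php /* placeholder front controller */ ?>")
            (root / "wp-includes" / "functions.php").write_text("<?php /* clean core file */ ?>")
        # Simulated tampering, present in the live copy only (constructed):
        (live / "wp-includes" / "functions.php").write_text("<?php /* clean core file */ /* appended */ ?>")
        (live / "wp-content" / "themes" / "x.php").write_text("<?php /* file the owner never installed */ ?>")
        return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, paths in build_demo().items():
        print(f"{kind}: {paths}")
```

To use it on a real site, copy the server's document root to a local directory (for example with rsync or scp) and pass it as `live_root`; the reference copy should be a fresh download of the exact same WordPress release plus your own theme and plugin files taken from backups made before the incident, because a local copy that was ever synced back from the server after the compromise would simply reproduce the attacker's changes. A clean file comparison says nothing about the database: the admin-user reset described above lives in the user and options tables, which need their own review.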

I somewhat naively assumed that I was using a “stable” version of WordPress (1.5.1.3, I think) and did not feel the urgent need to keep up-to-date with the latest versions of the blogging software. But I now realize more clearly that server-based software follows rules that are quite different from desktop software, in that security issues are much more crucial and you cannot count on older versions of the software staying immune forever, quite the contrary.

As with other types of software, new versions come with new features, but also with bug fixes and security fixes that are not necessarily implemented in older versions. Since server-based software is permanently “exposed,” however, this means that existing vulnerabilities in older versions will be exploited sooner or later, and so, if you want to remain up-to-date in terms of security, you simply have to upgrade the software.

Fortunately, upgrading WordPress from 1.5.x to the latest version was quite painless. I have probably lost a few minor customizations along the way, but nothing vital, and I will work to restore those, if necessary or desirable, over the coming weeks.

My priority right now, however, is to determine whether the upgrade does eliminate the vulnerability. I won’t know for sure right away, because the hacking attempts, as far as I can tell, have been episodic, with weeks passing without incident. It just so happens that there was another one today and that I actually noticed problems while it was happening. (At least, that’s what I believe.)

As an additional precaution, I have closed new user registrations for now. This means that only existing users can post comments on blog posts. If new users want to comment at this point, they’ll have to write to me. I’ll decide later on if I want to take a chance and reopen user registration.

It’s rather sad that this type of problem exists in the first place. Based on the fact that the hacking attempts did not actually damage the site and only left anonymous code in places on my server, I tend to think that this was the work of some kind of automatic bot scanning the web for exposed vulnerabilities, and not the work of an actual, malicious hacker. (I don’t think it was the work of a “friendly” hacker trying to warn me about existing vulnerabilities on my site either!)

But it is still profoundly annoying and disturbing, especially in light of the fact that I hardly write about highly controversial issues or have a high-profile blog—although one never knows. It’s a crazy world out there.

I also sincerely hope that this hacking has not exposed any user-related data. I have no way of knowing for sure. I obviously want to apologize for any inconvenience that this hacking may have caused for registered Betalogue users. I realize that, by registering on Betalogue, you entrusted me with some private information and that, by failing to sufficiently protect my site from potential security risks, I may have exposed some of this information. Like I said, I may have been a bit naive about the reliability of the WordPress software that I was using, and this incident certainly has been a lesson for me. (If you are concerned about the ongoing privacy of your login information, you might want to use your profile page to change your password.)

If all these measures fail to remedy the situation and Betalogue continues to experience hacking attempts, I will obviously have to take things to the next level, either with my host or with WordPress developers. I will certainly keep you posted if there are any new developments. If you notice anything on Betalogue that does not seem right, please do not hesitate to contact me privately using the link in the side bar.


6 Responses to “Site hacked”

  1. Warren Beck says:

    Thanks for the heads up, Pierre. I guess the passwords were not encrypted; so I’ve changed mine.

    I’m beginning to think that the internet’s days are numbered, at least as an open medium.

  2. sol says:

    Maybe it is not a coincidence that about a couple of months ago I received an email from Russia asking for money to support a single mother with a poor daughter… My English is not perfect, but I could tell that it was written by someone who knew the language pretty well. The text was written, and systematic errors were introduced into it to make it appear more «realistic.»

    Luckily, it happened only once, and I added that address to my rule in Mail: «Direct à la corbeille» (Directly to trash).

    Let’s hope this won’t happen again. Good luck with the new measures, Pierre!

  3. Pierre Igot says:

    Warren: Actually, now that you mention it, the passwords are encrypted (using MD5). So I guess they must be safe, even if the hackers did get access to my MySQL tables (which I am not sure they did). (I don’t know exactly how MD5 works and how difficult it is to decrypt such encrypted passwords.)

    sol: Part of the clues that I was being hacked yesterday was a short flurry of new user registrations with .ru e-mail addresses. I have been getting such user registrations regularly for a long time (I usually delete a new user if his/her registration is not quickly followed by a first blog comment), but I never associated it with hacking attempts. Yesterday, however, the two definitely occurred at the same time, which makes me think that they are linked.

    Unfortunately, lots of on-line hacking and spamming takes place through Russian servers. That does not mean that all Russians are bad, of course :). But it does seem that Russia has become something of a haven for on-line “terrorists.”
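The exchange above about whether MD5-stored passwords are safe is worth a concrete check. MD5 is a one-way hash rather than encryption, so nobody "decrypts" it, but an unsalted hash of a common password is recovered instantly by looking it up in a precomputed table, and one table serves every row in the dump. The following is an added example, not code from the original post or from WordPress (older WordPress releases stored a bare MD5 of the password; the project moved to salted, iterated hashing with phpass in version 2.5). The word list, the sample user rows and the `pbkdf2_sha256$` storage format are constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Added example, not from the original post or from WordPress. Shows a
# dictionary attack against an unsalted MD5 column, then the same attack
# against a salted, iterated hash. WORDLIST and SAMPLE_ROWS are constructed.

WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1", "betalogue"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the pre-2.5 WordPress storage form (md5 of the password)."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed rows in the shape of an old users table: (login, stored hash).
SAMPLE_ROWS = [
    ("warren", md5_hex("letmein")),        # common word, will fall to the list
    ("sol", md5_hex("T9#vb!rq2Xz_")),      # not in the word list
]


def crack_md5(stored: str, wordlist) -> str | None:
    """One hash per candidate; the table is reusable for every user because
    there is no salt, so a dump of N users costs the same as a dump of one."""
    table = {md5_hex(w): w for w in wordlist}
    return table.get(stored)


def crack_dump(rows, wordlist) -> dict[str, str | None]:
    return {login: crack_md5(h, wordlist) for login, h in rows}


# Hardened form: a random per-user salt and a deliberately slow derivation.
ITERATIONS = 100_000


def make_salted(password: str, salt: bytes | None = None) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt; format is this example's own."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def crack_salted(stored: str, wordlist) -> str | None:
    """Same dictionary attack, but every guess must be re-derived with this
    user's salt at ITERATIONS cost: no shared table, and N users cost N times more."""
    for w in wordlist:
        if verify_salted(w, stored):
            return w
    return None


if __name__ == "__main__":
    print("unsalted MD5 dump:", crack_dump(SAMPLE_ROWS, WORDLIST))
    stored = make_salted("letmein")
    print("salted record:", stored)
    print("salted guess:", crack_salted(stored, WORDLIST))
```

The salted form still yields to a weak password (the demo recovers "letmein" either way); what changes is the cost per guess and the loss of any precomputed table, which is why a password not in any word list stays out of reach. For a site that may have had its database copied, the practical advice matches the post: users should change their password, and reuse it nowhere else.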

  4. sol says:

    Pierre: The email I received was also an .ru address. I visited the site, which I suspect is a free email service similar to Hotmail. If you know enough Russian (I don’t), you could in theory obtain such an address without ever setting foot in Russia. The hackers are probably from Russia, but not necessarily.

    As you mentioned, not all Russians are bad, and some Canadian, American and European hackers do as much harm as Russian hackers.

  5. henryn says:

    This is getting way off-topic.

    Yes, you can sign up for free accounts on Russian servers. I recently obtained mail.ru and tut.by (Belarus) email accounts — with the aid of a Belarusian friend who did the sign-ups for me, as the interfaces are naturally entirely in Russian. Both are POP accounts, but I have found it possible, if a bit chancy, to navigate the webmail interfaces by guesswork.

    Why? To find out why emails sent to me from Eastern Europe often don’t reach me via my American ISP-provided mail server and/or to provide a more viable alternative.

    So far, these services have been fine, no problem — less than with my name-brand ISP mail.

  6. Pierre Igot says:

    I have absolutely no doubt that there are lots of legitimate Internet services in Russia working very well. But the reality appears to be that Russian servers are also used to host a wide range of spamming and hacking programs. Maybe certain laws are not as strictly enforced over there or are not as strict to begin with. There must be a reason.

    And I also suspect this is partly why legitimate correspondence from Russia is not getting to you. Due to the abundance of spam coming from Russia, overzealous spam filters probably also block an abnormally large proportion of legitimate e-mail messages.
