Comments for lauralemay :: blog

Comment on hacked, the followup by laura

laura — Tue, 21 Feb 2012 18:56:16 +0000

@Ben: I apologize for not approving your comment earlier, I lost track of my moderation queue. FWIW I found that changing to .htaccess in any way made no difference at all because so many other files in WordPress were compromised that anything I did would get rewritten. You need a new wordpress install.

@Dmitry, FPMurphy: I am indeed on Dreamhost, but I have heard from a LOT of people who have this same breakin who are on other hosting providers. The problem is definitely in WordPress. The issue with Dreamhost specifically is that they give you easy access to a WordPress installation but then zero guidance at all toward securing it, or any sort of hint that the wordpress install you have might be compromised. I like Dreamhost a lot but I think they could do a lot better than “here is this inherently insecure software, and you’re on your own.”

Comment on hacked, the followup by FPMurphy

FPMurphy — Tue, 21 Feb 2012 18:45:08 +0000

I also am on Dreamhost so I suspect the common denominator is Dreamhost. Either of you hosted on the Dreamhost rogue server?

Comment on hacked! by FPMurphy

FPMurphy — Tue, 21 Feb 2012 14:21:55 +0000

Are you hosted on Dreamhost?

Comment on hacked, the followup by Ben Phelps

Ben Phelps — Sun, 12 Feb 2012 21:49:12 +0000

I know this isn’t the subject of your blog, but thank you so much for posting this. I am dealing with this same malicious hack for a client right now. Mine was advertising for Cialis, but still. So frustrating. It turns out wordpress is actually a goldmine of vulnerability for hackers, because so many people use it, many with limited web security experience. I’m definitely learning a lot myself.

One thing I was wondering to stop this besides chmoding the .htaccess file, is to put a new rule in the htaccess file itself denying access to the common.php file. Of course you have to do this in conjunction with reducing access to the htaccess file. There is really no reason for anyone to have write access to this file in wordpress other then the system administrator that I am aware of. If I’m wrong about this, please correct me.

order allow,deny
deny from all

Comment on hacked, the followup by Dmitry Brant

Dmitry Brant — Fri, 27 Jan 2012 16:50:11 +0000

Laura,
The same thing is happening to me now, as we speak. The attacks are even coming from the same IP address you pasted above! The only difference is that I don’t have timthumb anywhere in my site(s), so they must have used a different vector for inserting the malicious PHP code. The hacker actually managed to plant a PHP shell script (boff) deep inside my theme directories. Who knows what else they did after that.

One thing I noticed is that we’re both hosted by DreamHost. I remember they recently sent out an email stating that some of our FTP accounts have been compromised. I wonder if this has anything to do with that. (I changed my FTP password immediately, but it was still plenty of time for someone to plant a malicious script). Part of me also thinks that the DreamHost server itself might be infected with something.

I think I’ve scrubbed all the badness from my PHP and .htaccess files… we’ll see what else the hackers have up their sleeve.

Comment on The Curious Incident of the Chickens In the Night-Time by epc

epc — Fri, 20 Jan 2012 02:04:07 +0000

I wonder what changed, you’d had chickens for a couple of years before this happened, right? Like, did they wake up one day and realize they could climb the fence, or did one of their other sources of food disappear?

Could you put barbed wire on the top of the fence, facing outward on an angle like you see at prisons?

Comment on hacked! by Matt Andrews

Matt Andrews — Thu, 19 Jan 2012 00:16:42 +0000

This exact same thing has been happening to me the past few weeks. I’ve tried everything. My webhost ran a scan and found a suspicious PHP file which I removed. I deleted all WordPress installs and even databases from the server. Nuked any files with 777 permissions. Deleted the common.php file. It keeps coming back. Despairing! I just tried setting .htaccess to 444 and will see if that does anything. Makes me feel slightly better than it’s not just me, though…

Comment on hacked, the followup by Luke Seemann

Luke Seemann — Sun, 15 Jan 2012 19:43:57 +0000

Thanks for the info on this. I suffered the same attack a few days later, starting on Jan. 7, with the same “payday” and “personal creations” SEO and everything. Your wrap-up has been very helpful in eradicating it (knock on wood).

Comment on hacked, the followup by Anton Rang

Anton Rang — Mon, 09 Jan 2012 19:00:45 +0000

Remotely executable code is always problematic (risky), but I think it’s fairly reasonable to run a webserver which does not run *any* dynamic code. Since your static web sites weren’t supposed to have any PHP, it’d be reasonable to disable PHP etc. on them. If the web server itself could then be fairly secure (honestly, I haven’t looked recently to see if anyone has tried to build a secure web server in the style of the secure FTP servers that are available, where the goal is to audit the code and take advantage of reduced privilege as much as possible). Actually, just running the web server as a user who doesn’t have access to write to anything except its own log files should help quite a bit.

Doesn’t help for dynamic code like WordPress, of course. I’d be tempted to suggest that the generated site be served as above, with the WordPress code running on a separate web server which is not normally accessible from the outside world — for instance, on a port which is only listening to local connections, and use an SSH tunnel to reach it. That helps if the dynamic code is only on *generation* and not on *retrieval*, i.e. with something like the “really static” plug-in.

Anyway … glad you recovered from this, and thanks for posting about it! I don’t think there’s been enough mainstream attention to this type of vulnerability.

Comment on hacked! by Matt Rose

Matt Rose — Thu, 05 Jan 2012 01:45:14 +0000

Also, get rid of wordpress. It’s secure for a few days, until somebody finds a way to hack it, then you have to upgrade it. Seriously, google wordpress 0day exploit. For my blog I use tumblr, but a static site generator like blosxom might be good too.

Also, Enno probably has the right idea. At least get Eric to look it over

Comment on hacked! by Enno Rehling

Enno Rehling — Tue, 03 Jan 2012 05:51:36 +0000

Having been similarly hacked before myself, I would recommend re-imaging the entire machine. You cannot trust any part of it. I thought I was clever and got it removed, but the truth was I still did not know enough about how it had nested inside my system in the first place and how deeply rooted it was, and in the end, I ended up on every blacklist on the internet for being a spam hoster because I was too lazy to nuke everything including the OS from orbit. It really *is* the only way to be sure.

Comment on The 2012 Resolution Short List by Luis Oliveira

Luis Oliveira — Mon, 02 Jan 2012 23:37:48 +0000

I’m glad that you’ve mentioned the chicken coop, cause it’s taking more than a year and it’s a surprisingly entertaining story. Come, get it up and get new chicken to fill it up already.

Comment on The 2012 Resolution Short List by doppelfish

doppelfish — Mon, 02 Jan 2012 20:10:55 +0000

Ah, "Resolution". I misread that as "Revoultion". For the pullups issue, be free to contact Krista.

Comment on Housekeeping by doppelfish

doppelfish — Thu, 15 Dec 2011 19:36:36 +0000

Well, you could go make this blog software work and then write blog posts. ;)

Comment on How to Convert an Old Shed to a Chicken Coop in 45,732 Easy Steps (Part Four) by Adam

Adam — Tue, 13 Dec 2011 00:18:26 +0000

Great story, I was on the edge of my seat! Seriously, very interesting to read. You could/(should?) have put some diagonal bracing on the framing, Laura, tut, tut. The wall sheeting should brace it all when you get it up, but, really, you should think about bracing it all.

But a fine job! You should be proud!