5 things I learned from a Hacker attack

By Christian Grobmeier

On Friday evening I got an e-mail from my provider. They told me my webspace had been the target of a hacker attack and that they would shut it down until they had analysed the root cause. There was no more information, and the only thing I could do was wait. Fortunately they wrote back on Saturday morning with some explanation and tips on how to clean up my websites.

Here is what I have learned from the past night and from the attack of some script kids. And on a side note, I really dislike these idiots who browse the internet and get on everybody else's nerves!

1. Update!

Yes, it’s my fault. I had made a quick sample installation of WordPress for a potential customer. The customer did not want it, and I forgot about it. The current WordPress version is 3.4.1 and my server had 3.1.4 installed. I have heard the WordPress developers are quick with security fixes, but if you don’t update your installation it’s your fault.

2. Delete what you don’t need. Now.

As mentioned, I didn’t need the WordPress instance but was too lazy to delete it right away, and later I forgot about it. I will not make this mistake again. If I don’t need it, I will delete it instantly. In my defense, I have a pretty bad internet connection and uploading takes me ages. This is why I have become lazy. But of course I could have moved it into a hidden folder. In addition, these websites are not my main business. Therefore I bought a standard hosting package and thought I could trust that nobody would find my old files. Of course this was idiotic to think; I know it and knew it.

3. Check what happens

When I got the e-mail the script kiddies had already been active for a while. I was unaware they were doing weird stuff. If I had known, I could have avoided the outage: I could have disabled all my websites, looked for the root cause and fixed the system before my provider took me offline for 12 hours. Therefore I decided to check more regularly what's going on. The following script helps me:

find -newermt yesterday -ls | mail -s "Changed Files Report" mail@example.com

This will run as a cronjob. It will mail me the files which changed since yesterday. This way I can double-check the changes and have a higher chance to act quickly (and hopefully quicker than my provider).
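As an added example (not code from the original post), here is a cron-friendly version of this check. It keeps the author's modification-time listing, but adds a content-hash baseline, because an mtime check alone misses a file whose timestamp was reset with `touch`, and it passes an explicit start path to find, since in cron the working directory is usually the home directory rather than the web root. `WEBROOT`, `BASELINE` and the recipient address are assumed placeholders; `sha256sum` (coreutils) and a working `mail` command are assumed to be installed.

```shell
#!/bin/sh
# Added example, not the post's own script. Placeholders below are constructed for this example.
WEBROOT="${WEBROOT:-/var/www/example}"          # assumed web root
BASELINE="${BASELINE:-$HOME/.webroot.sha256}"   # assumed manifest location, kept outside the web root
RECIPIENT="${RECIPIENT:-mail@example.com}"      # assumed report address

# 1) Modification-time report: the post's one-liner with an explicit start path.
#    -mtime -1 (portable) lists files modified in the last 24 hours, which is what
#    GNU find's "-newermt yesterday" selects.
report_recent_changes() {   # report_recent_changes WEBROOT
    find "$1" -type f -mtime -1 -ls
}

# 2) Content-hash manifest: one "hash  ./path" line per file, sorted for stable comparison.
#    Unlike the mtime check, this still flags a file whose timestamp was backdated.
build_baseline() {          # build_baseline WEBROOT OUTFILE
    ( cd "$1" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# 3) Compare the stored manifest with a fresh one.
#    Prints NEW / MODIFIED / DELETED lines; returns 0 when nothing changed, 1 otherwise.
compare_baseline() {        # compare_baseline WEBROOT BASELINE
    current=$(mktemp) || return 2
    build_baseline "$1" "$current"
    diffs=$(awk -v base="$2" '
        { h = $1; p = $0; sub(/^[^ ]+  /, "", p) }   # split "hash  path"; path may contain spaces
        FILENAME == base { old[p] = h; next }        # first file: the stored baseline
        !(p in old)      { print "NEW      " p; seen[p] = 1; next }
        old[p] != h      { print "MODIFIED " p }
        { seen[p] = 1 }
        END { for (p in old) if (!(p in seen)) print "DELETED  " p }
    ' "$2" "$current")
    rm -f "$current"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# 4) Cron entry point: mail only when something differs. The baseline is deliberately
#    not rolled forward here; rebuild it with build_baseline after you have verified a change.
check_and_mail() {          # check_and_mail WEBROOT BASELINE RECIPIENT
    report=$(compare_baseline "$1" "$2") && return 0
    {
        printf 'Files changed under %s since the last baseline:\n\n%s\n\n' "$1" "$report"
        printf 'Files with a modification time in the last 24 hours:\n\n'
        report_recent_changes "$1"
    } | mail -s "Changed Files Report" "$3"
}

# Assumed crontab line for this script:   0 6 * * * RUN_REPORT=1 /usr/local/bin/changed-files.sh
if [ "${RUN_REPORT:-0}" = 1 ]; then
    check_and_mail "$WEBROOT" "$BASELINE" "$RECIPIENT"
fi
```

Run `build_baseline` once right after a clean deploy or update, so the manifest describes a state you trust; from then on the cron job only reports deviations from that state, including files that are new, deleted, or changed in content regardless of their timestamp.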

4. Go static

A while ago I played with Jekyll. It’s a nice Ruby tool which lets you generate static HTML pages, similar to Maven's site plugin. It is great, because it supports templates, Markdown and much more, which lets you use “dynamic power” to generate static pages. The projects I have started with it are not ready yet, but the Dartlang.org homepage itself is built with Jekyll. You can read on Seth Ladd's blog how it works.

What I learned yesterday is that I will replace all dynamic webpages (mostly on WordPress) with static HTML pages generated by Jekyll wherever I don't urgently need some of the dynamic power. Be honest: in some cases we use PHP just as a kind of templating mechanism. You can do templating with Jekyll. Even standard blogs can be done perfectly with it. In addition you can commit the whole Jekyll project to Git, and the project layout is very easy to understand. In my case, I have various webpages in mind which will now turn into Jekyll pages. And yes, I will take the performance bonus as well as the fact that static HTML pages do not open security holes to script kids so easily.

UPDATE: My colleague Torsten Curdt recommended awestruct to me for static site generation. Looks promising!

5. Read exploit sites

The idiots who thought it would be a good idea to break into my webspace and put up links to their trivial websites copied a PHP script to my webserver which gave them a lot of information about my environment, like writable folders and such. The funny thing is, the script was GPLed and they stayed compliant with the licensing conditions. In the header was the original source of the script, which is exploit-db dot com. On this page tons of exploits are collected. Script kids can download them from there and attack you. The website says its intention is to give people like us the chance to protect our work against hackers. I am not sure how many of us read such pages compared to script kids. But well, from now on I will look at that site from time to time and check whether the software I use is vulnerable to a specific exploit which has not been fixed yet.


Follow me on Twitter :-)

  • http://travisred.com Travis

    Nice little command for checking the modified files.

    Also, many people don’t realize how easily most sites can be created with static HTML. It’s cool that there are popular tools to do it now. My blog is static, generated by a python script and markdown (much like Jekyll). Just as easy as using a CMS, but much faster load times.

  • http://www.webdigi.co.uk/blog/2009/how-to-detect-if-your-webserver-is-hacked-and-get-alerted/ Web developer

    “find -newermt yesterday -ls” is a good idea, but the date and time can be changed using the same channel that the hacker uploads the malicious file.

    This technique compares a hash of all the files and you can exclude certain files http://www.webdigi.co.uk/blog/2009/how-to-detect-if-your-webserver-is-hacked-and-get-alerted/

  • http://my.opera.com/devloop/blog/ dv

    And 6: Use an antivirus even under Linux.

    I run an SSH honeypot (Kippo) and around 90% of the scripts uploaded by intruders are known tools and detected by ClamAV or AVG Free for Linux.

    I also recommend Maldet for such attacks:
    http://www.rfxn.com/projects/linux-malware-detect/

  • Kuro

    Damn, my WP website was defaced 2 days ago :( … Luckily someone spotted it and told me, I noticed the processes were killing the CPU so I rebooted the server and deleted the hacked account, luckily I had recent backups for everything in that website.

    It was an Indonesian defacer, who uses scripts created by the Dark-Devilz crew. I found this Indonesian guy has a 4shared account full of infected files, cracks for games and exploits. Shamefully I don’t have enough time to hunt him down though..

    By the way, my installations were all updated; the only thing I noticed was that the PHP configuration had allow_url_fopen on, maybe it had something to do with it.. Or maybe it was a directory with full write permissions, I’m still trying to figure out where he broke in…

  • http://twitter.com/phL0w hacklschorsch

    No need to give up your known development environment: WordPress can be used to export the site to static HTML.

    The canonical method is spidering the page (e.g. http://www.suodatin.com/fathom/How-to-retire-a-wordpress-blog-%28make-wordpress-a-static-site%29). There are also plugins for WP that help export the whole blog as static HTML. And finally it looks like there’s a “supercache” option built into WP that can be used to create static HTML files. You then only need to block access to your WP authoring environment, possibly by using .htaccess or so. http://stackoverflow.com/questions/2631176/wordpress-to-static-html-solution