
How to prevent defacements?

Several blogs on our lot were targets of defacements earlier this morning. Two were Connie’s food blogs, one was Chin Wong’s, along with two others. It’s always a dreaded thought that one of your sites or even servers might get hacked by some punk from Russia (or wherever).

I first got notice of the series of defacements last night while updating our blogs on that server. Only one page was defaced, and that was the readme.html of the stock WordPress installation. It was obvious how it was done because the file had write permissions for basically anyone to tamper with (chmod 666). Deleting the file and checking the permissions of other files and folders was the logical move to fix that. And I thought that was all of it.

Or so I thought. Early this morning, we got calls that there were other defacements on the same server: 4 more blogs running on WordPress and Expression Engine. I really thought the entire server was compromised, so we had to spend the entire day checking practically hundreds of other sites on that same rig. We’re still not 100% sure exactly how all of these happened at the same time, but the evidence points to cross-site scripting and improper folder permissions as the primary causes.

How to prevent this in the future:

  • Check your blogs/sites for improper file and folder permissions. World-writable folders (777) and files (666) can be modified by anyone on the server, including a script running under some other compromised account on the same box. The plugins folder and the themes folder under wp-content of your WordPress install are the more common entry points; folders should normally be 755 and files 644.
  • Check user registration settings and leave the default role for new users at Subscriber if possible.
  • Always check for newer updates. EE had a vulnerability report posted last January, so if you’re not aware of it, regularly check your blogging software provider for updates, patches and other fixes.
  • Always keep a local copy of your database and your files. For WP, there’s a DB Backup plugin for this, and keep a copy of your existing themes on your PC. It will be helpful when the time comes.
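As an added example (this is not code from the original post or from WordPress or EE), here is a small POSIX shell script that covers the permission audit and the local backup from the list above, plus a check for the stray index.html and .htaccess files that the comments below describe. It assumes a document root path such as /var/www/example.com/public_html; adapt the paths to your own host.

```shell
#!/bin/sh
# Added example, not from the original post. Audit a WordPress (or any)
# web root for world-writable entries, reset them to 755/644, list stray
# web files in data-only folders, and tar up a directory for a local copy.
# All paths in the usage comments are assumptions.

# List every world-writable file or directory under $1. This is what
# 666/777 means: the "other" write bit is set, so any local user or any
# script running under another account on the box can modify the entry.
# Symlinks are skipped because they always show as 777.
list_world_writable() {
    find "$1" -perm -0002 \( -type f -o -type d \) -print
}

# Count them, so a cron job can alert when the count is non-zero.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Reset to the conventional permissions: 755 on directories (traversable
# by the web server, writable only by the owner), 644 on files (readable
# by the web server, writable only by the owner). Run as the file owner.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Folders that should only hold data (uploads, cache) normally contain no
# index.html or .htaccess. Listing any that appear gives a human something
# concrete to inspect after a suspected defacement.
find_stray_files() {
    find "$1" \( -name index.html -o -name .htaccess \) -type f -print
}

# Archive directory $1 into $2 as a timestamped .tar.gz and print the
# archive path. Pair this with a database dump (for example mysqldump
# of the WordPress database) and copy both off the server.
backup_tree() {
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$2/$(basename "$1")-$stamp.tar.gz"
    tar -czf "$out" -C "$(dirname "$1")" "$(basename "$1")" && printf '%s\n' "$out"
}

# Usage (assumed paths):
#   list_world_writable /var/www/example.com/public_html
#   fix_permissions     /var/www/example.com/public_html
#   find_stray_files    /var/www/example.com/public_html/wp-content/uploads
#   backup_tree         /var/www/example.com/public_html/wp-content /home/you/backups
```

Run the audit before the fix so you have a record of which entries were world-writable; that list, together with the stray-file output, is the starting point for working out how the defacer got in.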

I’m sure we’d get some heat from this, but battling hackers, spammers and phishers is no easy task and a continuous effort. We get literally dozens of brute force attacks every day, and all we can do is stay as alert as ever. Any provider saying they’re 100% hack-proof is only asking to be targeted by more attacks.

All we can do is learn from this incident, be more careful and move on.


Abe is the founder and Editor-in-Chief of YugaTech with over 20 years of experience in the technology industry. He is one of the pioneers of blogging in the country and considered by many as the Father of Tech Blogging in the Philippines. He is also a technology consultant, a tech columnist with several national publications, resource speaker and mentor/advisor to several start-up companies.

5 Responses

  1. eric says:

    Oh no.. this is kinda techie..

    my blog is in your hands abe.. hehehe

    hey, how do you install the latest version of WordPress anyway? thanks!

    I’m a bit afraid to install just anything on my blog in case my blog suddenly goes haywire. ehehe

  2. Abe Olandres says:

    Found 3 more defaced sites today, all of them have 777 folder permissions.

  3. Noemi Dado says:

    a cPanel security flaw?

  4. Connie says:

    3 extra folders were uploaded to Pinoycook.net (running on WP), each containing an index.html file with the blah blah info of the asshole.

  5. Connie says:

    In the case of pinoyfoodtalk.net, running on Expression Engine, six folders with .htaccess files were uploaded and the index.php file on the main path was overwritten. It couldn’t have been done through the EE admin panel because you can’t touch the index.php file from there. It has to have been via FTP or cPanel.
