5 things I learned from a Hacker attack
Here is what I have learned from the past night and from the attack of some script kids. And on a side note, I really dislike these idiots who were browsing the Internet and go on everybody else nerves!
1. Update!
Yes, it’s my fault. I have made a quick sample installation of WordPress for a potential customer. The customer did not want it and forgot about it. The current WordPress version is 3.4.1 and my server had 3.1.4 installed. I have heard the WordPress developers are quick with security fixes, but if you don’t update your installation it’s your fault.
2. Delete what you don’t need. Now.
As mentioned, I didn’t need the WordPress instance but was to lazy to delete it right now and later forget about it. I will not do this mistake again. If I don’t need it, I will delete it instantly. To my defence, I have a pretty bad Internet connection and uploading does take me ages. This is why I have become lazy. But of course I could have moved it into an invisible folder. In addition, these web sites are not my main business. Therefore I have bought a standard hosting package and thought i could trust that nobody would find my old files. Of course this was idiotic to think, i know it and knew it.
3. Check what happens
When I got the e-mail the script kiddies were already acting a while. I was unaware they did weird stuff. If I would have known, I would have avoided the outage: I could disable all my websites, look for the root cause and fix the system before my provider takes me off for 12 hours. Therefore I decided to check more regularly whats going on. The following script helps me:
find -newermt yesterday -ls | mail -s 'Changed Files Report' mail@example.com
This will run as a cronjob. It will mail me the files which changed yesterday. This way I can double check about the changes and have a higher chance to act quickly (and hopefully quicker than my provider).
4. Go static
Before a while I played with Jekyll. It’s a nice Ruby-Tool which lets you generate static HTML pages, similar to Mavens Site. It is great, because it supports templates, Markdown and many more stuff which helps to use “dynamic power” to generate static pages. The projects I have started with it are not ready yet, but the Dartlang.org homepage is build with Jekyll itself. You can read on Seth Ladds blog how it works.
What i have learned of yesterday was that I will replace all dynamic web pages (mostly on WordPress) with static HTML pages generated by Jekyll, when I am not urgently needing some of the dynamic power. Be honest, in some cases we need PHP just as some kind of templating mechanism. You can do templating with Jekyll. Even standard blogs can be done perfectly with it. In addition you can commit the whole Jekyll project to GIT and the project layout is very easy to understand. In my case, I have various webpages in mind which will now turn to Jekyll-pages. And yes, I will take the performance bonus as well as the fact that HTML pages are not so easily opening security wholes to script kids.
UPDATE: My colleg Torsten Curdt recommended me awestruct for static site generation. Looks promising!
5. Read exploit sites
The idiots who thought it would be a good idea to break into my webspace and put links up for their trivial websites copied a PHP script to my web server which gave them some a lot of information on my environment, like writable folders and such. The funny thing is, the script was GPLed and they stayed conform to the licensing conditions. In the header was the original source of the script which is exploit-db dot com. On this page are tons of exploits collected. Script Kids can download it from there and attack you. The website says, it’s intention is to give people like us the chance to protect our work against hackers. I am not sure how many of us do read such pages compared to script kids. But well, from now on I will look at that site from time to time and check if the software I use is vulnerable to a a specific exploit which has not been fixed yet.
Reference: 5 things I learned from a Hacker attack from our JCG partner Christian Grobmeier at the PHP und Java Entwickler blog.