My Site Hacked and the Recovery

Early Sunday morning (my time) my web site (rowetel.com) was hacked and defaced. I found out from reading emails from about 5 people on my Monday morning – thanks guys. The hacking affected my index page, Free Telephony Project pages, and this blog.

At first I wondered if my domain had been hijacked. So I checked out the files on the hosted server. They were corrupted so that meant the actual server had been attacked, rather than my domain being hijacked. When I logged into the web site management pages for my hosted web site my passwords still worked. Hmmm, if I was a hacker that’s the first thing I would have changed. So maybe these people got in through some other part of the server, and not my account?

The next thing I did was check the hosting service site (smartyhost.com.au), and that page was blank. Also, several pages linked from my web site management pages led to the same defaced page. These management pages were generic to the hosting server, not part of my site. Hmmm, so it looks like the hosting server had been hacked.

So I went to work restoring the site. My static pages are all generated from text files that are processed by asciidoc. So I just did a “touch *.txt” and “make”, which rebuilt every page and uploaded it to the web server.

I keep regular backups of the other content (the entire html directory, including the WordPress blog, images, downloads etc). These are sucked off the web site by a backup script onto my laptop and DVD backups. To get the blog up again I just copied all the WordPress files back onto the site. Fortunately the database hadn’t been touched (different account username/password). So I had the site back up in 45 minutes. I was pretty happy about that. Later in the day Smartyhost had all of the management pages running again, so I did a MySQL database dump as an extra precaution.
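As an added example (not the author's backup script, whose details the post does not give), here is a small Python script that compares a fresh mirror of the live site against the last known-good backup, reports added, removed and changed files, and copies the tampered or deleted ones back from the backup. The directory names and file layout are assumptions.

```python
import hashlib
import os
import shutil
import sys

def build_manifest(root):
    """Map each file under root (path relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def compare_manifests(good, live):
    """Return (added, removed, changed) paths of the live site relative to the known-good one."""
    added = sorted(set(live) - set(good))
    removed = sorted(set(good) - set(live))
    changed = sorted(p for p in good if p in live and good[p] != live[p])
    return added, removed, changed

def check_site(backup_root, live_root):
    """Hash both trees and report what differs; an unexpected 'changed' index page is a defacement."""
    return compare_manifests(build_manifest(backup_root), build_manifest(live_root))

def restore_from_backup(backup_root, live_root, paths):
    """Copy the listed files from the known-good backup back over the live tree; return the count."""
    for rel in paths:
        dst = os.path.join(live_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(backup_root, rel), dst)
    return len(paths)

if __name__ == "__main__":
    # usage (assumed layout): defacecheck.py <backup_dir> <live_mirror_dir> [--restore]
    backup, live = sys.argv[1], sys.argv[2]
    added, removed, changed = check_site(backup, live)
    for label, paths in (("added", added), ("removed", removed), ("changed", changed)):
        for p in paths:
            print(f"{label}: {p}")
    if "--restore" in sys.argv:
        # Added files are left for manual review rather than deleted, because legitimate
        # uploads made since the last backup show up in that list too.
        n = restore_from_backup(backup, live, removed + changed)
        print(f"restored {n} file(s) from backup")
```

Run it against the mirror your backup script pulls down each night and any non-empty report is the alert; the database is covered separately by the MySQL dump.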

I logged a support request with Smartyhost and they got back to me today:

“sysadmin has advised that there was a problem with the server [it appears due to a poorly coded script within one of the 1000+ hosting accounts on the server being exploited to gain illicit access to the server and deface a number of accounts].

This was identified early yesterday morning and the ‘hole’ plugged.

We have restored from backup all affected sites [although it sounds like you got there and did this yourself prior to our sysadmin doing so].”

Overall it was a reasonably gentle exercise in site restoration. It highlights that it’s a very good idea to keep backups and not to store anything you can’t easily replace on a web server. Or on any computer, for that matter.

2 thoughts on “My Site Hacked and the Recovery”

  1. You should really change your webhost – even on shared hosting, it’s possible to isolate each user so that one user (account) getting hacked does not compromise other accounts, due to Apache sulogin etc. Dreamhost is one of many hosters that have this setup – they also enable Apache mod_security.

    WordPress and its plugins are a big source of security holes, so you also need to keep them updated, and maybe install one of the WP Firewall/IDS plugins to help protect against most obvious hacks.

    For backups, rsnapshot or similar are very good, they just require an SSH login that can run rsync – it can maintain multiple versions of your entire hosting account, unlike pure rsync, and is very efficient in bandwidth and scanning time.

  2. Some day I hope to convince you of the need to be vigilant and make constant updates to your software, although that doesn’t really apply in this case; it looks more like a problem of incompetence in a monoculture.

    It will probably take a few more incidents like this happening to you for you to become as paranoid as I am. Things like this: http://www.thestandard.com/news/2009/10/27/internet-phone-systems-become-fraudsters-tool are keeping me awake at night right now.

    I am impressed you had it all backed up, however!
