Early Sunday morning (my time) my web site (rowetel.com) was hacked and defaced. I found out from reading emails from about 5 people on my Monday morning – thanks guys. The hacking affected my index page, Free Telephony Project pages, and this blog.
At first I wondered if my domain had been hijacked. So I checked out the files on the hosted server. They were corrupted so that meant the actual server had been attacked, rather than my domain being hijacked. When I logged into the web site management pages for my hosted web site my passwords still worked. Hmmm, if I was a hacker that’s the first thing I would have changed. So maybe these people got in through some other part of the server, and not my account?
Next thing was I checked the hosting service site (smartyhost.com.au) and that page was blank. Also several pages linked from my web site management pages led to the same defaced page. These management pages were generic to the hosting server, not part of my site. Hmmm, so it looks like the hosting server had been hacked.
So I went to work restoring the site. My static pages are all generated from text files that are processed by asciidoc. So I just did a touch *.txt, and “make” which rebuilt every page and uploaded it to the web server.
I keep regular backups of the other content (entire html directory including WordPress blog, images, downloads etc). These are sucked off the web site by a backup script onto my laptop and DVD backups. To get the blog up again I just copied all the WordPress files back onto the site. Fortunately the database hadn’t been touched (different account username/password). So I had the site back up in 45 minutes. I was pretty happy about that. Later in the day Smartyhost had all of the management pages running again so I did a MySQL database dump as an extra precaution.
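The backup-and-restore routine above, as an added example (not the author's actual backup script): it mirrors the html directory and dumps the blog database, and adds the check a defacement makes you wish you had, a hash manifest of the last known-good copy that lists every changed, missing or new file. Host, path and database name are placeholders; it assumes rsync, mysqldump and GNU coreutils (sha256sum, join).

```shell
#!/bin/sh
# Added example, not the author's script: mirror the site and dump the blog
# database, then compare a site tree against a hash manifest taken from the
# last known-good copy so defaced, added or deleted files are listed.
# Assumed settings (placeholders); needs rsync, mysqldump, GNU coreutils.
SITE_HOST="${SITE_HOST:-user@example.invalid}"
REMOTE_HTML="${REMOTE_HTML:-/home/user/public_html/}"
DB_NAME="${DB_NAME:-wordpress}"

# backup_site DEST: pull the html directory and the database into DEST.
backup_site() {
    mkdir -p "$1/html"
    rsync -a --delete "$SITE_HOST:$REMOTE_HTML" "$1/html/"
    # DB credentials are read from ~/.my.cnf, not passed on the command line
    mysqldump "$DB_NAME" > "$1/$DB_NAME.sql"
}

# make_manifest DIR: one "sha256  ./path" line per regular file, sorted by
# path (paths containing blanks are not handled).
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f"
      done )
}

# verify_manifest DIR MANIFEST: print "CHANGED|MISSING|NEW ./path" for each
# difference between DIR and MANIFEST; prints nothing when they match.
verify_manifest() {
    current=$(mktemp)
    make_manifest "$1" > "$current"
    # join both listings on the path (field 2); '-' marks a side without it
    LC_ALL=C join -j 2 -a 1 -a 2 -e '-' -o '0,1.1,2.1' "$2" "$current" |
        awk '$2 == "-" { print "NEW " $1; next }
             $3 == "-" { print "MISSING " $1; next }
             $2 != $3  { print "CHANGED " $1 }'
    rm -f "$current"
}

# Typical run after a backup, comparing the fresh copy to the manifest saved
# from the previous known-good one:
#   backup_site /backups/site && \
#   verify_manifest /backups/site/html /backups/site/last-good.manifest
```

Save a manifest (`make_manifest backup/html > last-good.manifest`) right after a restore you trust; the next verify run then tells you exactly which files to restore rather than having to copy everything back blind.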
I logged a support request with Smartyhost and they got back to me today:
“sysadmin has advised that there was a problem with the server [it appears due to a poorly coded script within one of the 1000+ hosting accounts on the server being exploited to gain illicit access to the server and deface a number of accounts].
This was identified early yesterday morning and the ‘hole’ plugged.
We have restored from backup all affected sites [although it sounds like you got there and did this yourself prior to our sysadmin doing so].”
Overall it was a reasonably gentle exercise in site restoration. It highlights that it’s a very good idea to keep backups and not store anything you can’t easily replace on a web server. Or any computer for that matter.