Hacked: Lessons Learned and Relearned

A couple of weeks ago while I was on vacation my WordPress site was hacked. It started first with a weird email from Wordfence trying to tell me something, but it was so garbled I knew either it was in serious need of an update or something worse had happened. When I got to my site, I found something worse had happened. What was weird was I could only see the hack on one device. So when I contacted my hosting provider, they of course said it was my PC (I was on an iPad). The reason for contacting them was early evidence seemed to point to something hacking into my site from the host. This would mean the host server was hacked. I didn’t have my laptop with me with my usual tools to look at things securely (such as turning off all JavaScript and Flash in the browser so I could minimize the chances of compromising my laptop), and my wife had her work laptop but I was not going to compromise it. So I just decided to leave my site down. This is not something a commercial site could do. Imagine the sales Amazon would lose if it were down for an hour. But my site isn’t an e-commerce site. Instead it is just a blog.

The early answers from my provider were that I should scan my PC to make sure it isn’t affected. Agreed, always a good measure. I run antivirus that is pretty highly respected and a malware prevention program, but as we all know, the vulnerabilities they don’t know about they can’t protect you from, and even then they are not foolproof. I knew the hack was on the site and not my PC. I had logged in locally and looked at the code and there it was: “Hacked By Explo!T3r”. Don’t do a Google Search for that, as you will be surprised how many sites have been hacked by the same or similar group and are still hacked and unrepaired and may not even know, but Google knows. Okay, search but don’t visit their sites, just in case. And the worst part about it was it was all tangled up in the cache, so I would have to make sure to wipe my cache once I cleared up the mess. I backed up my site as it was so that I could download it and do a file-by-file comparison with a previous backup to see what was changed or infected. Additionally I scanned it with both antivirus and malware scanners to see if there was something evidently evil about it. Nothing found.

A senior engineer at my hosting provider asked me when my site was last working. I hadn’t logged in in over a week, so I told him when I was last on the site. And they said they would restore a backup for me from that time period. Now, I wasn’t aware they were backing up things also. I know I have to run manual backups, and I download them to a cloud provider so I have “off site” backups, so to speak. I know I could automate this process and I have in the past, but the free plugins that do backups have some limitations, and being that my site isn’t for commercial gain, I have to keep things low to no budget. Plus that is in keeping with my open source spirit. So when I finally got back from vacation I looked and my site was really down now. Database Connection error. I guess their backup didn’t massage my database before backing up. So I knew what I had to do.

First I checked the modified date on all files on my site and decided I would wipe the site and roll in the last manual backup I ran. When did I run this backup? The end of June. I have violated my very own rule: back up, and back up often. Also back up before going forward. So I lost all of my July posts, which was a shame as they were really good and have brought a lot of traffic to my site. Don’t worry, my “Social Media for Small Business” series will return and soon have some additional entries.

So after restoring my site to the June backup and changing my passwords to the most complicated passwords I have ever used, the site is back up and running. I looked through the code, and the hack modified entries in my database, so either they compromised MySQL for my site, did a SQL Injection hack, used an account with author privs that had a less than awesome password, or even exploited one of the recent vulnerabilities that were fixed by the latest update to WordPress 4.2.3.

Here are some lessons learned:

1. Back up, and back up often (I failed my own rules here).

2. Update often. (I didn’t have any pending updates of plugins or WordPress so I was technically as good as I could get).

3. Complex passwords. I use complex passwords but I had an account that did not. Wordfence offers a scanner that checks password complexity.

4. Compare backups. There is a lot to learn by comparing files from one backup to a newer one. What has changed since the last backup?

5. Verify your .htaccess files are set correctly.

6. This one will be controversial. Country blocking. Wordfence (paid version) has an option to block by country. I had turned this off because my site seemed slow and I was looking to see if my .htaccess file had become unruly with too many entries. However, if you have a topic on your blog that might be controversial (my entries about my Faith), then you know you may offend someone. While I want my site open for everyone, there are some countries where the majority of hackers come from, so blocking their countries (determined by IP address ranges and domain suffixes) will save you some headaches.
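Lessons 1 and 4 above boil down to keeping backups and diffing them. The script below is an added example, not code from the post or from Wordfence: it hashes every file in two backup trees, reports what was added, removed or modified, and flags changed files that contain the defacement string quoted earlier. The sample trees it builds are constructed here for illustration.

```python
"""Compare two WordPress backup trees and report what changed between them."""
import hashlib
import tempfile
from pathlib import Path

# Defacement marker quoted in the post; used only to flag suspicious changes.
SUSPICIOUS_MARKERS = (b"Hacked By Explo!T3r",)


def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_backups(old_root, new_root):
    """Return added/removed/modified paths plus new or changed files carrying a marker."""
    old, new = hash_tree(old_root), hash_tree(new_root)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    flagged = []
    for rel in added + modified:  # only the newer copy can carry a new marker
        data = (Path(new_root) / rel).read_bytes()
        if any(marker in data for marker in SUSPICIOUS_MARKERS):
            flagged.append(rel)
    return {"added": added, "removed": removed, "modified": modified, "flagged": flagged}


def build_sample_backups():
    """Constructed sample: a June backup and a post-incident copy of a tiny WP tree."""
    base = Path(tempfile.mkdtemp())
    june, now = base / "backup-june", base / "backup-now"
    for root in (june, now):
        (root / "wp-content/themes/demo").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); ?>\n")
        (root / "wp-content/themes/demo/style.css").write_text("body { margin: 0; }\n")
    (june / "readme.html").write_text("<h1>WordPress</h1>\n")  # later deleted
    (june / "wp-content/themes/demo/header.php").write_text("<?php wp_head(); ?>\n")
    (now / "wp-content/themes/demo/header.php").write_text("<!-- Hacked By Explo!T3r -->\n")
    (now / "wp-content/x.php").write_text("<?php // file not present in June ?>\n")
    return june, now


if __name__ == "__main__":
    for kind, paths in compare_backups(*build_sample_backups()).items():
        print(f"{kind}: {paths}")
```

Point it at a pristine backup and the current site export; anything under "modified" or "added" that you did not change yourself is where to start reading.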

Look at my WordPress Security Essentials to see the things I do and should have done to protect my site. In this case, do as I suggest, not as I do.

The Tech Side of Me Tech News 4/25/2015

This is the start of something new. This idea has been going around in my head for weeks and the idea was to feature my favorite articles I tweeted this week along with some commentary about each one. This may go through some changes but as this is Week 1, let’s get started.

Currently I use Hootsuite to schedule and post my Tweets, Google+ Posts, and Facebook. So from that I get an idea of how many people click on my links. It doesn’t tell me who (that would be scary), but it does tell me how many. So, using the unscientific approach that the number of clicks shows how popular a tweet was, I will definitely feature those, but sometimes a tweet about a topic I hold near and dear fails to get traction, either because of the time of day it is posted or some other factor. I will feature those as well.

Have an Android Phone? Want to Find it? Google it

From the Creepy but Cool files, if you enable Google location services on your phone, finding your phone could be as easy as going to Google.com and just typing in “Find My Phone”. It will ask you to log into your Google account (use the primary Gmail account you use on your phone), and then show you on Google Maps the approximate location of your phone. If it is accessible it will also give you an option to ring your phone.

Verizon says “unlimited Data Plans are stupid”

Verizon basically said we are idiots to want unlimited data plans. I know everything has to have a limit, so to speak, but first selling us unlimited plans and then calling a 2 gig plan unlimited is false advertising. But are we silly to want what we want? We don’t really want unlimited. Instead, we want to pay one price and use it as much as we want and not have to pay ridiculous overages. For some of us, unlimited is 2 gig, for others it is 6 gig, etc. Granted, we know if someone is using 10 gig plus, well, maybe they should pay more, but the system as it is punishes even the least data users. What do you think?

Sysadmins Everywhere Scream at Once

This week two scary security alerts went out. For Windows admins with Internet-facing Internet Information Server instances, there was the “HTTP Ping of Death”. Basically, a header problem that, when attacked, would cause a “DOS” (Denial of Service) issue. Basically the server would hang or even blue screen so that the server wasn’t responding or available. Hopefully everyone is all patched up by now. Hopefully. This was my most clicked tweet of the week.

In other Security news…

Popular eCommerce application Magento finally has an exploit in the wild for a security issue they published about in February. This is a bad one and you need to get patching quickly, as exploits are in the wild and thousands of servers were attacked.

Who wants to live forever… Digitally anyway?

So if you should die tomorrow (hopefully you won’t) but if you did, who would you want to have access to your Digital assets? Who would have access to your Facebook, Gmail, Twitter, YouTube Channel, your iTunes account? If you don’t give someone access to these things, the courts may not help. There isn’t much legal precedent for what to do with these elements of a human life. In fact, iTunes as it is currently setup basically belongs only to the person who originally purchased it. So you go and so would your tunes. So if you give access to someone you trust to your digital elements, you allow your digital elements to keep going. Google offers a way to designate someone your Digital Heir. In my case, I designated my wife. This article talks about how laws have not kept up and you really can’t even “Will” your Digital assets to a loved one. But some social media accounts give you a way to allow your designated person to access your accounts.

Jedi Marriage

This is my favorite story of the week: Jedi’s can now get married. (Dang I hate typos! It’s Official.)

A little boy sends a letter to George Lucas asking why Jedis can’t get married. The reply is awesome and a win for Jedis everywhere. I am so glad. I married my wife in secret because she is a Jedi. Now we can be public about it.

And those are my favorite stories of the week. I hope you enjoyed them.