May 31, 2010

So, we got hacked. It’s going to take a while to figure out all the things that got messed with. But I’ve now changed the permissions on the files on the servers so that they won’t be overwritten again.

One of the problems that’s lingering is that the text in the post composition window is white. While this probably doesn’t sound so bad, it makes it tricky to enter anything – because the background is also white!

Ok, so now I’ve resolved the background issue. Not quite sure what caused that.

Anyway, it would appear that there are a few major security flaws in WordPress:

  1. All the files for the site are in the document tree for the web site.
  2. They get installed as writable by the owner by default; it’s tricky to do otherwise, because then you can’t upgrade.
  3. There’s apparently some script that can be hijacked to overwrite a whole bunch of crap, and add stuff. I found:
    1. multiple modified index.php files, with JavaScript tacked on the end
    2. all .js files had extra JavaScript tacked on the end
    3. a backup file that’s not even in the document tree for WP!
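As an added example (not the author’s code, and not anything shipped with WordPress), here is a small Python integrity audit that would catch the findings listed above: it snapshots hashes of a known-clean install, then reports files whose content changed, files that were not in the baseline, files writable by group or other, and .php files with a `<script>` block appended at the end. The TRAILING_SCRIPT heuristic, the file names and the tree built by demo() are all constructed for this example.

```python
import hashlib
import re
import stat
import tempfile
from pathlib import Path

# Heuristic for the injection shape the post describes: an HTML <script> block at the very
# end of a .php file, after the real content. Constructed for this example, not a signature.
TRAILING_SCRIPT = re.compile(rb"<script\b[^>]*>.*?</script>\s*$", re.DOTALL | re.IGNORECASE)

def _files(root):
    return [p for p in Path(root).rglob("*") if p.is_file()]

def build_manifest(root):
    """Hash every file under root on a known-clean install. Keep the result outside the
    document tree, so the same write access that alters the site cannot alter it too."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest() for p in _files(root)}

def audit(root, manifest):
    """Return (relative_path, reason) findings: new/changed/missing files, files the web
    server's group or anyone can write, and .php files with a script block appended."""
    findings, seen = [], set()
    for p in _files(root):
        rel = str(p.relative_to(root))
        seen.add(rel)
        if p.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((rel, "writable by group/other"))
        if rel not in manifest:
            findings.append((rel, "not in baseline (new file, e.g. a dropped backup)"))
        elif manifest[rel] != hashlib.sha256(p.read_bytes()).hexdigest():
            findings.append((rel, "content differs from baseline"))
        # Appended payloads sit at the end of the file, so only the tail needs inspecting.
        if p.suffix == ".php" and TRAILING_SCRIPT.search(p.read_bytes()[-4096:]):
            findings.append((rel, "script block appended at end of file"))
    findings.extend((rel, "baseline file missing") for rel in manifest if rel not in seen)
    return findings

def demo():
    """Constructed scenario: snapshot a clean tree, then simulate the compromise the post found."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_bytes(b"<?php require 'wp-blog-header.php'; ?>\n")
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "jquery.js").write_bytes(b"var wp = {};\n")
    manifest = build_manifest(root)
    with open(root / "index.php", "ab") as f:
        f.write(b"<script>/* constructed placeholder, not a real payload */</script>\n")
    with open(root / "wp-includes" / "jquery.js", "ab") as f:
        f.write(b"/* appended */\n")
    (root / "wp-includes" / "jquery.js").chmod(0o666)  # writable by anyone, as the post found
    (root / "backup.php.bak").write_bytes(b"<?php /* stray backup */ ?>\n")
    return audit(root, manifest)
```

Run build_manifest() right after a fresh install or upgrade and store the manifest off the web server; audit() on a cron job then gives an early warning instead of a white-on-white editor.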

So this brings up an interesting point: it’s convenient and easy to use a hugely popular third-party tool, but somebody out there knows all of its weaknesses. If you write your own custom software, you’d really have to stand out to make it worthwhile for somebody to hack your site. I’m 99% certain that this was an automatic hack-job, not somebody specifically targeting me. If I’d written my own blogging tool, it wouldn’t necessarily be as easy to use and as slick (hey, I only have so many hours in a day), but it would be much less likely to get hacked by an automatic script.

Homogeneity across systems is a recipe for vulnerability – once a vulnerability is uncovered in one system, all others are vulnerable.

 Posted by at 9:57 pm

  One Response to “We got hacked…”

  1. Wow, everything got hacked. I had a few Joomla, Drupal and Django sites that I was playing around with. They were all hacked.

    I should also be careful about blaming WordPress for the vulnerability – it’s more likely a combination of WP and my network service provider’s automated setup scripts.