Posted on Saturday, May 12th, 2012, at 6:30 pm
So, our account at our webhost provider was hacked. That was exciting. There was a vulnerability in the version of PHP that the site runs, which allowed a hacker to insert malicious code into certain files; the result of this was that whenever someone visited our site, they ended up downloading malicious code which could trash their computer. Jennifer’s installation of Norton Antivirus on her computer caught the code and warned her before she downloaded the site; my mom’s computer wasn’t so lucky. Of course, since I run Linux, I don’t run any anti-virus software and I had no idea our sites were infected.
I spent my breaks and lunch hour on Friday going in and removing the malicious code. But when I got back to my computer that night, the code had returned. In other words, the hacker had gotten back in and was re-inserting the code. I contacted our provider’s technical support line and asked for assistance. They went ahead and patched the CGI wrapper on our site (geekspeak for they updated our server), and this should have taken care of the issue.
It should have. Except it didn’t.
The malicious code returned. Again. I deleted it. Again. And again it showed up. And so on.
The ticket I had opened with our hosting provider was still open at this point, so I updated it with the ongoing situation, and when it wasn’t replied to within an hour I called the provider on their toll-free line. Apparently, the PHP vulnerability had hit them hard; they had three hundred tickets in their abuse queue, and only one person answering them. Fortunately my ticket was at the top of the queue, so they could address it quickly. The abuse team — the one guy — found a back door script on our site that was allowing the hacker to continue to gain access even though our version of PHP had been patched. He deleted it, but told me there was really no way to find all of the potential back doors.
We ended up deleting the entire site, and restoring it from a backup dated May 6. This ended up being not that big a deal; I had to re-update all of our WordPress installations and restore a couple of photos but that was about it.
Is there a lesson here for me? For you? For anyone? Probably not, except to make sure your installation of PHP is up to date and fully patched. But even then, new vulnerabilities crop up and exploits will appear within hours of the vulnerability being announced.
Have fun y’all.
Current Music: Soundtrack to "Where the Wild Things Are"
Leave a Reply