Being Hacked: Part I & II – You have been hacked
This is the beginning of a story based on real events. Due to its length, I decided to divide it into small, digestible parts. I hope what I have written here will be useful for many WordPress users, and even the hackers will have a little fun reading about their exploits.
Compared with many Web veterans, my early days building sites and blogging are very recent. My first sites date from about 2005 (using a personal server), but I took the matter seriously in 2008, renting space on a host. In the country I live in, an Internet connection was close to being a luxury, and the idea of running a server proved to be expensive and prone to connection downtime on a daily basis.
I started my first web site in mid-2008, and it was (and still is) about triathlon, a sport that involves swimming, cycling and running. My first post (a test, by the way) was done in mid-July 2008, and since then I've been making improvements, learning WordPress and expanding the installed sites as I got some customers. To sum up, it has been three and a half years from the starting point. Depending on the point of view, it may seem like a lot of time or very little, but if we speak about learning, I can assure you it is a very long time.
From the start I picked Site5 as my hosting provider. You may think this is an ad (and maybe it is), but we'll see that this provider has an important part in this story. I've been working with Site5 all this time and it has been a rewarding experience. They have excellent technical support, and when there was a problem, they solved it at once. The support is very good, prices are reasonable... yeah, I'm happy with that, and that is hard to get. You see, I'm very critical of myself, and if you aim for excellence, a hosting provider that keeps its quality of service over the years is very hard to find.
Back to the story: while the number of sites was growing, I perceived the reality of being hacked as diffuse, distant and small, nothing to worry about. Sometimes I think ignorance and lack of foresight can provide a sense of security.
I mean: a false sense of security.
What could be the odds that someone could hack a bunch of WordPress sites that were always up-to-date?
That kind of thinking is not very forward-looking.
And also the hackers are very clever…
Part I: Symptoms ignored because they were never well understood.
A month before what would be the main event, I received a call from a client telling me that the activity on his site was unusually high. The client had a WordPress site with the Statpress Reloaded plugin installed, so he could easily review the activity.
I checked the statistics, finding these numbers:

Any blogger would be happy to know that their site has increasing traffic, but if the site is a newly started corporate profile, without updates, a dramatic increase in visitors is something suspicious. Also, a sudden change from 10-20 daily visitors to 300-400 daily visitors in a few days is at least unusual.
The Statpress plugin is nearly useless in this case. It only gives you a clue from the last 10 activities, and in this case all of them pointed to the same page: Camera just installed detects carjacking. This was the only update in months and there was nothing in there. The real problem stayed behind the curtains, but I couldn't realize it until much later. If we only get the last 10 pages accessed and we have at least 1000 pageviews, we're missing the complete picture here.
Finally I concluded that there was some sort of script posting comments on that page (there were hundreds of spam comments as well), so I made sure that the Akismet plugin was working, added a captcha plugin to avoid such problems, and decided to consider the problem closed.
To be honest, it was far from over.
Part II: your account was suspended
A few days later, Site5 detected a serious phishing problem on another site in my account. They sent me an alert by email three times. The problem was that every email alert was filtered as spam, and my account was deactivated 48 hours later without my even knowing it!
This is the worst way to be aware about a problem.
[Image: the phishing page (data masked to respect the service)]
So I had a weird traffic problem on one site and a phishing problem on another. Were they related? I didn't make the connection at that moment. I contacted Site5 and they reactivated my account. An account suspension means that every site in your account will be down. That was a serious impact.
And the phishing implication was disturbing. It meant that someone had found a way to upload files to my hosting. Somebody had enough privileges.
My account was compromised.
What I learned:
- Check spam from time to time. The filters are not 100% accurate. Update the filters if a legitimate email goes to spam.
- It is good to have a tool to check logs. (More on this topic in future posts.)
- It is also good to keep a permanent log. Even though there was a way to turn it on, by default the server kept only the last 24 hours of logs. After that I turned on continuous logging.
- Don't overlook the problem. Sometimes the rabbit hole is deeper than we think.
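The last-10-hits view that Statpress gave in Part I and the "check your logs" lesson above come down to the same thing: looking at the whole access log, not the tail of it. As an added example (not code from this post, nor from Site5, WordPress or Statpress), here is a small Python script that parses combined-format access log lines, totals hits per day, per path and per client address, and flags any day whose traffic jumps well above the median of the earlier days; the log lines, paths, addresses and thresholds are all constructed for illustration.

```python
import re
from collections import Counter
from statistics import median

# Regex for one line of the Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(lines):
    """Yield (ip, day, method, path, status) per well-formed line; skip malformed ones."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["day"], m["method"], m["path"], int(m["status"])

def summarize(lines):
    """Aggregate the whole log: hits per day, per path, per client IP, and POSTs per path."""
    per_day, paths, ips, posts = Counter(), Counter(), Counter(), Counter()
    for ip, day, method, path, _status in parse(lines):
        per_day[day] += 1
        paths[path] += 1
        ips[ip] += 1
        if method == "POST":
            posts[path] += 1
    return {"per_day": per_day, "paths": paths, "ips": ips, "posts": posts}

def spike_days(per_day, factor=5, min_hits=100):
    """Flag days with >= min_hits hits and > factor x the median of earlier days (log assumed chronological)."""
    flagged, history = [], []
    for day, count in per_day.items():
        if history and count >= min_hits and count > factor * median(history):
            flagged.append(day)
        history.append(count)
    return flagged

def make_line(ip, day, method, path):
    # Builds one constructed combined-format log line (sample data, not real traffic).
    return f'{ip} - - [{day}:12:00:00 +0000] "{method} {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Constructed sample: three quiet days of 15 hits from varied addresses, then one day
# with 300 hits, most of them comment-form POSTs from a single address.
SAMPLE_LOG = []
for day in ("10/Jan/2012", "11/Jan/2012", "12/Jan/2012"):
    for n in range(15):
        SAMPLE_LOG.append(make_line(f"198.51.100.{n}", day, "GET", "/about/" if n % 2 else "/"))
for n in range(300):
    path = "/wp-comments-post.php" if n < 250 else "/camera-just-installed-detects-carjacking/"
    SAMPLE_LOG.append(make_line("203.0.113.5", "13/Jan/2012", "POST" if n < 250 else "GET", path))
```

Run `summarize(SAMPLE_LOG)` and pass its `per_day` counter to `spike_days` to see the fourth day flagged, with a single address and the comment endpoint at the top of the client and POST tables.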
You can continue reading this story: Cleaning the House and Epilogue.