Tuesday, April 27, 2010

Hacked!

Yesterday, the animal shelter called me. "Our website doesn't work."

Their website is hosted on my server, and I maintain it for them so I went to take a look. The first problem was easy to find: their domain name simply went to a GoDaddy.com landing page. "Looks like the domain name must have expired or something," I said. I'd seen it a dozen times before. "Just make sure the credit card didn't expire or something like that."

After fixing that, the shelter manager called me back. "It's pointing where it should, but they said it'd take a few minutes to update."

"Great," I said, but that reminded me that I had a second temporary link I could use to view the site if the domain name was down. Just for the heck of it, I checked out the site, and was greeted by flashing images and random text. Oh no! Their site has been hacked! Thousands upon thousands of mostly-empty folders with random names clogged their account. The shelter's own files and folders remained, except for the home page which had been replaced with the hacker's own page.

This was a kick in the pants. As security-conscious as I am, I had failed somewhere. Doing a little research, it wasn't hard to see where. When I set up their FTP account, I had chosen too easy a password. It was a non-dictionary word that I had appended some numbers to... but the non-dictionary word was their domain name, and I hadn't stopped to think that a brute-force attack might toss that into the mix.

That wasn't the primary problem. Their unique password I could change, but I realized I had a bigger security hole. All the sites on my server that need to use the database use the same username/password to access it. If the hackers cared, they could glance at the database configuration file in the site that they hacked and get into the database, where they'd have access to every site's data. There wasn't anything particularly sensitive in there that wasn't encrypted, but still not a good thing.

The first thing I did was change the password on the account. The second thing was to change the database password. The third thing was to give each site a unique password to the database with limited access. That way, if one site was hacked, it couldn't spread to other sites, and it would be easy to cut off that single access.
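The per-site database accounts described above, as an added example that is not the blog's own setup. It assumes MySQL/MariaDB syntax and uses hypothetical database, user and password names (shelter_db, shelter_app, shared_web, and so on).

```sql
-- Added example (not the blog's configuration): one database account per site,
-- each with its own password and rights only on its own schema.
-- Assumes MySQL/MariaDB; all names and passwords below are placeholders.

-- The shelter's site gets its own schema and its own account.
CREATE DATABASE shelter_db;
CREATE USER 'shelter_app'@'localhost' IDENTIFIED BY 'unique-long-random-password-1';

-- Grant only the data-manipulation rights a web application needs,
-- and only on that site's schema (no GRANT OPTION, no FILE, no access to other schemas).
GRANT SELECT, INSERT, UPDATE, DELETE ON shelter_db.* TO 'shelter_app'@'localhost';

-- Repeat for every other site hosted on the server, each with a distinct password.
CREATE DATABASE othersite_db;
CREATE USER 'othersite_app'@'localhost' IDENTIFIED BY 'unique-long-random-password-2';
GRANT SELECT, INSERT, UPDATE, DELETE ON othersite_db.* TO 'othersite_app'@'localhost';

-- Retire the old shared account, so the credentials in any one site's
-- configuration file no longer open every site's data.
DROP USER 'shared_web'@'localhost';
FLUSH PRIVILEGES;

-- Check that an account sees only its own schema.
SHOW GRANTS FOR 'shelter_app'@'localhost';

-- If a single site is compromised, cutting off its access is one statement
-- and leaves the other sites untouched:
-- DROP USER 'shelter_app'@'localhost';
```

Each site's configuration file then holds only its own account's credentials, so a leaked config file exposes one schema rather than all of them.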

Fortunately, I keep good backups so it was easy enough to restore the hacked site. The hardest part was wading through the massive number of folders the hackers had created.

I wish I had fixed that particular security hole BEFORE something happened, but at least it's better now.
