Check Please!
Crime scene

On Being Hax0red - Rebuilding After A Hacker Attack

WEBSITE | JUL. 24, 2006

I love email from my friends - jokes, comments, suggestions, viral video. Hell, I'll even re-read the crap falsely attributed to George Carlin that limps in every six months or so.

What I don't want to read is, "Dude, you appear to have been hacked."

A quick URL over to www.lowlights-now.com confirmed this news; my PHP-Nuke 7.5 had been mildly butchered, with a nice redirect to some "Yo, HaxOred" graphic prepared by some 16-year old Uzbek who could have spent his time more profitably masturbating or pirating DVDs of Adam Sandler films.

I mean, really - who am I? Some silly satire site a world away that never done no harm. And was, in fact, entirely unsecured by tech standards. Take on a Yahoo, an eBay, the DoD; show you've got some grapes. Attacking me is just a step above kicking the family cat. Sure, it's "there" - but you don't have to do it.

Take on a Yahoo, an eBay, the DoD; show you've got some grapes. Attacking me is just a step above kicking the family cat.

For those authors and authorettes who use PHP-Nuke as a CMS (content management system), evidently there is something called a "SQL injection hack." This is what took me down. Since CMS content is held, until needed/wanted/desired, in a database; the viewing of your page o' yuks requires a server-side database query and on-the-fly page construction by the web browser.

If a surfer asks the wrong question, or tries to access the wrong page or directory of your site, they get the famous "404 Error" page (which you've probably modified into some snarky customized missive).

BUT, if a "clever" 16 year old from a second world country creates just the right nonsensical query of your database, that database of yours - while telling the intruder to "thoroughly go to hell" also adds "because you didn't use password x". Your software just gave up the goods.

From there the cyberdorks usually lock you out as Administrator, make themselves the God Administrator, and start dropping some poorly-spelled text and HTML redirects into your Story Content or Header and Footer pages. And then they move on to the next person, because - you know - you have to keep yourself busy until the pubes come in.

I tried upgrading my PHP-Nuke site to a more stable version once I regained access to the Admin panel of my site. But I really like to write comic material, not so much spending my life delving into PHP code. I thought I had the site clean as a whistle, but I did as good a job crashing that site as those Eastern Bloc code larvae did originally. Clean as Tommy Lee's whistle, maybe.

So - I made the ultimate sacrifice. No, I didn't give up satire (though my wife begged); I gave up PHP-Nuke. I moved the whole thing, every hand-crafted gag, slowly but surely to WordPress software - which is, to my way of thinking, easier to use. Easier to backup. Basically - easier.

LL-N is back, and I'm sure my 12-15 viewers each day are so damn thankful it is.

Don't let what happened to me happen to you. And I'm talking about being hacked, not about that misunderstanding on South San Padre Island during Spring Break.

If you're a code guy, secure your site. If you're not a code guy, back up your site a lot.

I know funny. And being hacked isn't funny.

What Happened to LL-N?

Analysis by Jeremiah Weisserhut

The 16 year-old Uzbek kid has no particular interest (or probably even knowledge) of the victim site. When a hole is discovered in something like PHP-Nuke or some other deployed system someone (with some bit of skill) will develop a "kit" for it to identify and exploit vulnerable systems automatically. In all likelihood the vandal was a "script kiddie" using one of these kits. The attacker didn't start out saying, "Hmm, let's see what is up with www.lowlights-now.com". Instead it would have been one of several sites found to be vulnerable to something or other in a relatively random sweep of thousands of sites.

The good news is that the attack was mere vandalism, and quickly noticed. It could have been much worse. Depending on how much access the attacker got, he could have used the victim site to host phishing pages, or warez, or child pornography, all in a location that the legitimate users and operators of the site wouldn't notice. Most illegal content hosted on the web is hosted on compromised sites, to make it harder for things to be traced to the bad guy. Even if your site is low profile and obscure, it will be scanned for vulnerabilities, perhaps dozens of times an hour.

SQL injections - the tool that broke Lowlights Now - are all the rage now, but just because PHP-Nuke is vulnerable today and WordPress has no (known) vulnerabilities today doesn't mean that the same will be true tomorrow. The key for any tool like this is to join the product mailing list, and to make sure you know both when security fixes are made available and how to get them (i.e., do you have to pay for them?) WordPress, the example chosen here, is distributed under the General Public License, so security updates should be freely available as they are developed; although with any system, whether commercial or not, there is always the possibility that people will stop maintaining it.

With things distributed under the GPL (or other Open Source licenses) in the very worst case it would be possible to hire someone to fix things.

The bottom line is:

  • Care about security even if you don't care what happens to your data.
  • Monitor announcements about the software systems that you use.
  • When choosing a system, consider how expensive/difficult it will be to get security fixes.