
How did it happen?

Thu, 30 Mar 2006 at 20:28 • Chyetanya Kunte • Filed under Moods and Blues

Some weird things have been happening in these parts. I was frustrated with the way things were going with this site. I wrote a frustrated post, redirected it, and then deleted it. I haven’t had much sleep in the last two days. This episode—in a strange way—reminded me of Steve Gibson’s account of a DoS attack back in 2001. In my case, here’s what happened.

I assume that my FTP password was either cracked or stolen. How can it be stolen? Well, I am partly to blame for the mess. I used one password for all: my FTP login and my database login. And you know what? The database password is in plain text in the config file of any content management system! It doesn’t take much to figure out what to do next, if you’re an evil person.

Note to self: Always use incredibly long and crazy passwords that make the crackers give up trying. They don’t like it when you’re wasting their time; imagine your smile to the effect of “come on, assholes, waste your time trying on my domain while I go have a pizza.”

Once they were in, they created some dubious folders with files replicating some bank’s sign-in page (in all its graphical glory, including logos and stuff) with the intention of phishing, and planted scripts with the intention of spamming. Thanks go to some good souls and some security folks who informed me that my site was sending out phishing attacks! Phishing attacks! OMFG! This is not happening!

My site—like the victim’s machine in Steve’s story—became a zombie for sending out malicious content. Some BOFH—I don’t know how he (I assume it’s a he, and I’m not too sure if it was one person either)—got hold of my FTP password and parked long-named files. It happened around March 4. And I, like an idiot, have really not bothered to look at my stats or raw logs since then. The folder had a PHP mailer script that was sending supposedly obfuscated email (any idiot would reverse it to determine that it was my site from which the phishing email originated; all at my expense, of course!).

You could say that my site was acting like a zombie, performing blackhat tasks in the background. This had been going on for over three weeks, and all the while I was blogging! I guess it must have been cracked during my updates to 2.0.1, when I was uploading files in active state. My bad. I should remind myself never to do that again just to hurry up the process.

I noticed one more thing that evaded suspicion. All folders created for malicious intent were under existing ones I had created for serving the original content—like pictures and files—on this site. So, naturally, I wasn’t actively monitoring the contents of these static folders per se. That changes now.

At the moment, it looks like it’s over and I’ll be running down my intestine with frequent spot checks, log checks and stat checks.
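The two checks described above (script files hiding under directories that should only hold pictures and downloads, and raw access logs showing who was hitting them) can be scripted rather than done by eye. The following is an added example, not code from the original post or from the author’s site: it builds a constructed web root and a few constructed Apache-style log lines with RFC 5737 documentation addresses, flags any script-like file below the static directories, greps the flagged files for strings typical of planted mailers (`mail(`, `base64_decode(`, `eval(`; a hypothetical heuristic, not a signature set), and counts requests to those paths per client IP. The directory names, file names and log lines are all assumptions for the demo.

```python
import os
import re
import shutil
import tempfile
from collections import Counter

# Extensions that have no business sitting under a directory that is only
# supposed to hold images or downloads.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".pl", ".cgi", ".py", ".sh"}

# Strings commonly seen in planted mailer / phishing scripts. Hypothetical
# heuristics for this example; a real scan would use a maintained rule set.
SUSPECT_PATTERNS = [re.compile(p, re.I) for p in
                    (r"\bmail\s*\(", r"base64_decode\s*\(", r"\beval\s*\(")]

# Apache "combined"-style line: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def find_scripts_in_static_dirs(webroot, static_dirs):
    """Return sorted (relative_path, matched_patterns) for every script-like
    file found anywhere below the listed static directories of webroot."""
    hits = []
    for d in static_dirs:
        for dirpath, _dirs, files in os.walk(os.path.join(webroot, d)):
            for name in files:
                if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                    continue
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, webroot).replace(os.sep, "/")
                with open(full, "r", errors="replace") as fh:
                    body = fh.read()
                matched = [p.pattern for p in SUSPECT_PATTERNS if p.search(body)]
                hits.append((rel, matched))
    return sorted(hits)


def requests_to_paths(log_lines, rel_paths):
    """Count, per client IP, the requests whose URL path hits a flagged file.
    Query strings are stripped before comparison."""
    wanted = {"/" + p for p in rel_paths}
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0] in wanted:
            counts[m.group("ip")] += 1
    return counts


def build_demo():
    """Constructed web root and log lines (not real data); returns the results
    of both checks so they can be inspected or asserted on."""
    webroot = tempfile.mkdtemp(prefix="webroot_")
    try:
        os.makedirs(os.path.join(webroot, "pictures", "2006", "thumbs"))
        os.makedirs(os.path.join(webroot, "files"))
        # Legitimate static content.
        with open(os.path.join(webroot, "pictures", "2006", "photo.jpg"), "w") as fh:
            fh.write("not really a jpeg, just a placeholder\n")
        with open(os.path.join(webroot, "files", "readme.txt"), "w") as fh:
            fh.write("downloads go here\n")
        # A planted mailer, buried two levels down under the pictures folder,
        # named to look like an image. Constructed for this example.
        planted = os.path.join(webroot, "pictures", "2006", "thumbs", "img_2006_03.php")
        with open(planted, "w") as fh:
            fh.write("<?php\n$to = base64_decode($_POST['t']);\n"
                     "mail($to, $_POST['s'], $_POST['b']);\n?>\n")

        hits = find_scripts_in_static_dirs(webroot, ["pictures", "files"])

        # Constructed access-log lines using RFC 5737 documentation addresses.
        log_lines = [
            '198.51.100.7 - - [04/Mar/2006:03:10:02 +0000] "GET /pictures/2006/photo.jpg HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
            '192.0.2.10 - - [04/Mar/2006:03:12:41 +0000] "POST /pictures/2006/thumbs/img_2006_03.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
            '192.0.2.10 - - [04/Mar/2006:03:12:44 +0000] "POST /pictures/2006/thumbs/img_2006_03.php?x=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
            '192.0.2.10 - - [04/Mar/2006:03:13:01 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/4.0"',
        ]
        counts = requests_to_paths(log_lines, [rel for rel, _ in hits])
        return hits, counts
    finally:
        shutil.rmtree(webroot, ignore_errors=True)


if __name__ == "__main__":
    hits, counts = build_demo()
    for rel, matched in hits:
        print("script under static dir:", rel, "matches:", matched or "none")
    for ip, n in counts.most_common():
        print(ip, "hit flagged files", n, "times")
```

Run it on a real site by pointing `find_scripts_in_static_dirs` at the document root and `requests_to_paths` at the raw access log; any script under an upload or image directory is worth a look even if none of the patterns match.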

A morsel of advice: Hijacking sites is easy, and carrying out suspicious activities right under your nose is easy too, if you’re a casual user. A word of caution to all bloggers with a domain and a host: watch your backs and your folders. Most of all, choose the right host, one who can alert you even when you relax.

Now for the climax, do you want to know who cracked my site? Here are a couple of IPs (I have a 30MB dump that gives me a fairly accurate picture, so, there’s no mistaking this one). I believe someone at these IP addresses accessed my site and planted stuff:

58.65.208.76
58.65.208.85

And guess what? They originate from an ISP in Pakistan. Oh the irony.



5 responses to “How did it happen?”

  1. Jonathan O. said:

    That’s really horrible. I’m sorry to hear that happened to you.

    If you’re planning on using crazy long passwords in the future, I’d recommend KeePass. It’s an open-source program that can generate passwords and save them in a highly encrypted database. I never use the same password for my accounts and all of my passwords are 16 characters long and would take an eternity to crack. I have KeePass on my USB flash drive, so that I always have all my passwords with me. I’ve used the program for about a year now and I’d highly recommend it.

  2. Chetan said:

    Thanks, Jonathan.

  3. John said:

    Steve Gibson’s http://www.grc.com/pass is also good at generating passwords.

  4. Chetan said:

    John: Thanks for the tip. I believe I missed it. Haven’t been keeping up with Steve’s site :)

  5. Linkback: ckunte.com | Pharming on the web using blogs
