South Park Self

hack, slash

There's this unruly bugger somewhere in Russia or the Ukraine or whatever who routinely hacks my website, specifically the one in my actual name where I keep my teaching pages - it's a WordPress site, which is apparently tantamount to sticking a huge banner reading "HACKERS WELCOME!" over its front page. Since one of the things I teach is a section on vampires and the internet in a History of Eroticism course, it's clearly being targeted by a sort of "hur hur hur" juvenile whose so-called "thought processes" are rendered even less functional than usual by the mere mention of the word "sex". He (and I say advisedly, it feels very maladjusted-juvenile-male to me) habitually overwrites the index.php, to replace every page in the site with a GeoCities-style black page featuring some scantily clad female, often of the vampiric persuasion, in a vacuously available pose, while scrolling inscriptions in various languages crow pointlessly about his own cleverness in hacking me. It's the virtual and textual equivalent of some awkwardly skinny and acne-ridden dude in a too-tight speedo flexing his nonexistent muscles in the vain and delusional belief that it renders him the cynosure of feminine admiration. Sad, really. And bloody annoying, because it's my professional page in my own identity, and doesn't really create a very good impression if a colleague looks me up, which they actually may do given that I have three conference papers accepted for this year.

Stv used to exterminate these little cockroaches for me, but I've just moved my sites out of his hosting ambit, which means I can no longer meep at him about it, but conversely in the last few days have become involuntarily far more proficient with basic WordPress functions. I am now perfectly capable of rewriting the index.php when necessary, it's very simple, and caused me a certain amount of vindictive satisfaction to reverse things in moments when the bastard hacked me for the inaugural time on the new servers yesterday. It won't, of course, sort out any nasty backdoors or other bits of code the Juvenile Hacktwit has left lying around on the site, so a large chunk of this weekend is going to be spent working painstakingly through various sites which detail how to protect oneself from this sort of attack, and fiddling accordingly while desperately hoping I don't break anything.

It occurs to me, however, that the high concentration of computer proficiency among the witterers may be useful in providing an answer which I couldn't actually find on Teh Internets. The stat counter thingy on my site identifies robots.txt as one of the most frequently-hit resources, which is interesting as diligent search suggests that, unless it's tucked away somewhere really counter-intuitive, I don't have a robots.txt file on the site. (Which is apparently quite fine, since malign bots ignore it and hackers use it as a pointer to the stuff you don't want them to see which they therefore really want to see, so it all seems a bit pointless). The statcounter insists that the hits are all real people rather than bots. My question is, what are these people looking for? Are they simply checking for the aforementioned "private" bits of the site, or is there some other nefarious purpose? Enquiring minds want to know.
  • Current Mood: annoyed annoyed, determined
  • Current Music: Magnetic Fields
  • 10 comments
Sadly Wordpress has been having a lot of security problems lately, see http://www.theregister.co.uk/2011/11/02/wordpress_mass_compromise/ You may want to consider moving your site to somewhere supported by the campus IT elves...
I have it on Imaginet, who have a bunch of really very lovely and efficient geeks on their staff, so I suppose I could always turn it over to them. But I'm quite enjoying digging into the bones of the process and self-educating. If the hacking persists and I can't block it, I will certainly enlist Professional Help. The campus options for hosting are a bit annoying and limited to use, I hate their CMS, which is why I don't really want to go there.
I'm all in favour of the joy of DIY sysadmin skills :)

it sounds like you have a good ISP, you could mention the problem to their friendly geeks, they may be able to help, for example blocking the attackers ip address at the firewalls.
That's definitely a thought. What I've done in the meantime is to find a 5-star-rated WordPress plugin called Bulletproof Security which automates, as far as I can work out, most of the suggestions made by various websites for hacker-proofing your blog. We'll see how that goes. It was certainly much easier to install it and click all the little buttons than to dig around adding lines of code to imperfectly-apprehended PHP files by manual means :>. I do like the internet. People share. Free plug-in writers are the exact and balancing opposite to hackers.
I've heard of entire counties being blocked from some sites due to frequent pestering. The user's IP address can change, but that part stays the same.

You weren't expecting readers from the Ukraine anyway, were you?
robots.txt is usually a very simple text file, which lists the parts that search engines shouldn't go into. Google et al *should* honour it, mostly because it lists routes that would waste both parties time and effort (e.g. the site's internal search results pages and "I don't have a page for that" pages. Lack of this could at one stage cause the googlebot to get lost in an endless Borgain library of generated pages).

It shouldn't be tucked away anywhere, it should be at the root of the site. That's where it lives, if present. It isn't a way to hack a site in itself, it's just a text file.

Possibly the hits that you see are googlebots requesting robots.txt and finding nothing. The last internet-facing site that I worked on, I noticed these requests quite soon. So I made a simple robots.txt. But then I had the luxury of erecting "keep out" sign that didn't list any particular routes, just disallowed everything. You *probably* don't want that if it's how people find you. You could put down a simple one that allows everything to be indexed.

I'm not convinced that it gives much away in terms of things to look for - the fact that you're running wordpress gives much more away IMHO. It may be a red herring.


Edited at 2012-03-31 11:46 pm (UTC)
This is very reassuring, thank you! - that's pretty much what I'd worked out about robots.txt, but I never quite trust my own reading in this sort of thing, being as my technical knowledge is somewhat sketchy. Pls to gloss for me: "root" of the site in this instance, does it mean the main directory in which all the html is stored (i.e. alongside the index page), or does it mean one of the higher level directories named like a series of grunts (bin, dev, conf, usr, etc)? Bit of a moot point, I can't find it anywhere anyway, but once again, enquiring minds etc.

One of the things my nice new Bulletproof plugin does is to strip all the automated WordPress indicators, especially version number, which will hopefully put something of a spoke in at least the automated versions of the hacker wheel. (New theory: hackers are like hamsters. Discuss.)
I meant the web root - the "the main directory in which all the html is stored" and served as http://somesite.com/ , not the subfolders like http://somesite.com/grunt/

People who deface websites are mostly like opportunistic vermin - a particular way of hacking sites is used most not because it's cleverest, but because it's most widely available. Automated and well-known hacks are most widespread.
Suggestion
(Anonymous)
You (or your Imaginary Friends) should be able to check the logs to see where said hacker got in: Raw Access Logs in cPanel.

It might be a good idea to start a bit fresh, rather than trying to find files that aren't legit.

Make a backup using the BackupBuddy plugin.
Review WP user accounts (you might need to look at the db directly, using phpmyadmin in your cPanel), and delete any dodgy ones.
Delete all files in your public_html folder (aka web root) except the wp-config.php file and the wp-content folder and.
Upload a fresh copy of WordPress, delete wp-config-sample.php.
Upload fresh copies of the contents of the Themes and Plugins folders, overwriting any stuff that exists on the server.

And stuff.
Re: Suggestion
> Review WP user accounts

In theory there should be 2 accounts - the one that you use every day, and an admin account. The admin account usually has a fixed name (e.g. "admin") but you can change that.
  • 10 comments