hack, slash
Saturday, 31 March 2012 11:00 am
There's this unruly bugger somewhere in Russia or the Ukraine or whatever who routinely hacks my website, specifically the one in my actual name where I keep my teaching pages - it's a WordPress site, which is apparently tantamount to sticking a huge banner reading "HACKERS WELCOME!" over its front page. Since one of the things I teach is a section on vampires and the internet in a History of Eroticism course, it's clearly being targeted by a sort of "hur hur hur" juvenile whose so-called "thought processes" are rendered even less functional than usual by the mere mention of the word "sex". He (and I say advisedly, it feels very maladjusted-juvenile-male to me) habitually overwrites the index.php, to replace every page in the site with a GeoCities-style black page featuring some scantily clad female, often of the vampiric persuasion, in a vacuously available pose, while scrolling inscriptions in various languages crow pointlessly about his own cleverness in hacking me. It's the virtual and textual equivalent of some awkwardly skinny and acne-ridden dude in a too-tight speedo flexing his nonexistent muscles in the vain and delusional belief that it renders him the cynosure of feminine admiration. Sad, really. And bloody annoying, because it's my professional page in my own identity, and doesn't really create a very good impression if a colleague looks me up, which they actually may do given that I have three conference papers accepted for this year.
Stv used to exterminate these little cockroaches for me, but I've just moved my sites out of his hosting ambit, which means I can no longer meep at him about it, but conversely in the last few days have become involuntarily far more proficient with basic WordPress functions. I am now perfectly capable of rewriting the index.php when necessary, it's very simple, and caused me a certain amount of vindictive satisfaction to reverse things in moments when the bastard hacked me for the inaugural time on the new servers yesterday. It won't, of course, sort out any nasty backdoors or other bits of code the Juvenile Hacktwit has left lying around on the site, so a large chunk of this weekend is going to be spent working painstakingly through various sites which detail how to protect oneself from this sort of attack, and fiddling accordingly while desperately hoping I don't break anything.
It occurs to me, however, that the high concentration of computer proficiency among the witterers may be useful in providing an answer which I couldn't actually find on Teh Internets. The stat counter thingy on my site identifies robots.txt as one of the most frequently-hit resources, which is interesting as diligent search suggests that, unless it's tucked away somewhere really counter-intuitive, I don't have a robots.txt file on the site. (Which is apparently quite fine, since malign bots ignore it and hackers use it as a pointer to the stuff you don't want them to see which they therefore really want to see, so it all seems a bit pointless). The statcounter insists that the hits are all real people rather than bots. My question is, what are these people looking for? Are they simply checking for the aforementioned "private" bits of the site, or is there some other nefarious purpose? Enquiring minds want to know.
no subject
Date: Saturday, 31 March 2012 10:10 am (UTC)
no subject
Date: Saturday, 31 March 2012 10:21 am (UTC)
no subject
Date: Saturday, 31 March 2012 02:31 pm (UTC)
It sounds like you have a good ISP; you could mention the problem to their friendly geeks. They may be able to help, for example by blocking the attacker's IP address at the firewalls.
no subject
Date: Saturday, 31 March 2012 02:38 pm (UTC)
no subject
Date: Saturday, 31 March 2012 11:48 pm (UTC)
You weren't expecting readers from the Ukraine anyway, were you?
no subject
Date: Saturday, 31 March 2012 11:43 pm (UTC)
It shouldn't be tucked away anywhere, it should be at the root of the site. That's where it lives, if present. It isn't a way to hack a site in itself, it's just a text file.
Possibly the hits that you see are googlebots requesting robots.txt and finding nothing. The last internet-facing site that I worked on, I noticed these requests quite soon. So I made a simple robots.txt. But then I had the luxury of erecting a "keep out" sign that didn't list any particular routes, just disallowed everything. You *probably* don't want that if it's how people find you. You could put down a simple one that allows everything to be indexed.
I'm not convinced that it gives much away in terms of things to look for - the fact that you're running WordPress gives much more away IMHO. It may be a red herring.
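An added example, not part of the comment above or of the original post: one way to check the web server's own access log for who is requesting robots.txt and what else each of those clients fetched. The log lines are constructed, the function name is hypothetical, and the User-Agent is self-declared, so "browser-like" only means the client did not announce itself as a crawler.

```python
import re

# Apache/nginx "combined" log format (assumed to be what the host writes).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
CRAWLER_HINT = re.compile(r"bot|crawl|spider|slurp", re.I)

# Constructed sample lines; a 404 on /robots.txt means the file is absent.
SAMPLE_LOG = """\
192.0.2.10 - - [31/Mar/2012:10:01:02 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [31/Mar/2012:10:01:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [31/Mar/2012:10:05:40 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
203.0.113.5 - - [31/Mar/2012:10:09:11 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/11.0"
203.0.113.5 - - [31/Mar/2012:10:09:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/11.0"
""".splitlines()

def robots_txt_requesters(lines):
    """Summarise who asked for /robots.txt and what else each client fetched."""
    others = {}  # ip -> set of other paths requested by that client
    hits = {}    # ip -> (user agent, status) of its robots.txt request
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]
        if path == "/robots.txt":
            hits[m["ip"]] = (m["ua"], int(m["status"]))
        else:
            others.setdefault(m["ip"], set()).add(path)
    report = []
    for ip, (ua, status) in sorted(hits.items()):
        kind = "declared crawler" if CRAWLER_HINT.search(ua) else "browser-like UA"
        report.append((ip, kind, status, sorted(others.get(ip, ()))))
    return report
```

A client with a browser-like User-Agent that asks for robots.txt and then goes straight to the login page is worth a closer look than a search engine crawler that fetches robots.txt and the front page.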
no subject
Date: Sunday, 1 April 2012 07:29 am (UTC)
One of the things my nice new Bulletproof plugin does is to strip all the automated WordPress indicators, especially version number, which will hopefully put something of a spoke in at least the automated versions of the hacker wheel. (New theory: hackers are like hamsters. Discuss.)
no subject
Date: Sunday, 1 April 2012 03:36 pm (UTC)
People who deface websites are mostly like opportunistic vermin - a particular way of hacking sites is used most not because it's cleverest, but because it's most widely available. Automated and well-known hacks are most widespread.
Suggestion
Date: Sunday, 1 April 2012 09:18 am (UTC)
It might be a good idea to start a bit fresh, rather than trying to find files that aren't legit.
Make a backup using the BackupBuddy plugin.
Review WP user accounts (you might need to look at the db directly, using phpmyadmin in your cPanel), and delete any dodgy ones.
Delete all files in your public_html folder (aka web root) except the wp-config.php file and the wp-content folder and.
Upload a fresh copy of WordPress, delete wp-config-sample.php.
Upload fresh copies of the contents of the Themes and Plugins folders, overwriting any stuff that exists on the server.
And stuff.
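An added example, not part of the comment above: uploading fresh themes and plugins overwrites files of the same name but leaves any file that exists only on the server, and the kept wp-content folder also holds uploads. This sketch lists what survives the reinstall; the directory layout, function names and the suffix list are assumptions, and the demo tree is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".php", ".phtml", ".php5"}  # assumed executable by the server

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_kept_content(site_root, fresh_root):
    """Compare the live wp-content with fresh theme/plugin copies (hypothetical paths)."""
    site, fresh = Path(site_root), Path(fresh_root)
    findings = []
    for path in sorted((site / "wp-content").rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(site)
        area = rel.parts[1]  # first component below wp-content
        if area in ("themes", "plugins"):
            clean = fresh / rel
            if not clean.is_file():
                findings.append(("extra", rel.as_posix()))     # only on the server
            elif sha256(clean) != sha256(path):
                findings.append(("modified", rel.as_posix()))  # differs from fresh copy
        elif area == "uploads" and path.suffix.lower() in SCRIPT_SUFFIXES:
            findings.append(("script-in-uploads", rel.as_posix()))
    return findings

def demo():
    """Build a small constructed site plus fresh copy, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        site, fresh = Path(tmp, "site"), Path(tmp, "fresh")
        files = {
            site / "wp-content/themes/demo/index.php": "<?php // theme",
            fresh / "wp-content/themes/demo/index.php": "<?php // theme",
            site / "wp-content/themes/demo/footer.php": "<?php // theme + extra line",
            fresh / "wp-content/themes/demo/footer.php": "<?php // theme",
            site / "wp-content/plugins/demo/cache.php": "<?php // not in fresh copy",
            site / "wp-content/uploads/2012/03/photo.jpg": "constructed image bytes",
            site / "wp-content/uploads/2012/03/thumb.php": "<?php // unexpected",
        }
        for path, text in files.items():
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        return audit_kept_content(site, fresh)

if __name__ == "__main__":
    for kind, name in demo():
        print(kind, name)
```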
Re: Suggestion
Date: Sunday, 1 April 2012 08:03 pm (UTC)
In theory there should be 2 accounts - the one that you use every day, and an admin account. The admin account usually has a fixed name (e.g. "admin") but you can change that.