{"id":483,"date":"2008-11-02T12:16:11","date_gmt":"2008-11-02T17:16:11","guid":{"rendered":"http:\/\/theholtsite.com\/blog\/2008\/11\/02\/heroic-hacker-defense\/"},"modified":"2008-11-02T12:16:11","modified_gmt":"2008-11-02T17:16:11","slug":"heroic-hacker-defense","status":"publish","type":"post","link":"https:\/\/theholtsite.com\/blog\/483\/","title":{"rendered":"Heroic Hacker Defense"},"content":{"rendered":"<p>Last night I got an email regarding the Freedom Farm website I created and host:<\/p>\n<p>&#8220;Hi Ben, I just tried looking at the FF website and I got a turkish anthem popping up. It was so strange. Is it my computer?&#8221;<\/p>\n<p>Hoping it was her computer but dreading the worst, I loaded the site.  Here&#8217;s what appeared:<\/p>\n<p><a href='http:\/\/theholtsite.com\/blog\/wp-content\/uploads\/2008\/11\/picture-1.jpg' title='picture-1.jpg'><img src='http:\/\/theholtsite.com\/blog\/wp-content\/uploads\/2008\/11\/picture-1.thumbnail.jpg' alt='picture-1.jpg' \/><\/a><\/p>\n<p>Woah.  Immediately I could see that I got hacked.  The perpetrator was a Turkish extremist group, and later down the page it said:<\/p>\n<p><a href='http:\/\/theholtsite.com\/blog\/wp-content\/uploads\/2008\/11\/picture-2.jpg' title='picture-2.jpg'><img src='http:\/\/theholtsite.com\/blog\/wp-content\/uploads\/2008\/11\/picture-2.thumbnail.jpg' alt='picture-2.jpg' \/><\/a><\/p>\n<p>Apparently our humble <a href=\"http:\/\/freedomfarmbolton.com\">Freedom Farm<\/a> site met their criteria for being &#8220;Anti-Turk, Anti-Islam, Satanist, and pornographic&#8221;.  Sweet.<\/p>\n<p>Well, I called the company I host with, and they were pretty unhelpful other than to tell me to check my permissions and that this kind of thing happens all the time with Joomla\/CMS setups.  So I was left to figure out exactly what the hackers had done and how to fix it.<\/p>\n<p>The first thing I did was to use a backup to see if any of the files in the site directory had been changed.  
There are thousands of files in this directory, so it took a while and I didn&#8217;t find anything.  Then I ssh&#8217;d into my account and used the &#8220;find&#8221; command to check modification times in the past two weeks for all files.  While doing this, I found a few thousand files in ANOTHER site&#8217;s directory that I hadn&#8217;t put there!  I was being hacked by two different people at the same time!<\/p>\n<p>After three hours of troubleshooting and testing, I found the following:<\/p>\n<p>1) The Turkish hackers had probably used a clever search query or other vulnerability in Joomla&#8217;s install to somehow gain access to the configuration part of the Freedom Farm site.  Then they changed the template file to their own code (<a href=\"http:\/\/theholtsite.com\/hackersource.txt\">source code here<\/a>).  That was it.  Nothing major really, and no permanent damage done.  I replaced the files from the backup and it was fixed.  It&#8217;s just a bit unnerving that someone can do this!<\/p>\n<p>2) Hacker #2 had used a flaw in my PHP code (an include statement) to upload thousands of files to my server.  I fixed this flaw and deleted the unwanted files.  Again, no major damage done and not that hard to fix.  I had run into this problem before but never knew the extent to which it could be exploited.  Hopefully, I have fixed it permanently.<\/p>\n<p>My hacker defense was actually sort of fun.  It gave me something to do (even though I was up until 3 AM) and really tested my own skills.  If this kind of thing happens again, I&#8217;ll be able to fix it much faster.<\/p>\n<p>I thumb my nose at you, Turkish hackers!  Pbbbbtttt!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last night I got an email regarding the Freedom Farm website I created and host: &#8220;Hi Ben, I just tried looking at the FF website and I got a turkish anthem popping up. It was so strange. 
Is it my computer?&#8221; Hoping it was her computer but dreading the worst, I loaded the site. Here&#8217;s [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-483","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/theholtsite.com\/blog\/wp-json\/wp\/v2\/posts\/483","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/theholtsite.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/theholtsite.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/theholtsite.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/theholtsite.com\/blog\/wp-json\/wp\/v2\/comments?post=483"}],"version-history":[{"count":0,"href":"https:\/\/theholtsite.com\/blog\/wp-json\/wp\/v2\/posts\/483\/revisions"}],"wp:attachment":[{"href":"https:\/\/theholtsite.com\/blog\/wp-json\/wp\/v2\/media?parent=483"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/theholtsite.com\/blog\/wp-json\/wp\/v2\/categories?post=483"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/theholtsite.com\/blog\/wp-json\/wp\/v2\/tags?post=483"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}