From Yume Miru Kusuri, illustrated by Kiyotaka Haimura

On April 27, H.C.Staff was hacked for the second time. Getting a hold of my FTP password, which I hadn’t changed in over a year, a malicious individual was able to attach scripts to the ends of my HTML files and WordPress templates, scripts which contained words not normally discussed outside of H-games. And folders containing HTML files with unmentionable names appeared in various web folders. Google got word of this and blacklisted my site, resulting in “This site may harm your computer” in Google, and “Reported attack site” in Firefox.

After changing my password, I was able to purge the web directory and database, and restore them both from backups. Then I submitted a request via Google Webmaster Tools to have my site removed from the blacklist. They confirmed the removal of the “badware”, and now Google and Firefox have stopped warning visitors.

Two posts were lost: the Tsumugi Love post, and the post about Magic the Gathering player Yuya Watanabe and his profession, light music (軽音楽, “keiongaku”, or “kei-on” for short.)

Hopefully the hacker doesn’t have the means to get my password again with a snap of the fingers. I tried to ask my webhost’s support about how a hacker could have gotten my password, but they weren’t of much help. The only information I got was from my CPanel web stats analyzer, and while there was information that pointed to the FTP use of the unauthorized party, there wasn’t any sign of SQL injection or other exploits. Of course, I may just be looking in the wrong places.

From now on I’ll back up more often and change my password more often, but I don’t know what else I can do.

6 Responses to “Uuuaaaaahhhhhh!”

  1. The most likely answer is that he guessed it. Most people are not very creative when it comes to creating passwords.

    I tend to create them by mashing two words together e.g. “hammer” and “carrot” yields “hamcarmerrot”. That’s pretty much impossible to guess.

    But things like the name of your pet, or your favorite music group, or your favorite basketball star, or your girlfriend’s name, or the words “sex” and “secret”; these things are not secure. Someone trying to attack a site like yours will have a bot which works through a list of a few hundred potential passwords which experience has shown are more common than they should be.

  2. Author says:

    Guessing and dictionary attacks is a possibility. Another possibility is snooping of FTP, which is easily done, but usually it’s associated with wireless. Although there were a few attacks on ISPs and installation of snoopers in routers, it’s not a common vector. It’s usually executed against high value targets by people with money, not against random websites.

    I usually create passowords by stringifying /dev/random. They are impossible to remember, so I store them in a securely managed encrypted file.

  3. ephemient says:

    I use the standalone version of apg (http://www.adel.nursat.kz/apg/) to generate passwords — there’s online password generators too, but I’m a bit paranoid.

    The Diceware method (http://world.std.com/~reinhold/diceware.html) is lower-tech, requires nothing but dice 🙂

    On my important stuff, I change passwords a few times per year. I then write it on a post-it, which I keep on my monitor until (a week or two later) I can use it easily.

    That helps to protect against brute-force (dictionary) attacks, and using secure FTP (if the host offers it?) helps to protect against MITM attacks, but… it’s hard to be 100% safe, or even 90%.

  4. Chika-Chin says:

    I really don’t understand why some people get a kick out of disrupting other people’s lives. I feel for you!

  5. Vatina says:

    I was wondering why I couldn’t access your site. Sorry to hear that, hope it won’t happen again :S

  6. Maestro says:

    If you’d like some help hardening your WordPress install against hacks feel free to contact me. I can also help you make sure the attacks haven’t left behind nasty surprises (they hide stuff in the database that allows them to regain control, stuff that will _not_ show up from the Dashboard, like hidden plugins and user accounts.) I’ve cleaned up enough hacked blogs that I believe I can do it in my sleep by now. o_O

    Also: unless your hosting company has told you that there were actual FTP logins they very well may not have gained access to your FTP login. There are complete packaged scripts that give you an entire shell environment that the attackers use. If they can exploit some flaw to get the script file uploaded, they have full control. The script itself allows them to download and upload files at will. Going by the time stamps I see on files of hacked blogs they download the entire site, then patch it with their hacks and upload the modified version. They don’t always attach malicious payloads, sometimes they just patch and bide their time, or perhaps use the modified files for launching DDoS attacks from the server your blog’s on.

    In any case, these types of attacks are far from uncommon. WordPress has a very large installed base now and hackers and script kiddies target it with a passion. I’ve seen some things that make me suspect there’s a few unpatched vulnerabilities in even the latest WP version, but I have no definitive proof of that. (And I don’t think the developers have discovered the problem(s) yet if they do exist. Eventually it’ll get found and made public and patched though.)

Leave a Reply