10 Great Reasons NOT to use WordPress…

As many of you know, I’m normally a huge fan of using WordPress (in both the hosted and self-hosted formats), but tonight I’m not feeling so generous…

  1. WordPress blogs can be hacked! (If you came here yesterday, then you know what I mean!)
  2. It’s open-source with no one to call when your site goes down, especially not on a Sunday night of a three-day weekend.
  3. Even if you do find someone who could help, they will likely blame your problems on lax security (and they’re probably right).
  4. After hours of backing up, reinstalling, and general complaining, you may not know what security lapse you made (i.e. they could be back tomorrow!)
  5. Should your site ever get hacked, expect that it will occur while you’re on a two-day rafting trip on the beautiful Kern River!
  6. Moving photos and other files between servers and hard-drives (while trying to move fast and keep an organized filing structure) is a pain.
  7. Your site might turn out to spend a day displaying anti-Semitic remarks (OUCH!).
  8. Despite the “1-step” updates advertised by the WP crew, updating a WP blog is a pain and no fun, but obviously important, and will never be forgotten again!
  9. There are some groups you just don’t want to be associated with.
  10. BTW, if something looks fishy on the site, please let me know. I’ve deleted and reinstalled every file I could find and I’m sure I missed a few details! (The sidepanel on the wiki comes to mind, but I’ll have to wait until another day to fix that issue!)

Thanks to everyone who sent me a note alerting me to the hack! It’s awesome to find out just how many people are looking out for RCG! :)

About the Author: Dustin Luther

As the founder of Seattle's Rain City Real Estate Guide, Dustin lives to talk about, discuss and implement social media strategy to drive business. In following his passion, he founded 4realz.net Marketing Consulting and regularly speaks about social media strategies to real estate audiences.

Comments

1. Comment from Jim Duncan
Time September 4, 2006 at 3:52 am

I’ve upgraded. Thanks for the reminder! :)

2. Comment from Garth
Time September 4, 2006 at 5:02 am

You might consider Joomla, http://www.joomla.org/ I use it on most of my sites. It’s secure, open source, has a very active community behind it and hasn’t had any major hacks against it (that I can remember).

3. Comment from Greg Swann
Time September 4, 2006 at 5:41 am

I’d be interested to hear, perhaps by email, what got hit and how. Glad you were able to recover, in any case.

4. Comment from Jason Leister
Time September 4, 2006 at 6:06 am

Dustin,

Great recovery… That’ll teach you to go on vacation :)

Keep up the good work!

5. Comment from Robbie
Time September 4, 2006 at 7:31 am

I would recommend you read WordPress Security Tips and Pitfalls before you go on your next vacation. :)

Don’t feel too bad though, hacked servers happen to the best of us, and the only thing you can really do is learn how to prevent it in the future and how to quickly recover from them. Perhaps we, as RCG administrators and contributors, need to use stronger passwords for everything? I suspect that’s how the attacker got control of RCG: he exploited a weak password somewhere.

Although, this unfortunate episode reminded me I needed to add Michael Howard’s blog (Software Security Guy at Microsoft) to my RSS reader. I gotta stay current w/ what’s hip & happening with the BlackHat crowd.

6. Pingback from A note from the Swan of Avon about Rain City Guide . . . | BloodhoundBlog | The weblog of BloodhoundRealty.com in Phoenix, Arizona
Time September 4, 2006 at 7:45 am

[...] The world has begun again… [...]

7. Comment from Josh
Time September 4, 2006 at 8:28 am

Welcome back. Sorry that you had to deal with those hackers.

I’d also like to know exactly what happened, in an effort to protect myself and others. Please feel free to email me or post it here! Thanks.

8. Comment from Dustin
Time September 4, 2006 at 9:02 am

All,

I’d love to tell you how they got in and exploited my site, but I simply don’t know. My guess is either
1) They found a weak password as Robbie suggests, or
2) I mis-configured the permissions on my server.

I suspect the second issue because a number of WP plugins require that the web admin set folder settings so that the plugin can “write” to the server. I’ve tried to be as conservative as possible when changing these settings because I’ve always thought that it was a bad practice for me to allow my server to write over files when I’m not sure what is “safe” and what is “dumb”. Anyway, at this point, I’ve changed all the permissions so that the server cannot write (overwrite!) files, but that means that I don’t have easy plugins for things like backing up the database and updating the .htaccess file. Such is life until I start feeling adventurous again.

9. Comment from Greg Swann
Time September 4, 2006 at 9:22 am

From appearances (I didn’t test exhaustively), it seemed that everything at the root level for the domain had been erased and you (or they) had set the default 404 behavior to index.php. Is that correct?

10. Comment from Dustin
Time September 4, 2006 at 9:29 am

No, I don’t think they erased anything… My first step was to over-write the index.php file, but that did nothing. They were clearly messing with something on a deeper level and my guess goes back to the .htaccess file, which I think (but I really don’t know) would cause the behavior you described. I’ve noticed that the .htaccess file has a ton of power. And seeing as how this file allows the server to write the “human readable URLs” on the fly, I’m pretty sure it could be configured to do the redirection that was going on. If anyone thinks I’m full of it and spreading bad information, please feel free to step in! :)

11. Comment from ARDELL
Time September 4, 2006 at 10:14 am

I changed my password, for what it’s worth. I suggest everyone do the same.

12. Comment from patrick
Time September 4, 2006 at 2:37 pm

How are you doing “..require that the web admin set folder settings so that the plugin can “write” to the server..” this? If you have chmoded to 777, then anything can be written there by anyone.

Did you search your server logs? Not just access_log and error_log (these are for Apache), but your system’s kernel log (/var/log/messages), et al? These will provide clues as to what files were scanned and exploited.

13. Comment from Dustin
Time September 4, 2006 at 8:20 pm

Patrick,

I forgot what I ended up with, but I definitely didn’t have any 777s. I remember going through a few iterations to find the minimum that I had to leave open for individual files and still have the plugins work, so I did set things up so that the server could write stuff. Hence, my guess that someone figured out a way to use one of the programs I had installed to trick the server into writing the junk.

Based on the fact that almost no files were added/deleted to the server (that I can tell), it doesn’t look like the hacker got around to doing very much damage.

BTW, I tried looking through some access logs, but I didn’t find anything interesting there… (not that I know exactly what I should be looking for… :) )

14. Comment from Robbie
Time September 5, 2006 at 8:13 am

Wish I could be more helpful. On my planet, index.php is called default.aspx and .htaccess/chmod is replaced by cacls.exe and mad asp.net/ISAPI skills…

15. Comment from patrick
Time September 5, 2006 at 9:48 am

Dustin,

Check for wget in your logs, for starters. Or a lot of stuff that looks like %0A, etc. Also you might consider turning off allow_url_fopen in your php.ini (allowing a url to be included/opened like a file).
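Added example (not from the post or its commenters): a small triage script covering the two checks patrick raises above, looking through an Apache access_log for wget clients, encoded newlines and URL-valued parameters, and walking a WordPress tree for anything world-writable. The log lines and directory tree are constructed here for illustration; the log format assumed is Apache's combined format.

```python
"""Post-incident triage helpers for a WordPress host (added example)."""
import os
import re
import stat
import tempfile
from urllib.parse import unquote

# Constructed combined-format lines standing in for a real access_log.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [04/Sep/2006:01:12:03 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Sep/2006:01:13:40 -0700] "GET /wp-content/plugins/foo/x.php?p=http://198.51.100.7/c.txt HTTP/1.1" 200 14 "-" "Wget/1.10.2"
203.0.113.9 - - [04/Sep/2006:01:13:41 -0700] "GET /index.php?s=%0Afoo HTTP/1.1" 200 31 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def suspicious_requests(log_text):
    """Return (ip, reasons, request) for lines showing the signals named above:
    a wget client, an encoded newline in the URL, or a URL passed as a parameter
    (the pattern allow_url_fopen makes dangerous)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        req, ua = m.group("req"), m.group("ua")
        reasons = []
        if "wget" in ua.lower():
            reasons.append("wget user-agent")
        if "\n" in unquote(req):
            reasons.append("encoded newline in request")
        if re.search(r"[?&]\w+=https?://", req, re.I):
            reasons.append("remote URL passed as parameter")
        if reasons:
            hits.append((m.group("ip"), ", ".join(reasons), req))
    return hits

def world_writable(root):
    """Walk root and list paths any local user (web server included) may write to."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if not os.path.islink(p) and os.stat(p).st_mode & stat.S_IWOTH:
                found.append(p)
    return sorted(found)

def demo_permission_audit():
    """Build a throwaway tree (constructed) with one 777 directory and audit it."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.dirname(uploads), 0o755)
    os.chmod(uploads, 0o777)          # the kind of setting a plugin asks for
    cfg = os.path.join(root, "wp-config.php")
    open(cfg, "w").close()
    os.chmod(cfg, 0o640)              # secrets file: owner/group only
    return [os.path.relpath(p, root) for p in world_writable(root)]
```

Run `suspicious_requests` over a real access_log read from disk, and `world_writable` against the document root, to get the lists patrick suggests checking by hand.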

16. Comment from Joel Burslem
Time September 5, 2006 at 8:32 pm

Glad to see you’re up and running again, guys.

This is a great lesson to anyone running WP - I’m going to have to go through all my permissions and double check them.
