What happened
On Sunday morning, I woke up, fed my daughter, and read the Los Angeles Times. There was a good article about Joss Whedon’s Serenity, which managed to shoot in Los Angeles at a reasonable budget, largely because of smart planning.
Yet another reason to admire Joss Whedon.
I headed out to the office to blog about this very article. But when I clicked over to johnaugust.com, I was alarmed to see that instead of the familiar brad icon, I was instead greeted by a colored screen and the text, “BunnySlippers ownz u.”
I’d been hacked.
I’ve had my share of technological frustrations with the site over the years, with comment spam and servers going down. But this was different. This was the first time an individual had broken into the site and destroyed things. It was a defacement, like finding someone had spray-painted graffiti on your house.
But it was also more than that — this hacker had gotten into the system, and rooted around. For all I knew, he was still there, waiting for me to fix things just so he could mess them up again. How much had he really gotten to? Had he been able to trace back from the server to my home computer, my Amazon account, my PayPal?
I was pissed, but I was also unnerved.
Had it been my house, rather than my website, I would have called a locksmith to change the locks. The digital equivalent was changing the passwords, which I immediately did. I also shot off a support ticket to the web hosting company, asking if they could help me figure out what the fuck happened.
Then I started cleaning up.
I’m a big believer in the broken windows theory of policing, which stresses taking care of the small incidents of vandalism to forestall greater crime down the road. So the first thing I did was to replace the hacker’s splash screen with a simple “be back soon” page. (You can see it here.)
I then backed up my entire site, along with the database. From a quick look-through, it didn’t seem like any major damage had been done. I could have started the site up in just a few minutes, but I was concerned that the same hacker could have brought the whole thing down again. I needed to know what he did.
I should explain now that the hacker’s name was not BunnySlippers. This is my Josh Friedman-esque pseudonym for him, because I don’t want to give him the ego gratification of this long article using his chosen handle.
BunnySlippers sounds lame, so I think it fits.
I googled “BunnySlippers” and found he was listed on Zone-H, a site that tracks defacements. It’s like a leader board for script kiddies. The ethics behind Zone-H are obviously questionable, but that’s not the issue here. What I quickly learned is that BunnySlippers had hit a lot of sites at exactly the same time as mine.
This was a huge relief. It meant that he wasn’t targeting my site out of some grudge or special interest. Rather, I just happened to have some vulnerability he was able to exploit. In all likelihood, he’d never even been to the site. He’d written a script that crawled around the internet, looking for a certain configuration to exploit.
But what was that vulnerability? I had a list of the other sites he’d hit, but they were all offline, like mine. Using archive.org, however, I could pull up old versions of those sites. I quickly saw that most of them were using WordPress, the software that drives most of this site.
So I upgraded my WordPress installation to the most recent version. It was kind of painful. I’d held off doing it for a few months, because I knew it would break certain features, like comments and archives. (Although in fairness, the Archives were already pretty useless.)
In about an hour, I’d gotten the site working pretty well. There are still some significant things to fix, but it’s at least usable.
The question remains, will the site go down again? Maybe.
The truth is, I don’t think you can really stop someone who’s determined to hurt you. As I’ve learned from every horror movie, psychos are relentless. You shoot them, and they come right back — if not today, then in the unnecessary sequel. That’s part of the reason I’m not stomping my feet and cursing BunnySlippers’ name. Antagonizing him isn’t going to help.
With the help of my web hosting company, I’ve been able to learn a little bit more about my defacer, and how he did what he did.
Warning: From here, things get a little technical and jargon-laden. I’ll try to pretend I’m writing for CSI, where I immediately explain what the big words mean, even though the actual characters would never need to.
It turns out the weak spot was a file called “xmlrpc.php.” It’s a web service that helps move data, and is part of the standard WordPress installation. Its vulnerability had been documented, but I’d missed it. BunnySlippers had used it to overwrite the file “index.php,” the main file which generates all the pages on this site.
By tracing BunnySlippers’ IP address, we can see that he’s Brazilian. (Or at least, his computer is in Brazil.) Following other threads, I’ve found pages that suggest it’s not a single person, but a crew of three people. Hidden in a subdirectory of a German website, you can even see their logo.
Yes, logo. That’s where the graffiti analogy really comes back into play. This guy, or group of guys, isn’t trying to break into air traffic control, or steal money from a Swiss bank account. They don’t perceive themselves as malicious. It’s about getting the respect of others in their community, and recognition for their incredible computer skills.
But do they deserve it?
Using a known exploit to deface the start page of johnaugust.com isn’t such a feather in one’s cap. Other than wasting my Sunday afternoon, it didn’t really accomplish much. There was no political agenda, no artistic statement. It was just annoying.
It was graffiti. And now it’s gone.
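The two things this clean-up actually turned on were noticing that index.php had been overwritten and working out from the host’s logs which requests to xmlrpc.php did it. This is an added example, not code from the original post or from WordPress: a small Python script that baselines a WordPress root with file hashes so an overwritten index.php (or a removed or reappearing xmlrpc.php) shows up immediately, and that pulls every POST to xmlrpc.php out of a Common Log Format access log. The file list, the log lines and the temporary directory in demo() are all constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Files to baseline in a WordPress root: index.php is what the defacement overwrote,
# xmlrpc.php is the endpoint that was abused (the comments suggest deleting it).
WATCHED = ["index.php", "wp-config.php", "xmlrpc.php"]

def build_baseline(root):
    """SHA-256 of each watched file that exists; take it right after a clean install or upgrade."""
    return {n: hashlib.sha256((Path(root) / n).read_bytes()).hexdigest()
            for n in WATCHED if (Path(root) / n).is_file()}

def check_integrity(root, baseline):
    """Compare the tree with its baseline: name -> 'modified' | 'missing' | 'new'."""
    current = build_baseline(root)
    verdicts = {}
    for name in set(baseline) | set(current):
        if name not in current or name not in baseline:
            verdicts[name] = "missing" if name not in current else "new"
        elif current[name] != baseline[name]:
            verdicts[name] = "modified"
    return verdicts

# Common Log Format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def xmlrpc_posts(log_lines):
    """(ip, time, status) of every POST to xmlrpc.php: a burst from one address
    just before index.php changed is the trail to hand to the hosting company."""
    matches = (LOG_RE.match(line) for line in log_lines)
    return [(m.group(1), m.group(2), m.group(5)) for m in matches
            if m and m.group(3) == "POST" and m.group(4).split("?")[0].endswith("/xmlrpc.php")]

# Constructed access-log lines (documentation-range addresses, not real data).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Oct/2005:04:12:02 -0700] "POST /xmlrpc.php HTTP/1.1" 200 312',
    '203.0.113.7 - - [09/Oct/2005:04:12:03 -0700] "POST /xmlrpc.php HTTP/1.1" 200 298',
    '198.51.100.20 - - [09/Oct/2005:04:15:44 -0700] "GET /archives/ HTTP/1.1" 200 8800',
]

def demo():
    """Stage a throwaway root, baseline it, then simulate the defacement and the workaround."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "index.php").write_text("<?php require './wp-blog-header.php'; ?>")
        (Path(root) / "xmlrpc.php").write_text("<?php /* xml-rpc endpoint */ ?>")
        baseline = build_baseline(root)
        (Path(root) / "index.php").write_text("<html>defaced</html>")  # the overwrite
        (Path(root) / "xmlrpc.php").unlink()                           # the workaround
        return check_integrity(root, baseline)
```

Run build_baseline() against the real site directory right after an upgrade and store the result somewhere the web server cannot write; a later check_integrity() that reports index.php as modified is the alarm that was missing here.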

October 10th, 2005 at 12:37 pm
He should be put in prison for that.
October 10th, 2005 at 12:41 pm
John you kick ass!
October 10th, 2005 at 12:49 pm
Steve, you kiss ass.
October 10th, 2005 at 12:56 pm
Your kung fu is strong -
John, I just (yesterday) switched my blog from one that wasn’t working too well to WordPress - can I understand, since I did this so very recently, that it will be less vulnerable than WordPress sites that were pre-updated?
Did that make sense?
October 10th, 2005 at 1:03 pm
Joshua –
I suspect you’ll be fine. Installing the most recent stable version is always the smart way to go. That way, if any problems do come up, there are a lot of smart people trying to fix the situation.
October 10th, 2005 at 1:35 pm
Let’s form up a posse and go git ‘em!
October 10th, 2005 at 1:53 pm
I’ve been holding back on upgrading to the most recent version too… mostly because it means reworking some of my customizations (I notice you found the comment spam prevention you were using now doesn’t work). Sigh. Now I know what I’ll be doing tonight…
October 10th, 2005 at 2:00 pm
Quick question: Even if done correctly, is it considered a cop out in screenwriting to add a slew of characters the story? Many of my favorite movies (Magnolia, Crash, etc) use many characters tied together at some point. But after analyzing a story I’m working on, I inadvertently decided to add characters because my main character didn’t seem strong enough. Would you say this is weak writing or a clever tool to strengthen the character & his scenarios.
And again, we’ll go ahead and assume “It’s done correctly.”
PS: I dig the red pattern. Beautiful.
October 10th, 2005 at 2:22 pm
A virtual BnE is creepy and even more creepy, some hackers get a kickback from internet security companies. We had a business site hacked and within a few hours had calls from 5 different telemarketrons offering us firewall software, etc. They tend to go for popular sites so it’s kind of a compliment when you get hacked. Sympathies.
October 10th, 2005 at 2:29 pm
That stinks. Glad more harm wasn’t done though. This probably won’t make you feel better about the hacking but it’s good for a chuckle:
I was cruising through the net Sunday and made a pit stop at your site. Saw the “be back soon” page which also said “We had visitors.” So I think to myself, “Aw, that’s nice. I bet they’re all cooing over the baby. Wonder who stopped by? Wonder why he put up that page telling us he had visitors. Must be important I guess.” And I was off to the next cyber adventure.
I had a vision of everyone drinking tea and playing with the baby. Not sure why, probably what my subconscious was wishing I was doing instead of jamming my head full of stuff. Anyway, a laugh at my expense.
October 10th, 2005 at 2:32 pm
What a nightmare! I’m on WordPress as well (I discovered them through your site), and have avoided upgrading because I’m only just now getting the code straightened out on my WP 1.5.1.2 site. Like Nicholas, I guess I’ll be working on the upgrade tonight as well.
By the way, it must be driving that hacker crazy to be called “BunnySlippers.” It’s difficult to be worried about some guy you picture sitting around in fluffy, pink bunny slippers. Love it.
October 10th, 2005 at 3:06 pm
That was a good article about Joss Whedon’s Serenity.
October 10th, 2005 at 3:37 pm
Our server got hit by the same guys. So lame… We upgraded to 1.5 though and all seems to be well.
October 10th, 2005 at 3:45 pm
That is very lame. Dumbasses. Maybe the MPAA could start going after these pirates of sorts…
October 10th, 2005 at 4:34 pm
You are, most definitely, a natural storyteller.
Great stuff.
October 10th, 2005 at 6:10 pm
Warren/Nicholas, you can just delete the xmlrpc.php file as a temporary workaround. I did that months ago and haven’t had any ill effect. If you follow John’s link to the “Simple Thoughts” blog that explains the vulnerability, you’ll find a patch that will make upgrading easier.
John, glad to see you back up and running and with a nice new background. I think you’ll be happy with your upgraded WordPress anti-spam measures, though I for one am going to miss the oxlips.
October 10th, 2005 at 10:31 pm
If you want to reimplement the oxlips (or something similar), you can use WP-GateKeeper (http://www.meyerweb.com/eric/tools/wordpress/wp-gatekeeper.html). I just implemented it on my site after having to moderate over 300 spam comments. If it’s not one thing, it’s another. I modified the included template (under the “Manage” tab) to spit out a bit of my favorite Coleridge poem, and then made the challenge questions word counts from the poem’s lines.
Call me lazy, but I’d rather let my readers count one or two words in order to comment than wade through several hundred automated spam comments.
October 11th, 2005 at 12:11 am
Hmmm, dare I bring up Movable Type at this point?
MT has a plugin called SpamLookup which has essentially blocked all comment spam. I have no captchas on my blog. No registration or email requirements. SpamLookup sort of works in the background, and whenever I do stop in to check its logs, it never registers a false positive (unless someone tries to make a legitimate comment with some of the specific words I’ve blacklisted). Quite happy with it.
Having said that, I’m awfully sorry you went through this, John. Bravo for getting back up so fast.
October 11th, 2005 at 1:00 am
I got hit on one of my sites while running one of the older 1.5 installs, so the moral is, pay attention when they launch a new version and if security is one of the enhancements mentioned, upgrade immediately.
As for comment spam, I use one of the comment preview plugins alongside WordPress’s default anti-spam options which seems to stop 99% of spam getting through and 0% making it past the moderation queue.
October 11th, 2005 at 8:30 am
Yeah, upgrading can be a pain sometimes. It’s just so easy to leave things as is ….
October 11th, 2005 at 11:08 am
As a blogger with weak HTML skills, this scares me. I recently took the plunge and signed on (for two years!) with a hosting company, intending to move the blog from TypePad in a new, WordPress incarnation. I do like the open source, and I’ve heard so many good things about WP.
Hearing of your nightmare, I don’t know anymore. Am I really up for that much under the hood work? Could I handle the situation with the kind of speed and aplomb that you did?
You’re really quite remarkable to do two things so well, you know. Most of us can’t manage that level of proficiency with one.
Oh, well. It’s back to the WP boards for me. And maybe I’ll just link to the TypePad blog for awhile.
October 11th, 2005 at 11:12 am
Ugh. See? No URL. I can’t even post a comment without screwing something up.
Sigh…
October 11th, 2005 at 12:48 pm
For those of you who like WordPress but aren’t quite ready to take the plunge and go for a version you look after yourself, there are a few other options. Blog Thing offers a free service which is powered by WordPress and the WordPress team are in beta testing of a hosted service over at WordPress.com.
October 11th, 2005 at 10:34 pm
John, I love your site, and I’m extremely grateful you’re sharing yourself with us all here. I especially like your “geek out” posts. I can’t say I understand everything, but one never learns by running away from the unknown, so I try. I understand why you’re pissed about being (what barely qualifies as “hacked,” more like script kiddied), and I realize that nobody can stay 100% up to date with every security vulnerability out there. However, I must say I’m a little taken aback by the general reaction to the hack by pretty much everyone commenting. “String ‘em up by the balls!” “Sue ‘em!”, ad nauseam. You had the decency to acknowledge that this was a known exploit that you missed. And it really was hit with a very low level of sophistication. I’m always cheered by the fact that you lean toward the open source stuff. You might not have found out about the hacked vulnerability so fast if it weren’t for the rapid pace at which these things become known and are patched in the open source world. But really, one can’t leave one’s car windows open and the keys in the ignition without some joker jumping in for a joy ride (I know, weak analogy). I’m not saying anyone deserves to be hacked, but we all have the responsibility of keeping current and covering up holes that turn up now and then, even if it is a nuisance. I notice that Postnuke was warning users on August 16th, 2005 to remove the offending file from their installations, and WordPress was updated with a security fix and a temporary fix involving removal of xmlrpc.php on June 29th, 2005!!! And you say it took about an hour to upgrade and get the site working for the most part. One hour, a few months sooner could have saved you all this trouble. The Web is just an extension of the real world, with all the same losers and doofbag goatfucks out to mess things up for no particular reason than to feel important for five minutes.
In fact, the anonymity of the Internet encourages these spineless pukebags to do things they wouldn’t imagine trying in real life if there was any danger of getting caught. Again John, I love your site; it gives me a lift every time, so thanks. I was just a little freaked out by the knee-jerk violent reaction of some of the posters.
October 12th, 2005 at 7:46 am
Visitors? I was thinking you had folks over to see the baby. Good work getting things back in order, John.
October 12th, 2005 at 10:30 pm
Sorry to hear about the hack who hacked you. Just wanted to say that I’ve been reading your blog for a bit now and I love it. It’s helped me through many a screenwriting questions at 3 am. Inspired me to start my own: http://sillypipedreams.blogspot.com
October 20th, 2005 at 1:45 pm
Great blog. I just wanted to let everybody know about a great new website for screenwriters. Often, I look to other scripts for formatting and other reasons. http://www.scriptbandit.com has over 500 scripts and lots of screenwriters resources. You can even send a text message and submit your own script!
October 28th, 2005 at 4:40 pm
That’s a damn shame, crackers are so pathetic.
Also a shame you didn’t get around to writing a blog about Serenity, would have liked to read your opinion on it.