On Sunday morning, I woke up, fed my daughter, and read the Los Angeles Times. There was a good article about Joss Whedon’s Serenity, which managed to shoot in Los Angeles at a reasonable budget, largely because of smart planning.
Yet another reason to admire Joss Whedon.
I headed out to the office to blog about this very article. But when I clicked over to johnaugust.com, I was alarmed to see that instead of the familiar brad icon, I was instead greeted by a colored screen and the text, “BunnySlippers ownz u.”
I’d been hacked.
I’ve had my share of technological frustrations with the site over the years, with comment spam and servers going down. But this was different. This was the first time an individual had broken into the site and destroyed things. It was a defacement, like finding someone had spray-painted graffiti on your house.
But it was also more than that — this hacker had gotten into the system, and rooted around. For all I knew, he was still there, waiting for me to fix things just so he could mess them up again. How much had he really gotten to? Had he been able to trace back from the server to my home computer, my Amazon account, my PayPal?
I was pissed, but I was also unnerved.
Had it been my house, rather than my website, I would have called a locksmith to change the locks. The digital equivalent was changing the passwords, which I immediately did. I also shot off a support ticket to the web hosting company, asking if they could help me figure out what the fuck happened.
Then I started cleaning up.
I’m a big believer in the broken windows theory of policing, which stresses taking care of the small incidents of vandalism to forestall greater crime down the road. So the first thing I did was to replace the hacker’s splash screen with a simple “be back soon” page. (You can see it here.)
I then backed up my entire site, along with the database. From a quick look-through, it didn’t seem like any major damage had been done. I could have started the site up in just a few minutes, but I was concerned that the same hacker could have brought the whole thing down again. I needed to know what he did.
I should explain now that the hacker’s name was not BunnySlippers. This is my Josh Friedman-esque pseudonym for him, because I don’t want to give him the ego gratification of this long article using his chosen handle.
BunnySlippers sounds lame, so I think it fits.
I googled “BunnySlippers” and found he was listed on Zone-H, a site that tracks defacements. It’s like a leaderboard for script kiddies. The ethics behind Zone-H are obviously questionable, but that’s not the issue here. What I quickly learned is that BunnySlippers had hit a lot of sites at exactly the same time as mine.
This was a huge relief. It meant that he wasn’t targeting my site out of some grudge or special interest. Rather, I just happened to have some vulnerability he was able to exploit. In all likelihood, he’d never even been to the site. He’d written a script that crawled around the internet, looking for a certain configuration to exploit.
But what was that vulnerability? I had a list of the other sites he’d hit, but they were all offline, like mine. Using archive.org, though, I could pull up old versions of those sites. I quickly saw that most of them were using WordPress, the software that drives most of this site.
So I upgraded my WordPress installation to the most recent version. It was kind of painful. I’d held off doing it for a few months, because I knew it would break certain features, like comments and archives. (Although in fairness, the Archives were already pretty useless.)
In about an hour, I’d gotten the site working pretty well. There are still some significant things to fix, but it’s at least usable.
The question remains, will the site go down again? Maybe.
The truth is, I don’t think you can really stop someone who’s determined to hurt you. As I’ve learned from every horror movie, psychos are relentless. You shoot them, and they come right back — if not today, then in the unnecessary sequel. That’s part of the reason I’m not stomping my feet and cursing BunnySlippers’ name. Antagonizing him isn’t going to help.
With the help of my web hosting company, I’ve been able to learn a little bit more about my defacer, and how he did what he did.
Warning: From here, things get a little technical and jargon-laden. I’ll try to pretend I’m writing for CSI, where I immediately explain what the big words mean, even though the actual characters would never need to.
It turns out the weak spot was a file called “xmlrpc.php.” It’s the XML-RPC web service WordPress uses for remote posting and pingbacks, and it ships with every standard WordPress installation. Its vulnerability had been documented, but I’d missed it. BunnySlippers had used it to overwrite the file “index.php,” the entry point that generates every page on this site.
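A defacement like this one only announces itself because the attacker chose to overwrite the front page; a quieter change to the same file would have gone unnoticed. The script below is an added example, not code from johnaugust.com, the hosting company or WordPress: it records a checksum baseline of a web root right after a clean upgrade and reports any file that has since been changed, removed or added. The tiny web root built by setup_demo and the “defacement” applied by simulate_defacement are constructed for the demo (placeholder contents, not real WordPress files); the file names index.php and xmlrpc.php are the only thing taken from the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from WordPress: a
# file-integrity baseline for a web root, so an overwritten index.php (or any
# dropped file) shows up on the next check instead of on the front page.
# The web root built by setup_demo is constructed for this demo; on a real
# site, run make_manifest immediately after a clean install or upgrade.

# sha256sum on Linux, shasum on macOS/BSD; both print "hash  ./path".
HASH=$(command -v sha256sum || echo "shasum -a 256")

# make_manifest DIR OUT: write "hash  ./path" for every regular file under DIR,
# sorted by path. Paths containing whitespace are not handled by this demo.
make_manifest() {
  ( cd "$1" && find . -type f -exec $HASH {} + | LC_ALL=C sort -k2 ) > "$2"
}

# check_manifest DIR BASELINE: print a CHANGED / MISSING / NEW line for every
# difference between the baseline and the live tree. Returns 0 only if the
# tree is identical to the baseline, 1 otherwise.
check_manifest() {
  cur=$(mktemp)
  make_manifest "$1" "$cur"
  findings=$(awk '
    NR == FNR { base[$2] = $1; next }      # first file: baseline hashes
    { live[$2] = $1 }                      # second file: current hashes
    END {
      for (p in base) {
        if (!(p in live))            print "MISSING " p
        else if (base[p] != live[p]) print "CHANGED " p
      }
      for (p in live) if (!(p in base)) print "NEW " p
    }' "$2" "$cur" | LC_ALL=C sort)
  rm -f "$cur"
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# setup_demo: build a constructed stand-in for a WordPress web root and print
# its path. Contents are placeholders, not real WordPress code.
setup_demo() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-includes" "$root/wp-content"
  printf '<?php require "./wp-blog-header.php";\n' > "$root/index.php"
  printf '<?php /* placeholder for the XML-RPC endpoint */\n' > "$root/xmlrpc.php"
  printf '<?php /* placeholder core file */\n' > "$root/wp-includes/functions.php"
  echo "$root"
}

# simulate_defacement DIR: reproduce what the post describes (index.php
# overwritten with a splash page) plus one extra dropped file, constructed
# here only to show that NEW files are reported as well.
simulate_defacement() {
  printf '<html><body>defaced</body></html>\n' > "$1/index.php"
  printf 'placeholder dropped file\n' > "$1/wp-content/added.txt"
}

# End-to-end run: the clean baseline passes, the defaced tree fails with a report.
demo() {
  root=$(setup_demo)
  base=$(mktemp)
  make_manifest "$root" "$base"
  check_manifest "$root" "$base" && echo "baseline OK"
  simulate_defacement "$root"
  check_manifest "$root" "$base" || echo "integrity check FAILED (see report above)"
  rm -rf "$root" "$base"
}

demo
```

Keep the baseline manifest somewhere the web server cannot write to (or off the host entirely); a baseline stored inside the web root can be rewritten by the same attacker who rewrote index.php. A changed file tells you that something was modified, not how, so the next step is still the server logs, which is where the hosting company traced the xmlrpc.php requests in this case. And if a site never uses remote-posting clients, serving xmlrpc.php to the whole internet is exposure without benefit; blocking it at the web server is a reasonable default regardless of which particular bug was exploited.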
By tracing BunnySlippers’ IP address, we can see that he’s Brazilian. (Or at least, his computer is in Brazil.) Following other threads, I’ve found pages that suggest it’s not a single person, but a crew of three people. Hidden in a subdirectory of a German website, you can even see their logo.
Yes, logo. That’s where the graffiti analogy really comes back into play. This guy, or group of guys, isn’t trying to break into air traffic control, or steal money from a Swiss bank account. They don’t perceive themselves as malicious. It’s about getting the respect of others in their community, and recognition for their incredible computer skills.
But do they deserve it?
Using a known exploit to deface the start page of johnaugust.com isn’t such a feather in one’s cap. Other than wasting my Sunday afternoon, it didn’t really accomplish much. There was no political agenda, no artistic statement. It was just annoying.
It was graffiti. And now it’s gone.