So We Got Hacked

Was it Anonymous?  Probably not but...

We’re back! The site got hacked as part of a big Drupal vulnerability that took out many sites. In fact, every single Drupal site I know of and work on, personal and professional, has been hacked. For the professional sites I cleaned them up, but for my personal sites I decided to take the unusual step of taking them down. Why? Because I never wanted to fix it again.

For the uninitiated, most blogs or sites are running on Drupal or, more likely, WordPress. There are many, many other CMSs (content management systems), but WordPress is by far the dominant player. These applications act as a kind of publishing platform, vastly reducing the knowledge and experience necessary to create a compelling site. But because of their success and enormous attack surface, they are extremely low-hanging fruit for attackers.

Why would someone want to attack my blog? In my case it was to send spam. For various reasons I have an AOL Feedback Loop set up on my main mail server. What this does is, when an AOL user marks an email that came out of my server as spam, AOL forwards me a copy of the email. Imagine my surprise when a spam message for watches or something like that got flagged. Right away I knew something was wrong. At this point the hope is that the attacker has only gained the ability to create new files and folders on your server and execute some malicious code, but doesn’t completely own the server yet. This was the case for me. All of the Drupal/PHP sites got renamed and a blank placeholder got installed until I could deal with it.
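The containment step described above, as an added shell example that is not code from the original post: move the document root out of the served path (keeping it for later cleanup), install a blank static placeholder so the hostname still answers, and, as an addition of my own for triage, write out a list of PHP files modified recently, which is where dropped web shells and spam mailers usually show up. The sample site, its paths, and the file contents are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Contains a compromised PHP/CMS
# site without deleting evidence: rename the docroot aside, serve a blank
# placeholder, and record recently modified PHP files for cleanup triage.
set -u

# quarantine_site DOCROOT [DAYS]
# Moves DOCROOT to DOCROOT.hacked.<timestamp>, puts a placeholder index.html
# in its place, writes DOCROOT.hacked.<timestamp>.recent-php.txt listing
# *.php files changed within the last DAYS days (default 14), and prints the
# path of the quarantined copy.
quarantine_site() {
    docroot="$1"
    days="${2:-14}"
    [ -d "$docroot" ] || { echo "no such docroot: $docroot" >&2; return 1; }

    stamp=$(date +%Y%m%d%H%M%S)
    quarantined="${docroot}.hacked.${stamp}"

    # 1. Move the whole site out of the web server's path. Nothing is
    #    deleted, so the compromised tree is still there to clean up later.
    mv "$docroot" "$quarantined" || return 1

    # 2. Blank static placeholder: no PHP, nothing dynamic to exploit.
    mkdir -p "$docroot"
    printf '<!doctype html><title>Down for maintenance</title>\n' \
        > "$docroot/index.html"

    # 3. Triage list: PHP files touched in the last $days days. A CMS that
    #    has not been updated recently should have very few of these.
    find "$quarantined" -type f -name '*.php' -mtime "-$days" \
        > "${quarantined}.recent-php.txt"

    echo "$quarantined"
}

# --- constructed demo site (hypothetical paths, fake file contents) ---------
demo_root="$(mktemp -d)/blog"
mkdir -p "$demo_root/sites/default/files"
printf '<?php // legitimate, untouched for years\n' > "$demo_root/index.php"
touch -t 202001010000 "$demo_root/index.php"          # old mtime: not suspicious
printf '<?php /* constructed stand-in for a dropped mailer */\n' \
    > "$demo_root/sites/default/files/mailer.php"     # fresh mtime: suspicious

q=$(quarantine_site "$demo_root" 14)
echo "quarantined copy: $q"
echo "recently modified PHP files:"
cat "$q.recent-php.txt"
```

The placeholder is deliberately a single static HTML file rather than a "maintenance mode" of the CMS itself, since the CMS code is exactly what cannot be trusted at this point. The modification-time list is only a starting point for cleanup: an attacker can reset timestamps, so a file-by-file comparison against a clean copy of the CMS release is still needed before anything goes back online.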

The way I chose to deal with it is to convert the site to Hugo. Hugo is a bit of a different approach to web serving (and actually a much older approach, from a time when servers weren’t very powerful). You see, whenever a request is made to a WordPress blog, various database queries and code snippets are executed in order to pull together all the various bits and bobs necessary to make up a page on your site. Hugo instead pregenerates all content statically. Static pages are far less hackable than dynamic ones… I dare not say impossible, but 99.9999% more difficult. Instead an attacker would have to exploit a vulnerability in the web server platform itself, and there aren’t very many of those these days.

More to come about the hows and whys of which CMS, blog publishing, cleaning a WordPress and Drupal site, as well as migrating from Drupal to Hugo. It’s not very travel related, but I don’t do that much travelling anymore. What I do do is work remotely, and that is something that is relevant to any and all Geeky Nomads.