K9JY Hacked!


The K9JY site was hacked over the last couple of days and you should have seen some weird screen renderings of the site. All should now be good. At least I hope so.

I’m security-minded

I try not to go nuts on the security stuff, but ever since I started putting out the K9JY WriteLog User Site, people started putting me in their Outlook contacts and you know how that goes. The mail lists get hacked and send out viruses and other assorted malware, and then I get all the hacked e-mails filled with the viruses. So I’ve always been careful and, thankfully, have never had my computers hacked from any of that stuff.

And my passwords are relatively bulletproof. The classic strong password generated and installed.

But you can’t prevent everything

In the newest version of the software I use on this site, an “XSS” vulnerability was identified. On Monday night, I first saw the updated version of the software that fixed the vulnerability. I was going to install it Tuesday morning, since installing software at 9 PM after enjoying wine and company is not exactly the smart approach to doing upgrades.

But by the time I tried on Tuesday morning, it was clear something was not working right — I couldn’t access the admin panel, I couldn’t get any of my posts listed, nor could I list my installed plug-ins. Like, hosed.

Plus, the site, to visitors, would load great. Or not. Or sometimes.

Looking at the server error messages, there were many. With some good help from my hosting company, we eliminated the possible server issues and concluded I’d been hacked. First time ever.

The K9JY Rule of Troubleshooting

That troubleshooting rule is simple: the first thing you fix will reveal the other two things that went wrong in the first place.

So it was here. I couldn’t do the automatic upgrade to the software because I couldn’t access the admin panel to do it. So I quickly learned how to manually get the software, download it, unzip it and then carefully follow the directions to do the upgrade.

Sounds easy and I’ve done this before with other software. But, when it is this site, you get a bit chilled when the first words in the instructions are “delete all XXX files except those you’ve modified.”

The instructions don’t tell you that when the software was originally installed, there were passwords to access the databases for the application. And the database names for the application. Fortunately, I knew that there was a file that had that information in it and downloaded it via FTP to a nice safe place. It was a big potential gotcha. Whew.

Then, I carefully deleted all of the files and kept all of the other non-related platform files, like the layout of the site (called a “theme”) and some plug-ins that make things show up right (like the listing of the most popular posts in the sidebar is done via a plug-in).

Finally, I uploaded the new upgrade, hit the upgrade executable and logged in.
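The manual upgrade described above, as an added shell example that is not the post's own procedure or the software's own upgrade script. It assumes the file holding the database name and password is called config.php, that the layout lives under themes/ and the add-ons under plugins/ (all three are assumed names), and that the vendor publishes a SHA-256 hash alongside the release archive. The site tree and the release tarball it operates on are constructed inside the script, so it runs offline. Two points it adds to the post's checklist: the archive hash is checked before anything is deleted, and the config file is copied back after unpacking in case the archive shipped one of its own.

```shell
#!/bin/sh
# Added example (not the post's own procedure): a manual core upgrade that
# keeps the pieces the post says must survive. Names are assumptions:
#   config.php  - the file holding the database name and password
#   themes/     - the site layout
#   plugins/    - add-ons that must be kept
set -eu

# Hex SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# upgrade_site SITE ARCHIVE BACKUP EXPECTED_SHA256
# 1. refuse an archive whose hash differs from the one published with the release
# 2. copy config + themes + plugins to BACKUP before anything is deleted
# 3. delete every other top-level entry (the old core)
# 4. unpack the new core, then put the live config back in case the archive shipped one
upgrade_site() {
  site=$1 archive=$2 backup=$3 expected=$4
  actual=$(sha256_of "$archive")
  if [ "$actual" != "$expected" ]; then
    echo "refusing upgrade: archive hash $actual != expected $expected" >&2
    return 1
  fi
  mkdir -p "$backup"
  cp -p "$site/config.php" "$backup/config.php"
  cp -Rp "$site/themes" "$site/plugins" "$backup/"
  find "$site" -mindepth 1 -maxdepth 1 \
       ! -name config.php ! -name themes ! -name plugins -exec rm -rf {} +
  tar xf "$archive" -C "$site"
  cp -p "$backup/config.php" "$site/config.php"
}

# make_fixture DIR: constructed site tree and a constructed "vendor" release
# tarball, standing in for the real download. The hash file written here plays
# the role of the hash the vendor would publish on its release page.
make_fixture() {
  site=$1/site rel=$1/release
  mkdir -p "$site/core" "$site/themes/mine" "$site/plugins/flickr" "$rel/core"
  printf 'db_password=OLD_SECRET\n' > "$site/config.php"
  printf 'version=1.0\n' > "$site/core/app.php"
  printf 'old core readme\n' > "$site/readme.txt"      # old core file, goes with the core
  printf 'theme\n' > "$site/themes/mine/style.css"
  printf 'plugin\n' > "$site/plugins/flickr/flickr.php"
  printf 'version=1.1\n' > "$rel/core/app.php"
  printf 'upgrade script\n' > "$rel/upgrade.php"
  tar cf "$1/release.tar" -C "$rel" .
  sha256_of "$1/release.tar" > "$1/release.tar.sha256"
}

# Walk through one upgrade on the constructed tree.
demo() {
  tmp=$(mktemp -d)
  make_fixture "$tmp"
  upgrade_site "$tmp/site" "$tmp/release.tar" "$tmp/backup" "$(cat "$tmp/release.tar.sha256")"
  cat "$tmp/site/core/app.php"              # version=1.1
  cat "$tmp/site/config.php"                # db_password=OLD_SECRET (kept)
  rm -rf "$tmp"
}
demo
```

Run it as it stands to see the constructed upgrade succeed; to reuse it on a real tree, replace make_fixture with the real paths and paste the vendor's published hash as the fourth argument. Because the hash check comes first and the backup directory is created before the find/rm step, a tampered or truncated download leaves the site untouched.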

The upgrade was a success. But the problem didn’t go away.

When I logged into the dashboard, I could see that I was on the new version of the software. But I still couldn’t do anything.

So then I re-installed my Theme. Nothing changed.

Then I went to the Plug-ins. I couldn’t see the entire list of installed plug-ins (I wanted to deactivate all of them to get to a vanilla installation), but I could individually click on the plug-in name and go to the settings page for it.

Finally, a plug-in that searches Flickr so I can insert cool pictures on the site (like the pics for Sunspot Saturday) said it needed authentication before it could work. And since I’ve had that plug-in authenticated for about 18 months, something was up. When I went to authenticate it to Flickr, my Flickr account opened and politely told me that something was trying to authenticate with it, but what it was sending to authenticate was crap.

I went and deleted the plug-in that interfaced to Flickr and then…finally…all was well.

The admin pages loaded correctly and so did the site. After looking through everything and updating all my stuff in the Theme that was reinstalled, I declared victory.

Another day lost to software infrastructure problems, that thing that is supposed to make us more productive.

The lesson?

The software people are really good at quickly identifying security issues and putting out fixes. It’s rare that it happens now, as the security sweep is part of the overall testing. But hackers love to hack. I just hope that my sites (all the rest were fine) don’t fall into the IP address range the hacker is attacking before I install the fix.

And, yes, I have several weeks of backups, so if push came to shove, I could get all of it back. But that’s a pain in the rear as well. It takes time and resources to do, and to verify once the restore is done.

But, all is well. At least I learned how to manually upgrade the software and I added a few things to my upgrade checklist.

Now, to turn on the radio.
