A friend’s website was hacked recently. It wasn’t a big deal for him, as it was a testing/playground site anyhow. The site simply had its homepage defaced. The site was due to be razed and rebuilt anyhow.

I was concerned because it was a Joomla website. My sites at work are Joomla sites.

I tracked down how it was hacked for him. It took me an hour.

It was hacked out of Turkey – no legal recourse for him.

Basically, it turns out there was a bug in the password reset code that allowed them to reset the admin password.
http://www.compassdesigns.net/joomla-blog/Admin-Password-Reset-Vulnerability-in-Joomla-1.5.html — OHPSS!!!

It is interesting to note that they used Google for finding websites with the vulnerability – their search was http://www.google.com/search?hl=tr&q=inurl:%22com_user%22+hello&start=40&sa=N

Here are the steps that I took to figure this out. I had my friend dump the website and send it to me. The dump was the full filesystem for that website, a full MySQL dump of the database(s) for the site, and all the log files for that site. At this point he could start doing what he needed to do to rebuild the site.

When I got this zip file, I opened it and went to the logs. I just scrolled through the log to see if anything obvious stood out. Nothing at the initial glance.

Thinking it was a remote file include problem, I started looking for URLs that could have been included. This wasn’t it, but it did lead me to a spot where I recognized the name of a foreign file – an MP3 that the hackers uploaded.

I then grabbed their IP address and looked at the first instance where they interacted with the system. I found the Google search and the click through to the password reset page.

At this point, I did a Google search of my own and found the hack.
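The log triage described above (parse the access log, flag the clues, then pull the whole timeline for any IP that tripped one) as an added example; this is my code, not the author’s, and the log lines are constructed to mirror the clues in the post: Joomla’s com_user reset pages, a Google “inurl:” referer, and a remote URL in a query string (the remote-file-include indicator the author looked for first). IPs are from documentation ranges and the timestamps are invented.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, unquote

# Apache "combined" format: ip ident user [ts] "req" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')

# Constructed sample lines (not the friend's real logs); IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Jun/2008:07:37:02 -0500] "GET /index.php?option=com_user&view=reset HTTP/1.1" 200 5120 "http://www.google.com/search?hl=tr&q=inurl:%22com_user%22+hello" "Mozilla/5.0"
203.0.113.10 - - [13/Jun/2008:07:38:15 -0500] "POST /index.php?option=com_user&task=confirmreset HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jun/2008:07:40:00 -0500] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Jun/2008:07:49:31 -0500] "GET /images/stories/hello.mp3 HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jun/2008:08:00:00 -0500] "GET /index.php?option=com_foo&page=http://203.0.113.99/x.txt HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return e

def classify(e):
    """Tag one parsed entry with the clues the write-up used to find the intrusion."""
    tags, query = [], urlsplit(unquote(e["path"]).lower()).query
    ref = unquote(e["referer"]).lower()
    if "option=com_user" in query and "reset" in query:
        tags.append("joomla-password-reset")        # the abused com_user reset flow
    if "google." in urlsplit(ref).netloc and "inurl:" in ref:
        tags.append("search-engine-dork-referer")   # arrived via a Google "inurl:" search
    if re.search(r"=https?://", query):
        tags.append("remote-url-in-query")          # remote-file-include indicator
    return tags

def analyze(log_text):
    """Flag suspicious requests, then keep the full request timeline of each flagged IP."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    flags = [(e["ip"], e["path"], classify(e)) for e in entries]
    suspects = sorted({ip for ip, _, tags in flags if tags})
    timelines = {ip: [(e["ts"], e["method"], e["path"]) for e in entries if e["ip"] == ip]
                 for ip in suspects}
    return {"suspects": suspects, "timelines": timelines,
            "flags": [f for f in flags if f[2]]}
```

The timeline is the useful part: the MP3 request trips no rule on its own, but it shows up once you list everything the flagged IP did, which is exactly how the uploaded file was spotted in the post.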

A note on their behavior during the attack:
They started at 7:37 am our time, and were done by 7:49.
They checked the site again at noon, and again at 10:15pm. I guess they wanted a good laugh at how long it took before the site got fixed.

The moral of this story is that if you use open source software, make sure you keep it updated. With the ability to Google search for pages that are running a known piece of code, an awful lot of websites can get hacked between the time a vulnerability is known until a fix is released and until you get that fix installed.

Last day at work

Today was my last day at work. I guess Friday the 13th is as good of a day as anything.

Two and a half years of doing the same website – well, over half a dozen of them. Of having my website on the back of city buses. Of a 100,000 unique visits a month. Of really great people.

My friends from work had a going away party for me today. They pooled together and got me a really great going away present, but they couldn’t agree on what it was going to be, so I got a gift card for a lot of money! They ordered pizza from my favorite pizza shop.

Thank you everybody!

I just about left without getting my stuff off the walls.

I will miss everybody there at RAGFL! You all have my email address and this website! Keep in touch.

Interesting Bits

I have added a new feature to my website. It is the “Interesting Bits” section at the end of the narrow side column, below my Del.icio.us bookmarks. This is a running list of the last 10 blog posts that I have decided to share in Google Reader. This is going to be stuff that is interesting to me for whatever reason. Some of you have similar interests to me, and this is a way to share the articles I found interesting.

I am currently subscribed to 15 different blogs, and the posts listed would be the best out of all of them.