Site cleanup and recovery

As I’d twittered and posted on Facebook over the weekend, this blog (and a bunch of other sites that were on the same server account) had been hacked with some malicious server code that was redirecting referring links away to some sort of spam/malware sites.

Ah yes, the irony of a blog with “Hack” in the title itself getting hacked.

So I’ve been mostly offline, cleaning up the sites and infected files and locking down the server so that it (hopefully) won’t happen again. So far, so good.

Everything should be back online and working now. Let me know if something isn’t, and we’ll resume our regular programming…

2 comments

  1. Do you know how they got in? Was it via some WordPress hole or something else? If you’d rather go offline with the conversation, email me :-).

  2. I have a pretty good idea, which would actually make a pretty good blog post. I don’t believe it was a hole in WordPress—not the up-to-date versions anyway—instead I think it was other exploitable code on the shared server account my blogs were on. Once the account was compromised, then it was a matter of the script (or whatever) being able to modify “.php” files that had the “nobody” owner (Apache process) attached, or had permissions set too leniently.
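An audit for the two conditions named in the reply above, as an added example that is not part of the original post or its comments: it walks a web root and reports `.php` files that the web server's uid owns or can write to. The names `can_write` and `audit_php` and the uid parameters are assumptions for illustration, and the parent-directory check goes one step beyond the reply, since a writable directory lets a file be replaced even when the file itself is read-only.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """True if the POSIX mode bits let a process with this uid/gids write."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_php(root, web_uid, web_gids=()):
    """Map each risky .php file under root to the reasons it is modifiable."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        dir_st = os.lstat(dirpath)
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not (name.lower().endswith(".php") and stat.S_ISREG(st.st_mode)):
                continue
            reasons = []
            if st.st_uid == web_uid:
                # The owner can always chmod the file back to writable.
                reasons.append("owned by web server user")
            elif can_write(st, web_uid, web_gids):
                reasons.append("file mode grants write")
            # A writable directory allows replacing the file by rename/unlink,
            # unless the sticky bit limits that to the file or directory owner.
            sticky_blocks = (dir_st.st_mode & stat.S_ISVTX
                             and web_uid not in (st.st_uid, dir_st.st_uid))
            if can_write(dir_st, web_uid, web_gids) and not sticky_blocks:
                reasons.append("parent directory grants write")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

if __name__ == "__main__":
    # Constructed sample tree; OTHER_UID stands in for the Apache "nobody" uid.
    OTHER_UID = os.geteuid() + 1
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("index.php", 0o644), ("upload.php", 0o666)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        os.chmod(root, 0o755)
        print(audit_php(root, OTHER_UID))  # flags only upload.php
```

On a real server, pass the uid and group ids the Apache process actually runs under in place of the stand-in value.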
