It’s likely that I’ll never really know how it happened exactly, but somehow every domain and subdomain on my server was compromised. Thank goodness that I’m nuts about backing everything up all the time, though it’s still a huge pain in the ass!

Somehow, a script made it onto my server that worked its way through every single file, looking for any named “index”, or containing that word as part of its name. Once located, it overwrote the content of the index file with a custom bit of HTML. A cute little message telling the world who hacked the website, complete with a URI for some forum site in Turkish. Beyond that, it embedded a couple of Trojans in a couple of files that were writable. That part is pretty embarrassing.

Unfortunately, the good people at IX Webhosting, the folks who house the server I rent, were not able to determine an exact origin. They did run a cleaning script, and it was able to pinpoint potentially troublesome files as well as identify folders that should have their permissions changed, but no smoking gun.
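As an added example (not the host's cleaning script and not anything from the original post), here is a small POSIX shell triage helper for the two things described above: finding "index" files that no longer match a known-clean backup, and listing the world-writable paths a dropped script could reuse. It builds its own constructed sample tree so it runs offline; the directory and file names are assumptions.

```shell
#!/bin/sh
# Added triage helpers for the kind of defacement described in the post:
# compare every "index" file under the web root with a known-clean backup,
# and list anything world-writable that a dropped script could reuse.
# The sample tree built by make_sample_tree is constructed for this example.

# Print "CHANGED <path>" for index files that differ from the backup copy
# and "NEW <path>" for index files the backup never had.
find_defaced_index_files() {
  webroot="$1"; backup="$2"
  find "$webroot" -type f -iname '*index*' | LC_ALL=C sort | while read -r f; do
    rel="${f#"$webroot"/}"
    if [ ! -f "$backup/$rel" ]; then
      echo "NEW $rel"
    elif ! cmp -s "$f" "$backup/$rel"; then
      echo "CHANGED $rel"
    fi
  done
}

# Print files and directories under the web root that anyone may write to
# (the folders a cleaning script would flag for a permissions change).
find_world_writable() {
  find "$1" -perm -002 | LC_ALL=C sort
}

# Build a constructed web root plus backup in a temp dir and print its path.
make_sample_tree() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/www/blog" "$tmp/www/uploads" "$tmp/backup/blog"
  printf '<h1>Welcome</h1>\n' > "$tmp/backup/index.html"
  printf '<h1>Blog</h1>\n'    > "$tmp/backup/blog/index.php"
  printf '<h1>Welcome</h1>\n' > "$tmp/www/index.html"        # untouched
  printf 'replaced content\n' > "$tmp/www/blog/index.php"    # overwritten
  printf 'x\n'                > "$tmp/www/uploads/index.htm" # not in backup
  chmod -R u=rwX,go=rX "$tmp/www"   # sane defaults, independent of umask
  chmod o+w "$tmp/www/uploads"      # the one world-writable folder
  echo "$tmp"
}

# Stand-alone run: build the sample tree, report on it, clean up.
t=$(make_sample_tree)
echo "== index files differing from backup =="
find_defaced_index_files "$t/www" "$t/backup"
echo "== world-writable paths =="
find_world_writable "$t/www"
rm -rf "$t"
```

Run it against the real web root and the last clean backup instead of the sample tree; anything it reports as CHANGED or NEW is a file to restore, and any world-writable path is one to tighten before the script gets another chance.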

All client sites are back up and running, with no long-term effects that I can tell. All their customer information is luckily housed on another server in another building, in another state, and in some cases, in another country, so there has been no real security breach. Just a royal pain in the ass…not a whole lot more.

March break always brings out the script kiddies and their bullshit. I just wish I could understand exactly what it is they get out of this.

  1. Duane Neveu says:

    Here we go again!

    Somehow, that defacement script was able to run again on my server sometime earlier this morning.

    I’m just finishing changing all database and FTP passwords…again.

