The heros of the story of my hacked website are the folks at JTPrattMedia. If hackers are the guys wearing black hats, these folks are wearing the white hats. John Pratt, the company’s principal, graciously agreed to answer some of my questions about hacking and hackers.
M — Please help me understand what happened to my website and why someone would want to hack my website. Who did it and what did they get out of it?
J — The thing to know is that there is almost never a “someone.” In your house, you would know if somebody was trying to break in. You probably have no idea that your website receives thousands of break attempts per day — 99.99% of which are completely automated. These are almost all automated bots and scripts trying to:
- Deface your website
- Inject spam into your website
- Break your website
- Infect computers
Read here: www.jtpratt.com/series/wordpress-security-guide
and this recent blog post: www.jtprattmedia.com/my-wordpress-website-is-still-getting-hacked
M — Is anyone keeping track of how many websites are hacked each year? Is there a place to report internet attacks?
J — No and no. There never would be. Every access attempt to a website is logged on every webserver. Most companies would never want this information public — therefore it would never be shared in such a way where stats could be collected. There is no place to report attacks, and prob never will be. Websites are hosted on different servers, different locations, with different companies — attackers use fake credentials and fake IP’s, and to make matters worse many are just “zombie” attacks (that you can’t track back to a real person).
Let me give you a scenario. We’ll say I live in Russia and a crime syndicate pays me a fee to write a bot that infects websites with poker and gambling related spam to get traffic to their illicit websites.
Let’s say I found a hole in WordPress version 3.3.0 (from a year ago) that allows you to upload a file into a website. I write a script that searches for websites using that version of WordPress and then uses that hole to break in and upload a file.
The file that gets uploaded is a PHP script, it looks for your theme files and injects spam in the footer. This is very common and pretty simple — but you would think you could trace the source of the break-in to a computer (and or person), right?.
No. Here’s a more complicated scenario at a much higher level. The crime syndicate hires an experienced genius level programmer to create some “malware” with a payload that is self-replicating. This is on the level of science fiction in a way when you think about it. This type of malware (the type they call rootkits and trojans) has the ability to infect a PC — send emails to an entire address book of friends, infect them, infect their friends, and their friends, and so on. Many of these mave mini mail servers and web servers built in — and they can serve the scripts to attack websites (like the previous example).
So at a base level let’s say a guy in Detroit named “Bob” has a laptop —and his teenage kids use it at night. They click an ad on a music download website and unwittingly get an malware infection that his virus scanner doesn’t detect. Bob’s entire email address book gets an email from him with a spam link — he figures his Facebook or Gmail account has been hacked, and changes his passwords.
While Bob’s laptop is used — when it’s connected to the web the trojan rootkit searches for websites using WordPress running version 3.3.0 so it can break in and upload the file that injects spam in the footer (from the first example).
The malware might run on Bob’s laptop as a “zombie” for years before it’s found and removed. People don’t even know their computers are breaking into other computers (day and night). There are hundreds of scenarios just like this.
M — This world map of Cybercrime at http://globalsecuritymap.com/ published by http://hostexploit.com, does that look pretty accurate to you?
J — I would say that looks completely accurate.
M — What were you doing before you began repairing hacked websites?
J — I have personally been building websites since 1995. JTPratt Media has been my full time WordPress company since 2009, and we do SEO and social media management in addition to WordPress development. We first began fixing websites with spam problems, and then fixing hacked websites as that problem became more mainstream a few years back. We don’t only fix hacked websites (now), but we do get those inquiries each and every week — in additional to regular WP development.
M — How did you get involved in repairing hacked websites?
J — WordPress started as a blogging tool and has grown exponentially each year since 2004. In the last 3 years (especially) it has officially moved from a “blogging tool” — to a tool to create and manage business websites. Because it’s mainstream (like Windows) it’s a target because of the base of sites it holds. It’s a common misconception that you shoudn’t use WordPress because it has security issues. With more than 50 million websites using it, and since it now runs almost 1/5 of the web — more than ANY other CMS system in the world — hackers target it more than any other. The websites broken into are in the thousands, as compared to millions of installations, and WP is very secure when maintained properly.
A few years back we wrote this WordPress security guide: www.jtpratt.com/series/wordpress-security-guide
We started to get new clients from that with broken hacked websites that needed to be fixed. Soon we had fixed quite a few — and found the process was usually the same to clean, secure, and harden them — and we still pretty much use that same process today.
M — Has hacking increased since you began repairing hacked websites?
J — It will never stop, and is definitely growing. However security is getting better, and now with Google notifying website owners of infections there are more stopgaps in place than ever before.
M — Has hacking become more sophisticated since you began repairing hacked websites?
J — Definitely. Especially since it’s automated, and once computers are infected with zombie “bots” that can search for and attack more websites — things that are self-replicating and go into the wild can live there for years, continuing to do damage.
M — Are some content management systems more vulnerable than others? Which ones? Why?
J — This used to be the case, but not much anymore as most of what’s out there is constantly developed by a team of coders and very mature.
M — Hacking, malware, badware, spam, bots… What’s the difference?
J — There are hundreds of explanations for these very similar things (most of which the ordinary person doesn’t want to know anything about).
M — Anything else you’d care to add?
J — The most important things for anyone to remember:
- Stay up to date (WordPress, and all plugins + theme)
- Have a regular offsite backup
- If you don’t know what to do, or how to do it — hire an expert. Otherwise your website could be lost.
Photocredit: Felt beige cowboy hat on a white background by Ealdgyth, September 14, 2007, aquired from Wikimedia Commons
Posted by Morgan