(Fr)Hacking Bastards


A few weeks ago, I started my working day to discover that two of my sites had been blacklisted by Google, and all of them were redirecting to some ’orrible malware site. Some charming person (it could be anyone from a spotty fifteen-year-old script-kiddy to a big organised operation in Eastern Europe or the Philippines) had seen fit to hack into my server in the US and insert malicious code into my html files.

Congratulations boys. The entire audience of some totally obscure, tiny fan sites could be yours!

Why bother? Yes, I must admit the thought went through my head a few times as I laboriously re-uploaded all the files in all my ten websites, changed all my passwords several times, and went through the painful process of uploading two installations of Bulletin Board software. As did a little imaginary bullet through the head of an imaginary hacker.

It’s incredible isn’t it? No matter how much effort you put into building a snowman, some twerp comes along and kicks it down.

Anyway, I missed a couple of files the first time around and had to go through the whole process again a few days ago, at which point my brain began to leak out my ears and the top of my head explode. Thankfully, my host in the States, Dreamhost, were helpful as always, and this time—fingers crossed—all the sneaky code snippets have been removed. Of course both times I had to go through yet another process to get Google to reassess the sites and take down their warning signs.

So, if you host any websites, allow me to give you a bit of advice. Number one, use SFTP instead of FTP when uploading files to your server. The latter sends unencrypted code (with helpful pointers like ‘username’ and ‘password’ included) across the netwaves, and can be intercepted, as I so annoyingly found out. The former sends it encrypted. It should be as simple as selecting an option from a drop-down in your FTP client.

Number two, update all your software installations—WordPress, phpBB, whatever. Make sure you have the latest versions, which should have the best security. Get rid of outdated plugins and update the ones you do use.

Number three, change all your passwords and make them harder. Mine had got far too simple over the years, and I was repeating myself. You may have to use some kind of ‘one password’ solution, and you may never actually remember any of them again, but don’t use single, actual words, and throw in some numerals and possibly symbols.

While you’re doing all this, back up all your files so you have clean versions in case anything goes wrong. Hopefully, you will now avoid having to go through the tedious time-wasting rigmarole I’ve been subjected to.
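Missing a couple of altered files is what forced the second clean-up, and a hash comparison against the clean backup finds every changed or unexpected file in one pass. This is an added example, not part of the original post; it assumes you have a clean backup folder and a copy of the server's files downloaded over SFTP, and the folder names and sample files in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hashes[os.path.relpath(full, root)] = digest
    return hashes

def compare_trees(clean_root, live_root):
    """Return (modified, added, missing) relative paths, each sorted."""
    clean, live = tree_hashes(clean_root), tree_hashes(live_root)
    modified = sorted(p for p in clean if p in live and clean[p] != live[p])
    added = sorted(p for p in live if p not in clean)      # files you never uploaded
    missing = sorted(p for p in clean if p not in live)    # files deleted on the server
    return modified, added, missing

def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        page = b"<html><body>Hello</body></html>\n"
        for root in (clean, live):
            os.makedirs(os.path.join(root, "forum"))
            for rel in ("index.html", os.path.join("forum", "index.html")):
                with open(os.path.join(root, rel), "wb") as fh:
                    fh.write(page)
        # Constructed tampering: one page altered, one file that is not in the backup.
        with open(os.path.join(live, "forum", "index.html"), "ab") as fh:
            fh.write(b"<!-- constructed stand-in for injected markup -->\n")
        with open(os.path.join(live, "extra.php"), "wb") as fh:
            fh.write(b"constructed placeholder\n")
        return compare_trees(clean, live)

if __name__ == "__main__":
    modified, added, missing = demo()
    for label, paths in (("MODIFIED", modified), ("ADDED", added), ("MISSING", missing)):
        for p in paths:
            print(label, p)
```

Anything reported as MODIFIED or ADDED that you did not change yourself should be replaced from the backup or deleted before asking Google to reassess the site.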

Unbelievable isn’t it? Modern life is making code-monkeys of us all.

5 Comments

  1. Arno A
    May 16, 2011 @ 08:56:41

    Bad news.

    But always no version 1.2 for Dungeonquest 🙂

  2. universalhead
    May 16, 2011 @ 09:32:23

    Trust me Arno, I’m not purposely and maliciously holding the file back from DungeonQuest fans for my own amusement – it was simply a typing error in the link that no one had told me about. Which is now fixed (don’t forget to refresh the page).

  3. Arno A
    May 17, 2011 @ 09:51:27

    Thank you. 🙂

  4. Minty
    Aug 08, 2011 @ 09:35:08

    Hey Pete,

    What FTP app are you using?

    I got caught by not knowing that Filezilla (fantastic app) stores its passwords in a text file that is unprotected in any way (major security flaw). The Filezilla author believes it’s the responsibility of the OS to provide file encryption or security, and has no plans to make any changes. I guess that’s one attitude, but I never imagined that someone would make an app that stores something as critical as FTP passwords and have those so exposed.

    Evidently this is also true of CuteFTP and Dreamweaver and many other apps with an FTP component, and many trojans try to harvest those passwords to then infect sites.

    All in all, it sucks.

  5. universalhead
    Aug 08, 2011 @ 09:38:38

    Hey Minty! I’m using Interarchy, but I’ve since discovered I should change all my connections to SFTP, not FTP. Gotta be a bloody tech expert these days …