Hi there, I’m Chris and I was responsible for redesigning and developing the Jacobson site here, which is being operated currently by my father John. Anyway, there’s a bit of bad news and I wanted to make everyone aware that the site was hacked over the Thanksgiving weekend and many of you may have seen a “hacked by hackers” line of text on a blank homepage. There was also a brief period where a propaganda page for the Bengladeshi Cyber Army may have been displayed as well.
Before anyone freaks out, these events are actually more common than they appear. So the Jacobson site was not, to my knowledge, targeted for attack in any specific way. It’s a small memorial site, related to the military but not on any government or military operated servers or equipment. It’s privately operated on a private hosting company. This site is built on the WordPress platform, which is a free, open-source blogging and content management system for operating websites. WordPress is built to be solid and secure, but it’s ubiquity makes it a target, generally, for scripted attacks or breaches. What usually happens is a hacking unit will trawl for insecure or out of date installations, poorly made or outdated plugins, or poorly made template files that allow for PHP execution. This can sometimes happen on a single installation of WordPress that exists on a shared server in which many people operate their sites. So site A may be out of date and feature a bug that lets hackers breach the admin and then they are able to execute code more freely on the server, affecting everyone’s installations and then site B also gets hacked through no fault of the owner of that site. That’s kind of the nature of the most typical attacks as I understand them.
So, in the case of this site, I’m not exactly certain what went wrong. This site is on such a shared server but I don’t know of any breaches. There was a hacked admin user on this site but I don’t believe the existing admin user was coopted for that purpose. My personal user was deleted, so that may have been it. I can’t quite tell how this happened at this point. I have however taken the following steps to get the site back to normal:
- Removed the hacked user
- Reinstated my user with a new password
- Resetting Dad’s password as well
- Cleared the hacked code from the affected templates
- Deleted plugins that I think were installed by the attackers
- Reinstalled the current WordPress installation in case there was any modification to core files (does not appear to have happened)
- Imported missing pages from a backup taken on the 23rd (we back the site up weekly for just such events!)
That puts us back to about where we started. Our only casualty so far is that somehow image links have been corrupted, which is why you’re seeing all broken images across the site. I’m going to have to manually fix these at some point soon.
To mitigate future events I’m looking into ways to better harden the site and server. We had taken some precautions, kept the site up to date, kept a weekly backup, but these are now clearly insufficient by themselves. I’ll have another post when I’ve made more progress. Thanks everyone!
Update: I’ve made some modifications to some key files and restricted access to others. I’ve also added a few security related plugins. Hopefully this should help prevent future attacks. I’ll continue to improve the site as time permits. Thanks again!