Mar 01, 2012

In late February, someone attempted to deface the Port Townsend Sangha web site.  The attempt was only partly successful–the site lost its formatting but the hacker’s graphic message was not displayed.  Since the damage was relatively minor, I spent a day investigating exactly what changes they made and tried to determine how they gained access to the site.

The hacker had changed the user name and password of the default WordPress admin account.  With access to the administrator account, he replaced the contents of the CSS file of the child theme I had written with HTML.  The same HTML replaced the contents of a half dozen PHP files of the Twenty-Eleven theme. Finally, he changed the active theme from my child of Twenty-Ten to his hacked Twenty-Eleven theme.

By now, the hacker had spent 16 minutes on the site attempting to deface it.  And still the defacement wasn’t showing up.  So the hacker gave up, leaving the net result of his work a site that had lost its formatting but not displaying the defacement image and message he wanted.

I restored the corrupted files and the site was back to its usual appearance.  I found no other changes made by the hacker.  But in case I had missed something, I then restored the entire site from a backup.
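The investigation above came down to finding which theme files had been overwritten and what they now contained. As an added example (not code from the original post), here is a small integrity check in the same spirit: it baselines a theme directory with SHA-256 hashes, reports files that later differ from the baseline, and separately flags any .css or .php file whose first bytes are HTML markup, which is exactly the pattern described here. The file names and contents in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Record a SHA-256 per file under root, keyed by path relative to root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def looks_like_html(data):
    """A .css/.php file whose first non-blank bytes are HTML markup has been overwritten."""
    head = data.lstrip()[:32].lower()
    return head.startswith((b"<!doctype", b"<html", b"<body", b"<div", b"<center"))

def check_theme(root, baseline):
    """Diff the live theme directory against the baseline manifest."""
    current = build_manifest(root)
    report = {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
        "html_in_code": [],
    }
    for rel in sorted(current):
        if rel.endswith((".css", ".php")):
            with open(os.path.join(root, rel), "rb") as f:
                if looks_like_html(f.read()):
                    report["html_in_code"].append(rel)
    return report

def demo():
    """Constructed scenario: baseline a clean two-file theme, then simulate the overwrite."""
    root = tempfile.mkdtemp()
    files = {"style.css": b"body { margin: 0; }\n", "header.php": b"<?php wp_head(); ?>\n"}
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    baseline = build_manifest(root)  # taken while the theme is known-good
    defaced = b"<html><body><h1>defaced</h1></body></html>"  # constructed replacement content
    for rel in ("style.css", "header.php"):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(defaced)
    return check_theme(root, baseline)
```

Store the baseline manifest outside the web root so an attacker with admin file access cannot rewrite it along with the theme.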

The trail of changes suggests to me that the hacker was not especially knowledgeable about WordPress.  He apparently knew the basics–or had a script with instructions–and could deface many WordPress sites.  But he apparently was not familiar with some common plugins, one of which caused his defacement to fail.

Using Google, I researched the hacker and found his signature on the defacement of thirteen sites.  Looking for a common element, I was very surprised to find all sites were on the same server.  I suspect the hacker broke into one account on the server through a weak password or exploit in an old version of some component.  That’s easy enough to accomplish if WordPress sites are not updated to the latest version of every module (there is a constant stream of updates so keeping a site maintained is an ongoing task).  Or maybe he gained access to the underlying hosting account on some site.  Once he had control of one site, I suspect he found some weakness on the server that allowed him to find and change WordPress accounts on other sites.  With account name and password, he could then enter the WordPress administrator console on the other sites and easily deface them.

Two obvious questions are: Why was “my” web site attacked and why would someone do this?

The answers are, I believe, related.  I see this kind of defacement as “electronic graffiti.”  It just defaces a site, sends some message, and gives bragging rights to the hacker.  It seems similar to taggers writing graffiti on walls, railroad cars, etc.

I saw no commonality between the sites this hacker had defaced, except that they were on the same server.  I think the choice of sites was mostly random.  Perhaps the hackers keep score to see who can deface the most sites?

The motivation for this kind of defacement seems likely to be quite different from that of attacks on web sites to make political statements or to steal information (especially financial information).  If your site is a financial site, or deals with credit cards or other identifying information, then the hackers are out to rob you.  They’re probably going to try to remain invisible, so you won’t know they are present.  If your site has political significance, then the attack may be political in nature.  But if your site is for a knitting club, or advertising for a small service store, you may just be the almost random victim of a graffiti attack.

In a later post, I’ll describe how I’ve changed all of my sites to prevent common attack vectors.
