Hacked

I was hacked on May 27th, 2015.

It started with one site. Seven sites on the server were hacked three days after that.

I discovered it by accident 33 days later.


Back in February I decided I should secure my WordPress sites. WordPress is frequently a target for hacking, and I was sure my sites were no different. So I installed Wordfence, a WordPress security plugin. Shortly after installing it, I started receiving alert emails saying “User locked out from signing in.” I wasn’t too concerned at first. These were automated login attempts. There was no shadowy figure that was trying to hack into my sites specifically. Plus I have long, random passwords by virtue of using LastPass. No one was going to brute-force my password.

But I started to tire of seeing Wordfence alerts every day. I decided to filter them out into their own tag in Gmail. That helped — the emails were no longer flooding into my inbox. But then I started to get an uneasy feeling: How was I going to know if Wordfence sent me an important notice?

Short answer? I wouldn’t. It would blend in with all of the other emails.

So I made some adjustments to cut down on the emails. I set Wordfence to block IPs after 3 login failures (down from 20). I set the lockout period to 60 days (up from 5 minutes). And then I set it to immediately block any login attempts that weren’t for real accounts.

That slowed down the flood of emails. My changes were causing the bots to quickly lock out all their IP addresses.

I was still getting emails though. And so I figured, why don’t I just add a captcha to the login page?

So I did. I installed Captcha by BestWebSoft on May 29th.

Unfortunately it was too late; I’d already been hacked. One of my sites had user accounts for people other than myself, and one of those accounts was compromised on the 27th. Once they had access to the account they were able to compromise the entire site, and three days after that, all of the other sites on the server.

It wasn’t until I was migrating my sites to a different server over a month later that I noticed the problem. I was editing wp-config.php files to update database credentials and saw a strange bit of code at the top of each file. It looked something like this:

if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]);

That was at the top of every PHP file on my server. The code is a little over 13,000 characters long. It’s all encrypted. It’s anyone’s guess what it’s doing. All I know is that it shouldn’t be there.
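As an added example (not code from the post), here is a small Python scanner that checks every PHP file under a directory for the injected opening line quoted above and decodes its escaped string keys. The only encoding in that first line is PHP's \xNN and \NNN string escapes: the $GLOBALS key decodes to "anuna" and the $_SERVER key to "HTTP_USER_AGENT". The embedded SAMPLE is constructed from the quoted line with its backslashes written out the way PHP source would have them.

```python
import re
import sys
from pathlib import Path

# The injected prefix starts with a $GLOBALS lookup whose key is written
# entirely as \xNN / \NNN escapes, so the name never appears in clear text.
INJECTED_PREFIX = re.compile(r'\$GLOBALS\["((?:\\x[0-9a-fA-F]{2}|\\[0-7]{1,3})+)"\]')
ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})|\\([0-7]{1,3})')

# Constructed sample: the opening line quoted in the post, escapes restored.
SAMPLE = r'''<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]);'''


def decode_php_escapes(s: str) -> str:
    """Decode the \\xNN (hex) and \\NNN (octal) escapes PHP allows in double-quoted strings."""
    def one(m: re.Match) -> str:
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return ESCAPE.sub(one, s)


def find_injected_prefix(php_source: str):
    """Return the decoded $GLOBALS key if the file opens with the injected check, else None."""
    head = php_source[:4096]  # the injection sits at the very top of the file
    m = INJECTED_PREFIX.search(head)
    return decode_php_escapes(m.group(1)) if m else None


def scan_tree(root: str):
    """Yield (path, decoded_key) for every .php file under root that carries the prefix."""
    for path in Path(root).rglob("*.php"):
        key = find_injected_prefix(path.read_text(errors="replace"))
        if key:
            yield path, key


if __name__ == "__main__":
    # Usage: python scan.py /var/www  (assumed path; adjust to your web root)
    for hit, key in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{hit}: injected prefix, $GLOBALS key decodes to {key!r}")
```

Because the scanner matches on the escape pattern rather than on one fixed string, it also catches copies of the prefix that use a different escaped key. A hit is a reason to restore the file from a known-good copy, not to edit the block out by hand.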

Now, I had Wordfence installed when this hack happened. And the scenario that I feared — that I was getting so many “User locked out” emails that I’d ignore real threats — is exactly what played out. Wordfence notified me that problems were found, and I ignored it.


Lessons learned:

  • Install a CAPTCHA on your login, registration, and password-reset forms. This stops automated brute-force attempts.
  • Install Wordfence. And if you’re getting too many alerts, find and fix the problem(s) so that you only get important emails.
  • Use strong passwords with a password manager like LastPass. You can at least prevent your own accounts from being compromised.

photo credit: Sind Ihre Daten sicher?


P.S. Right before I was planning to take the server offline I got a couple of messages from DigitalOcean saying that my server had been reported for trying to do brute-force login attacks against WordPress installations all over the globe. So the servers that were attempting to brute-force my server? They were compromised exactly like my server. My server had been roped into a botnet. And, while it was presently being used to add other servers to the botnet, presumably it could be used for nearly any nefarious purpose.