In the very earliest days of the Internet I made a conscious decision to live at least part of my online life like an "ordinary" person, that is, someone who is not well-versed in the risks of being online or the strategies for mitigating those risks. And sure enough, living like that can lead to problems.
You don't need to attend a cybercrime conference in Argentina to know that there are a lot of bad guys out there, armed with an extensive array of easy-to-use attack tools with which to perpetrate whatever online mayhem makes them the most money. But I did attend such a conference, a very fine conference put on last week by the APWG (Anti-Phishing Working Group) and sponsored, I am proud to say, by my current employer, ESET (the Latin American office of ESET, but ESET all the some).
One of the many valuable things I learned at the conference (full title: Computer eCrime operations Summit VII) was that my own impression of a rising tide of nastiness preying on Linux webservers was in line with the data that is being collected by groups like APWG. Indeed, from my hotel room in Argentina I published a timely blog post by my Canadian colleague, Pierre-Marc Bureau, on new Apache backdoor malware (the image of a back door at the top of the post was actually taken from a photo I snapped from the window in my hotel room).
From malware like that, to the mass compromise of webservers that is behind the ongoing Brobot attacks on American banks, the focus of malicious attention on Linux boxes, many of them running WordPress, many of them rented from hosting providers, is now clear. In fact, reporting of the latest APWG survey, released at the CeCOS event, leads with this finding:
A new phishing survey by the Anti-Phishing Working Group (APWG) reveals that phishers are breaking into hosting providers with unprecedented success, using these facilities to launch mass phishing attacks.
Now, as for this blog right here, it does not get a lot of traffic. Let's face it, I don't keep the content very fresh. But that didn't stop some criminal scumbag somewhere from breaking into the computer that serves up this content. No files were erased and no personal data was stolen (because there is no private data on that box). But a collection of malicious .php scripts were installed in the directory of an unused WordPress theme on an even more neglected domain. These scripts enabled the criminal hacker who put them there to use the box to launch DDoS attacks on other systems.
Ironically, up to that point the attack was not noticed by the system administrator (me) nor the hosting provider who owns the server and rents it to me. But when the DDoS capability was activated, the hosting provided was alerted, possibly by the victim of the DDoS attack, and I was informed that the server had been taken offline. That's where the fun--no sorry, the opposite of fun--began for me, but I will write that up another time. For now, here are some lessons learned:
- If you have a rented webserver somewhere--like a virtual private server, hosting slice, or web hosting account--that you have not touched or upgraded in a while, you might want check on it now.
- If you are a hosting provider, ask yourself if you could be doing more to help your customers avoid getting hacked like this. I know my provider could have done a lost more than they did.
- Do you know the current backup status of your rented webserver? Are daily backups being made? Do they include the entire servers? Does that mean the databases powering your WordPress blog[s] are backed up?
- If you use WordPress on your own/rented server, have you set the WordPress Database Backup plugin to email a database bakcup to you on a regular basis? (This saved my bacon when my machine had to be wiped out to remove malware and any potential backdoors.)
- Avoid storing any personal information--such as customer data--on your rented server. More than 45 states now have data breach notification laws which might apply to you if your server is hacked and it did have confidential personal data on it.
Speaking of private data and privacy, I have just revived my "Privacy Think" blog, partly to coincide with Privacy Awareness Week. In my latest post I highlighted the availability of my privacy book, the first few chapters of which are still a decent primer on privacy for business, despite being about ten years old (and are still free to download).