Hacked Plus Free Fiction News
For those of you showing up for Free Fiction Monday, I’m sorry to say there’s nothing new today. My website got hacked on Thursday. It was a particularly virulent attack, which made the site receive warnings from all kinds of places. If you clicked through those warnings, run your anti-virus software to make sure you didn’t get any nasty stuff on your own computer.
I’m still not sure if the hack was deliberate, meaning targeted at me. I’m waiting for the security firm’s report. I’m not sure if they’ll know. I’ve been the subject of several attacks this year, including a denial-of-service attack which came after a similar post to the royalty one I put up on Thursday, so I’m still not ruling out an intentional hack. But this attack did send folks to a Russian site, known for hacking websites with a lot of traffic, so it might have been simply a bot-related criminal attack. (There’s a sentence I never thought I’d type outside of science fiction.)
We’ve hired an internet security firm to prevent attacks like this in the future. In fact, we’ve hired two. So maybe we’re going to be in the clear from now on.
I’m not posting a free fiction story this morning. If you haven’t read last week’s, you can find it here. I’m leaving it up for an extra week.
I also want to thank all of the people who emailed me to let me know the site was down. That helped me discover the problem quickly. Thanks to everyone with tech skills who offered assistance. Major thanks to Ye Olde Website Guru who gave up his Thursday to try to resolve this. A big thanks to the Passive Guy at http://www.thepassivevoice.com, who used his large platform to get writers to spread the word about my royalties post. Special thanks to all the writers who mirrored my royalties post to get the information out. If this was an intentional hack trying to silence me, it failed. And thanks too to everyone who donated this weekend, and the campaigns to help me and Dean pay for the security service.
As stressful as this attack has been, you guys have all mitigated it 1000%. Your kindness and willingness to help has kept this from being a crisis, and indeed, constantly reminded me about the goodness in people. Thank you all.
I’m sorry about all of the inconvenience. I hope to return you to your regularly scheduled website later in the week. 🙂
I hate to tell you this, but my Kaspersky is picking up and blocking queries from that Russian site again right now. Each time I click a new page on your site, the warning is coming up. Sorry.
Yeah. I just found out this afternoon. The security service is on it, and it should be resolved. If I hadn’t opened up the site, we wouldn’t have found it. Apparently it’s really hidden. I have some folks from Microsoft working on it as well. It’ll get resolved. The irony is that the site is probably cleaner than it’s been in years, even with this. We’re just aware of it all now. I appreciate the heads-up, Catherine.
One more thing on that. I’ve been assured that pinging on my site is not downloading anything on anyone’s computer. It’s just an internal problem at the moment. I’ll let folks know if it gets worse. Frankly, I expect it to be resolved in the next 12 hours or so.
I did not check the situation thoroughly at the time.
As far as I can tell from the outside and the quick glance I took your site did not directly distribute malware. There were rather obvious redirects to suspicious sites which in turn could have distributed malware in turn, probably did. For some reason I got redirects to Google instead. Links to the sites were posted but I did not check them.
The more sophisticated attacks are much more harder to spot.
There are no obvious redirects or changes to the site. It is very common to limit the frequency of attacks to once per day and IP address. The reason for this is self explaining. If your antivirus program alerts you the alert will only happen once per day. If you reload the page or visit another page on the same domain -which most do- the payload is not delivered, you won’t get another alert and most people then think it has been a false alert and keep their mouth shut. The list of improvements goes on. IPs which are known to belong to AV companies (or governments, unless they are the target) won’t be attacked at all. It is also rather simple to exempt logged in Admins from attacks so that they won’t be alerted if they investigate complaints from their users.
The attacker may also try to tailor the payload to the browser, its plugins and OS the visitor uses which increases the chance to succeed…
The thing to remember is that distributing malware is a business of the multi billion variety and as a result the attacks get more and more sophisticated every day. – The inept ones are of course still around and continue to cause problems.
…sry for the digression, back to topic…
The PHP bug (CVE-2012-1823) was supposed to be fixed on May 3rd, the fix was incomplete and an exploit for this version has been released on the 4th via twitter. A quick search shows that a Metasploit module was released on the 5th. – Which is pretty much the definition of “This flaw gets actively exploited”.
The release of the actual fix was on the 8th. (CVE-2012-2311)
There have been various hotfixes via server reconfiguration in between.
So the timing fits and being a PHP exploit there is no need for a hole in WP or it’s plugins – but then there is no reason that this is the exploit which has been used.
You should know know much more once you have the reports. (Again, it’s the correct decision to get help once you knew that you (or your usual admins) were out of your depth.)
The lesson to learn for site owners is that sites do get hacked, malware gets distributed through them, and that keeping your mouth shut about it even after fixing an incident does not help your readers.
A lesson for everyone should be that if your anti virus program (or firewall, or whatever) throws an alert on a site it actually means that, even if a page reload won’t trigger the alert again. -That’s a sign of a rather sophisticated attack and thus only more dangerous.- And if such an alert gets triggered every other day? If you ask me that after reading through this much too long comment it must be a message from Captain Obvious. 😉
One more thing. A pet peeve of mine. Site owners… Please provide a direct tech contact on your site. If you site has been hacked and distributes nasty things I refuse to use the form mailer.
Thanks for the explanation, Chasm. I don’t know about a direct tech contact on the site. It would seem to me as suspect as the form. I don’t like having an e-mail anywhere else on the site. I’m active on Twitter, Facebook & Google Plus. Lots of folks let me know there, which strikes me as a safe way to do so.
However, the security firm we hired will check this site every four hours. Once we get a report, we’ll probably put the firm up here as a contact. Also, we’ve hired a second firm as well, and as soon as we’re sure we’ll stick with them too, we’ll have them on here also. So that will be a way to let us know there’s a breach.
Could have been targeted, but that’s unlikely. Maybe a hole in WP or a plugin. Impossible to tell without background information and competent computer forensics.
The timing also with an rather major hole in PHP which took quite some time to fix.
Wait and see. And thumbsup for handling this incident in a responsible manner! To many sweep such things under the rug, even if their site distributed quite sophisticated malware to their customers.
Thanks for the comment, Chasm. I try to help my readers with my blog, so the last thing I want to do is distribute malware, even accidentally! Still waiting for the report from the security service so that I know exactly what happened. The warnings are still up for many browsers, but I’m told that it’ll take a while for them to disappear.