Little Weasels You Want To Choke

By
Services for Real Estate Pros with API Network

Years ago, hacker implied "very smart person" but today it's often "smart person you want to choke."

Over the last few days I've spent many hours cleaning up the mess left behind by some guy that "wanted the challenge" of erasing some useful data, then replacing it with his own.

His method of attack: Stealing/sniffing admin passwords.

What a little weasel.

Open source software like WordPress, Joomla and thousands of others all have one thing in common: They have a screen where you enter an ID and password to control your site. If weasels get hold of your login info, you too will be wanting to choke strangers many time zones away.

When a site gets hacked, there are specific steps you take to get things back to normal.

1. Curse

This is the universal starting point, much like karate students use the "hee-ah" just before breaking a board. A good curse clears the mind and steadies the hand, but mostly it just comes out because getting hacked almost never comes at a convenient time.

2. Lock the site

It's a crime scene, so just like in Law and Order, get out the yellow tape and keep others from mucking up your evidence. I usually put up a message like, "We are upgrading today" followed by a smiley face. Not that he's watching, but you don't want to give the hacker the satisfaction of knowing how you really feel.

Note: If your site held important data, take the WEBSITE offline, not just the application. e.g., If you stored consumer credit info on your WordPress, suspend the site, not just WordPress.

3. Assess damage

Sometimes the little weasels only change your home page. Another common/irritating payload: inserting Viagra and Xanax ads as posts or entries into a guest book. In addition to determining what they changed, you want to learn how they did it. Think of it as a burglary. You walk around to find out what's missing then figure out which door/window they used to gain access.

4. Fix it

If you have a pre-hacked backup of your data, then it's a simple fix. Absent that, return to Step 1. Also, keep in mind "pre-hacked backup" means the backup was before your site was compromised. In some cases, I've seen hacked sites that went on running just fine for a month ... so by the time it was discovered, every backup was a different copy of the hacked site.
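As an added illustration of step 3 (this is not code from the original post): compare the live site's files against the pre-hacked backup to see exactly what was changed, added or deleted. The two directory trees and their file names are constructed here as a sample.

```python
import hashlib
import os
import tempfile

def _walk(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digests[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests

def compare_trees(backup_dir, live_dir):
    """Classify every file as added, modified or removed relative to the pre-hacked backup."""
    backup, live = _walk(backup_dir), _walk(live_dir)
    return {
        "added": sorted(p for p in live if p not in backup),
        "modified": sorted(p for p in live if p in backup and live[p] != backup[p]),
        "removed": sorted(p for p in backup if p not in live),
    }

def _write(base, rel, body):
    path = os.path.join(base, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(body)

def build_sample():
    """Constructed sample: a clean backup and a defaced live copy (hypothetical file names)."""
    root = tempfile.mkdtemp()
    backup, live = os.path.join(root, "backup"), os.path.join(root, "live")
    for base in (backup, live):
        _write(base, "index.php", "<?php // original front page\n")
        _write(base, "wp-content/themes/x/header.php", "<header>Site</header>\n")
        _write(base, "wp-content/plugins/old/old.php", "<?php // plugin the intruder deleted\n")
    _write(live, "index.php", "hacked by weasel\n")                    # replaced home page
    _write(live, "wp-content/uploads/x.php", "<?php // unknown file\n")  # dropped after the break-in
    os.remove(os.path.join(live, "wp-content/plugins/old/old.php"))
    return backup, live
```

Files that show up under "added" are the ones to look at hardest, since a leftover program is what lets a weasel walk back in later; changes to posts, comments and users live in the database and need a separate comparison.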

My Tips For Choke Avoidance

Tip 1: Don't Use Weak Passwords

A friend called me last week with some degree of panic. Their WordPress site had been hacked on the 29th of July at about 7AM EST. I know this because the hacker reported it. That was so polite.

I'm not really sure what happened, all I know is that the site was defaced and data deleted. The hacker logged in as the admin, entered the correct password then acted like a fully disgruntled employee by deleting all users, all comments and about half the posts. Before they left, they uploaded their own home page so it was clear they had been there.

Within a few minutes after they finished, they headed over to Zone-H to report their accomplishment. (yes, there are sites dedicated to collecting information about attacked websites, and in many cases, the hackers are the ones reporting the crimes)

The hacker that vandalized my friend's site had done six others (all WordPress) that same day. (maybe more, but that's all he reported to Zone-H)

I'm not really sure how he gained access, but I did confirm the admin password was weak.

Tip 2: Be Careful In WiFi Coffee Shops

99% of the time, when you are logging into your website control panel, you are sending your ID and password over an unsecured http connection. If your site is important to you, and you make changes from public locations, spend the $20 and encrypt the connection by adding an SSL certificate (so you log in via https). Another way: Use a Verizon/Sprint card to connect, since sniffing data there is much more difficult.

Tip 3: Cancel Accounts When Employees Leave

Kill IDs as soon as they depart. Even if they weren't disgruntled, it's a door you don't want open. If you have to terminate someone, then cancel their IDs before they're released. There are many websites where the disgruntled can anonymously publish IDs and passwords so weasels can take credit for "cracking" your security.

Tip 4: Don't use Admin as the ID

Often when software is installed, admin is the default ID. Change that. Weasels need two things to get into your site: ID and password. If you use admin, you've already given them half of what they need to make you curse.

Tags:
security

Sally K. & David L. Hanson
EXP Realty 414-525-0563 - Brookfield, WI
WI Realtors - Luxury - Divorce

Thank you for your words to the uninformed....that would be me....of only I had time for a coffee shop....ahhhh.....business is good and I wish you the same across the border...and good luck with those weasels...!

Aug 04, 2008 12:29 AM #1
Stanton Homes
Stanton Homes - New Home Builder - Raleigh, NC
Design/Build Custom Home Builder in North Carolina

Thank you for a reminder on how important it is to have the correct passwords - and to back up all those posts!

Aug 04, 2008 12:32 AM #2
Nancy Larson
I am a licensed referral agent in NJ - Hutchinson Island, FL

wow, Great advice. Wish I had it a month ago before someone jumped into my computer. I had a systems/32/crc error and all it did was reboot. A friend who was Microsoft Certified had me go into BIOS change something so I could restore, but I lost everything. My computer is encrypted through the bank but once I get off their system, I am on my own. I would want all computers in household to be safe. So what is next?

Aug 04, 2008 12:33 AM #3
Anne Hensel
South Beaches Real Estate Professionals - Saint Petersburg, FL
Realtor - Broker - St. Pete Beach, Treasure Island

why on earth would anybody mess with my website? I will never understand this (I am blond)

I have the strangest thing happening, there are some of my blogs you can find on Google and when you click on them you are taken to E Bay. . . . . .and all of a sudden instead of real estate info you are asked if you want to buy a purse. . . .

Aug 04, 2008 12:50 AM #4
Evelyn Panning
Property Connections Realty Inc. - Alturas, CA

We used to have graffiti on buildings now we have hackers messing with our livelihood ! ~Evelyn

Aug 04, 2008 12:53 AM #5
Dana Couch-Davis
Kendall Haney Realty Group - Memphis, TN
CRS, GRI, ABR, SRES

Thank you for the wonderful post.  I've had that to happen a couple of times and I find it very annoying.  For me it was just someone having "fun"!

Aug 04, 2008 01:01 AM #6
Carol Swain
Keller Williams Real Estate - Langhorne, PA
Realtor, -www.swainsells.com- Bucks County, Pa

Thanks for the tips. I don't understand why people (hackers) want to do this to people. Why would someone create a virus? I just will never understand.

Aug 04, 2008 01:54 AM #7
Kasey Kase
API Network - Mequon, WI
I'm not really a pirate

Nancy: Being safe at home ... depends where you live. I'm now sitting in a coffee shop where my laptop shows over 30 wifi access points. At home, I'm lucky to see even one neighbor. Best rule of thumb: Never use any public terminal/PC for anything important and only connect to important sites via https. Firewalls and all that anti-virus stuff can sometimes be just as bad as what you're trying to avoid.

Anne: That's what's called being hijacked, another form of being hacked. It happened to Al Gore last year, which headlined as another inconvenient truth. Call your tech person. Clean-up of this type is usually pain-free requiring very little cursing.

Carol: Some hackers consider this art, but most are just losers with an ax to grind and/or too much time on their hands.

Aug 04, 2008 02:24 AM #8
Hollis Tidwell
MoneyCafe USA,llc - Denver, CO

Is it a problem to change the admin or does it screw up anything else in the system? Thanks

Aug 04, 2008 03:30 PM #9
Kasey Kase
API Network - Mequon, WI
I'm not really a pirate

Hollis: In WordPress you can't change the userID from within the program, you can only change the password. To change the ID, you would need to go directly into the database. In Joomla, you can change the ID and password from the program.

Update ... I just checked the site that had been hacked and yesterday the little weasel had changed the admin ID back to his email address. This would indicate he left a program on the site that he can run to have it report the contents of the table that holds the ID and password. (This is why when a site is hacked, a full reload is often necessary)

Weasel returns

Aug 04, 2008 07:45 PM #10
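Tip 4 in the post and the comment above both come down to the WordPress users table, so here is an added example (not code from the post or from WordPress itself) that runs the two database checks against a constructed in-memory copy of wp_users and wp_usermeta: list every login that holds the administrator role, flag any that are not on your own list, and rename the default admin login. The three sample accounts are constructed; the queries are the same ones you would run in phpMyAdmin against MySQL, assuming the default wp_ table prefix.

```python
import sqlite3

# Constructed sample rows shaped like WordPress's wp_users / wp_usermeta tables.
# WordPress stores a user's roles in wp_usermeta under meta_key 'wp_capabilities'
# (the 'wp_' part follows your table prefix) as a PHP-serialized array.
SAMPLE_USERS = [
    (1, "admin", "owner@example.com"),                 # the default ID the post warns about
    (2, "editor_jane", "jane@example.com"),
    (3, "weasel@example.net", "weasel@example.net"),   # constructed: account the intruder added
]
SAMPLE_CAPS = [
    (1, 'a:1:{s:13:"administrator";b:1;}'),
    (2, 'a:1:{s:6:"editor";b:1;}'),
    (3, 'a:1:{s:13:"administrator";b:1;}'),
]

def load_sample():
    """Build the in-memory stand-in for the live database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT)")
    conn.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, 'wp_capabilities', ?)", SAMPLE_CAPS)
    return conn

def list_administrators(conn):
    """Every login holding the administrator role (step 3: see what they changed)."""
    rows = conn.execute(
        "SELECT u.user_login FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%' "
        "ORDER BY u.user_login"
    ).fetchall()
    return [r[0] for r in rows]

def unexpected_administrators(conn, expected):
    """Admin logins that are not on your own list; anything here is the weasel's."""
    return [login for login in list_administrators(conn) if login not in expected]

def rename_login(conn, old_login, new_login):
    """Tip 4 for WordPress: the login is changed in the database, not the dashboard."""
    if conn.execute("SELECT 1 FROM wp_users WHERE user_login = ?", (new_login,)).fetchone():
        raise ValueError("new login already exists")
    cur = conn.execute("UPDATE wp_users SET user_login = ? WHERE user_login = ?", (new_login, old_login))
    conn.commit()
    return cur.rowcount  # 1 when the rename took effect
```

Renaming the login alone does not help while a leftover program on the site can read the table again, which is the point of the "full reload" remark above.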
Hannah Williams
Re/Max Eastern inc. - Philadelphia, PA
Expertise NE Philadelphia & Bucks 215-953-8818

Thank you so much... I had someone go into my website and erase and change my keywords and SEO... I was wondering why I was not coming up in the search engines. I was before... I was really up there in Google search, and I disappeared... I was hacked.

I have my suspicions but don't know how to prove it?

Feb 19, 2009 01:20 PM #11
Kasey Kase
API Network - Mequon, WI
I'm not really a pirate

Hannah: Would not bother trying to find out who did it. Unless your site was configured to log all accesses, it's going to be needle-haystack stuff. You don't care about who, you care about how. While you might be able to go in quickly to fix, keep in mind that once you're hacked, it's like someone who stole your car and made a set of keys. If they did it once, they could do it again. So your mission should be to make sure your site is secure, then repair the damage.

Feb 20, 2009 03:41 AM #12
Hannah Williams
Re/Max Eastern inc. - Philadelphia, PA
Expertise NE Philadelphia & Bucks 215-953-8818

I did change passwords, like changing the locks, so I guess that mission was accomplished.

Thank you for your help and quick response.

Feb 20, 2009 04:00 AM #13