The other day, one of my websites was defaced by a scripted hack. I’m still not sure exactly how they got in, but I assume I can thank the recently identified SQL Injection exploits such as this one since the hack was accomplished by replacing the footer values in my PHP-Nuke configuration database.
During the course of a normal day, my PC tends to stay logged into IRC. Unfortunately, I’ve been working on a project lately that requires me to log in to a remote network using a VPN, and the client security policy forces all my Internet traffic through the VPN connection, which is nicely firewalled. When I log in to upload my work and test, I have to disconnect all the little utilities and applications I use that constantly access my Internet connection.
This is important because had I not been offline working, I could have dealt with my problem a bit quicker. As it was, I only found out about it because one of my online buddies dug out my phone number from whois and called me.
I’m not going to glorify the hack or the hacker by any direct mention. The defacement looked like this. As far as I can tell, the intrusion was completely scripted. My guess is that the script googles a string that somehow identifies vulnerable systems and then runs the exploit against one of the unpatched entry forms.
Sadly, the latest public release of PHP-Nuke still hasn’t fixed the bug. I think I’ll be motivated soon to migrate that site off of Nuke and onto another CMS.