So, I updated blog.adamscheinberg.com to “revision 9” on Friday, and when I went to show someone last night, imagine my surprise when I found the whole thing hosed. The site was missing entire chunks: random, non-sequential directories, gone entirely.
I’ll spare you the details: I got hacked. Someone either brute forced their way into the admin site (which is now pretty locked down, until I figure this all out) or brute forced into SSH and uploaded several malicious PHP scripts. They are scary; I actually have them intact in a backup from a few days ago. How much has been revealed? My MySQL passwords? It’s impossible to tell. Virtually everything will need scrubbing.
In the meantime, excuse any wonkiness until all is repaired. The good news is this finally forces me to finish work on the new administrative area I’ve been playing with.
You should ALWAYS use an application which checks the SSH logs for attempts at brute forcing. I have such an app installed on my machine and I have set it up to allow 5 log-in attempts from a single IP; if they all fail, the IP is blocked permanently. That may be a bit strict, but then again, I know I will not try 5 times always supplying a wrong password, and no one other than me is even supposed to gain access.
After a third party has gained access to your machine, you can’t trust anything on there anymore. There is only one solution: reinstall the whole OS.
Seriously, running a machine that has been compromised is like getting in the driver’s seat of your own car every day. The thief might drive you to the location you want, but they might also do other things …
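The log-watching approach described in the comment above (count failed SSH logins per source IP, block the IP once it reaches 5 failures) as an added Python example; this is not code from the original post or its comments. The sshd log lines are constructed samples, and the iptables command is one assumed way a blocker might apply the rule.

```python
import re
from collections import Counter

# Constructed sample sshd auth log lines (not taken from the compromised site).
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 web sshd[4021]: Failed password for root from 203.0.113.7 port 51012 ssh2
Jan 10 03:12:04 web sshd[4021]: Failed password for root from 203.0.113.7 port 51013 ssh2
Jan 10 03:12:07 web sshd[4025]: Failed password for invalid user admin from 203.0.113.7 port 51014 ssh2
Jan 10 03:12:10 web sshd[4028]: Failed password for invalid user test from 203.0.113.7 port 51015 ssh2
Jan 10 03:12:13 web sshd[4030]: Failed password for root from 203.0.113.7 port 51016 ssh2
Jan 10 03:15:00 web sshd[4102]: Failed password for adam from 198.51.100.22 port 40022 ssh2
Jan 10 03:15:09 web sshd[4102]: Accepted publickey for adam from 198.51.100.22 port 40022 ssh2
Jan 10 03:20:41 web sshd[4200]: Failed password for invalid user oracle from 192.0.2.99 port 33001 ssh2
"""

# Matches both "Failed password for root from IP" and "... for invalid user X from IP".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def count_failures(log_text):
    """Return a Counter of failed password attempts per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def ips_to_block(log_text, threshold=5):
    """IPs whose failure count reached the threshold (5, as in the comment)."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)

def block_commands(ips):
    """Render the firewall rule a blocker would apply for each IP (iptables syntax assumed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    for cmd in block_commands(ips_to_block(SAMPLE_AUTH_LOG)):
        print(cmd)
```

The single failure from 198.51.100.22 followed by a successful key login stays under the threshold, which is the case a strict permanent block must not catch.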