Unfortunately I am a trusting person…. usually… I trust people until they have proven me otherwise… Once the trust has been broken, similarly to everyone else, it is very difficult to get back. As in the physical realm such as it is in the virtual world….. trust issues are at every corner. We put a lot of trust in the people we deal with on a daily basis. Everyone from the people who host my machines to the plugins created for my wordpress installs and the permissions you give Facebook apps.. You don’t realize how vulnerable you are at any given time… do you really know what information they are gathering when you press the “agree to access my information” button on any given app?
With that in mind I became aware that one of my sites (albeit dormant) was involved in a phishing scam. I received a message from RSA.com on behalf of Citibank bringing my attention to the event. Little did I know that it was the beginning of a string of infections that brought my server to a standstill. This particular server holds about 33% of my virtual inventory… so it was a big deal being offlline for over 24 hours. I must give kudos to HostForWeb.com though, they are THE BEST at customer support….. I am a high maintenance customer yet they have been nothing but prompt and courteous during my entire tenure working with their company, which has been several years.
They did a security scan of my server (something I should be doing on a regular basis anyway) and discovered exploits in a plugin that I have been using for quite a long time….. here is a partial transcript of what they found…. I’m not going to bad mouth the plugin until I gather more information, but from my research I am not the only one who has had difficulties…. they have been accused of several shady practices… but again, I don’t have enough info to support any claims… I just know that my server was shut down for at least 24 hours while this mess was cleaned up….
{HEX}php.generic.cav7.391 : /home/ab25/public_html/rulz.php
{HEX}php.cmdshell.cih.214 : /home/ab29/public_html/vide.php
{MD5}gzbase64.inject.unclassed.429 : /home/bus1/public_html/wp-content/plugins/easy-adsenser/easy-adsenser.php
{HEX}php.cmdshell.cih.214 : /home/cc5/public_html/vide.php
{HEX}php.cmdshell.cih.214 : /home/fit2/public_html/vide.php
{HEX}php.generic.cav7.391 : /home/fit2/public_html/rulz.php
{HEX}php.generic.cav7.391 : /home/ip47/public_html/rulz.php
{MD5}gzbase64.inject.unclassed.429 : /home/mycon/public_html/wp-content/plugins/easy-adsenser/easy-adsenser.php
{HEX}gzbase64.inject.unclassed.14 : /home/mydonut/public_html/wp-content/themes/simpsons-donut-10/functions.php
{HEX}php.include.remote.436 : /home/mydonut/public_html/wp-content/themes/simpsons-donut-10/header.php
{HEX}gzbase64.inject.unclassed.14 : /home/mydonut/public_html/wp-content/themes/simpsons-donut-10/footer.php
{HEX}php.include.remote.436 : /home/mydonut/public_html/wp-content/themes/simpsons-donut-10/theme_admin.php
{MD5}gzbase64.inject.unclassed.429 : /home/mydonut/public_html/wp-content/plugins/easy-adsenser/easy-adsenser.php
{MD5}gzbase64.inject.unclassed.429 : /home/mydonutr/public_html/wp-content/plugins/easy-adsenser/easy-adsenser.php
{HEX}gzbase64.inject.unclassed.14 : /home/mygolf/public_html/wp-content/themes/THATgolf/footer.php
{MD5}gzbase64.inject.unclassed.429 : /home/mygolf/public_html/wp-content/plugins/easy-adsenser/easy-adsenser.php
{HEX}base64.inject.unclassed.7 : /home/mymarket/public_html/wp-content/themes/blue-zinfandel-enhanced-20/footer.php
{MD5}gzbase64.inject.unclassed.429 : /home/mymarket/public_html/wp-content/plugins/easy-adsenser/easy-adsenser.php
{MD5}gzbase64.inject.unclassed.429 : /home/ourtrip/public_html/wp-content/plugins/easy-adsenser/easy-adsenser.ph
All is well but I’m in the process of removing this plugin from my entire network….. which has proven to be very tedious.
So what have I learned from this mishap?
1. I wish there was a “black list” of sorts that a plugin can get on if there has been anything shady going on with it. You put your domain at risk if you deal with a bad plugin. I think I may create something myself….
2. This reaffirmed in my mind that if you can afford it and have the necessary scale, that you’re better having someone create the plugins needed (there are about 10 core plugins I use) that way there is complete control of the code. Once you have the code, hire someone else to check it to be clear there is no funny business going on. Have checks and balances so to speak. When you install free plugins, there is often a reason they are free.
3. HostforWeb is awesome and top notch in customer service… trust me, I’ve been with MANY providers.
4. It’s important to have redundancy…. If I had these sites on another server or vps so when I had a problem with one, it switched to the other I would have very little down time… Of course the problems I found on one server would have to be fixed on the other one… I could focus on the biggest ones and not necessarily all of them…
5. Double check everything and everyone! Have a checks and balances system in place, something I have actually been working on!
For God’s sake, think twice before giving that cute Facebook app permission to access your information! Don’t assume that Facebook is doing their job at protecting your online safety!
Security is a big deal online and I think sometimes we don’t take it seriously enough…. We allow online scripts and apps to access our Facebook and other social media passwords all along being exposed to the threat that we may have given them the keys to the kingdom. In my case, this exploit just needed my master server password… how it got it? I’m not certain, but it could have been everything from a root kit installed on mine or one of my partner’s computers to a facebook app….. think you’re SAFE because you primarily use a Mac or Mobile device? Keep thinking that…. but you are certainly WRONG. In the end, be careful out there and never assume anything, it’ll get you in trouble every time!
