This blog has seven days to get hacked

I’m speaking at Wordcamp Albuquerque 2013 a week from today.  My session is called Hacked!  How they hack it and how you clean it where I’ll dissect a real-life WordPress hack and show everyone how I suavely and bravely root out the hacker, sleuthily determine how he got into the site, and then kick him out and slam the door behind him.

However, there’s a problem.  I figured there would certainly be a WordPress hack on one of our hosted customer sites between when I signed up for the talk a few months ago and now.  I’ve waited and waited, and shockingly, all of our customers have listened to us and have been keeping up with their WordPress updates.   So we haven’t had a single WordPress hack to clean up.

So I need this blog to get hacked.  The sooner the better.

Oh, and to speed this thing along and I’ve reverted this blog’s WordPress code back to WordPress 3.0.  This blog currently has more vulnerabilities than a president asking congress to approve a bombing on a mideast country.

I’ll update this blog and our twitter account with daily updates on my situation.  Stay tuned.   This could get interesting.  Or embarrassing.

How many visits can a virtual server handle?

 

There are a lot of variables that go into how many hits and visits a virtual server can handle; from how efficient the site’s code is, to how beefy the host server is, to how over-sold the host server is (among other things.)   Regardless, I still thought you might be interested in seeing some real numbers from a popular web site that we host on a virtual server:

Month Total Visitors Visitors per Day Unique Visitors Unique Ratio Pages Hits BW
April 2013 285,598 9,519.9 183,722 64% 3,521,151 31,729,312 1,149.2G

 

In April, on a 4GB RAM virtual server, this site served pages to 285,000 visitors and had 31.7 million hits.

Breaking this down further we might assume that a similarly coded web application could handle about 70,000 visitors on a 1GB RAM ($39.95 per month) virtual server and about 35,000 visitors on a 512MB RAM ($19.95 per month) Brownrice virtual server.

 

What security tools do we use?

Clamav

Clamav

 

What tools does Brownrice use to alert us to a compromised hosted web site or server?  Let me show you:

OSSECA great open source tool that constantly monitors server log files and file systems in real-time. OSSEC’s log monitoring helps with an important part of PCI Compliance, it can be configured to automatically block bad guys from doing bad things, and its a fantastic tool for post-mortem hack analysis.  We have OSSEC installed on all of our hosting servers, virtual servers, and managed customer servers.  It reports back to a mother-ship server so we can keep an eye on things from a central location.

Continue reading

Remember rootkits?

Five years ago we were constantly fighting off hackers who would hack an insecure web site then try and install a rootkit so that they could own the server. Now? Nothing. They don’t even try and attack the server. We have all sorts of rootkit detection software on our servers (rkhunter, OSSEC, etc.) and I’m starting to wonder why we bother when a hacker has everything they need when they’ve compromise a web site.

WordPress hack post-mortem

Yesterday morning we had a client who’s got a site on a virtual server email to say:

Hi Oban –

I just had a business colleague say that he went to my site, got a malware warning, and his entire hard drive was wiped out instantly.
Hard drive instantly wiped out instantly?!?  Pa-leeease!
Nonetheless, this is a WordPress site so Dave looked through the code and didn’t see anything immediately out of line.  We both visited the customer’s site and neither of our hard drives were instantly wiped out (we are craaazy risk takers!)   I also looked at what Google’s Safe Browsing site currently thought of our network – which was that everyone was clean a whistle.
Dave emailed the client to say that this sounded like a false alarm but to keep us posted.   I decided to run the site through Sucuri.net’s free site scan and bingo! a javascript exploit was found.

Hacker extraction – New personal best: 10 minutes!

Last night, just before turning off the lights and harassing my wife, I received a text message from our server monitoring software saying that the mail queue on one of our shared web servers had suddenly spiked.  Lots of emails being pumped out of a shared web server is almost always the sign of something bad.

10:25pm

Logged into machine and examined one of the emails in the mail queue.  Because we roll our own PHP its compiled with a patch that inserts the full path to the script that sent the email. Years ago, when we didn’t have this patch installed, determining which site and/or script sent an email could have taken hours – or be nearly impossible to figure out.   Here’s what the mail header looked like (note: the actual web site address has been modified to protect the client):

Continue reading

Another fantastic year of uptime

Just another year of practically perfect network uptime.  How many 9’s was it exactly?  I dunno.  However, this is starting to sound redundant.  Our 2010 and 2011 uptime was also somewhere around 99.9999%.

Speaking of uptime, in case you aren’t aware, our network is “fiber cut proof.”  What does that mean?  Two of our upstream connections are via large capacity fiber optic cables, while our third is via high capacity, high speed microwave radios (the exact same technology that high speed financial traders use).  So if our two fiber cables get cut we can push all of our traffic through our backup microwave connection, and your site and email don’t miss a beat.

Mass hacks – Not in our House!

From a recent Slashdot article:

More than 70,000 websites were compromised in a recent breach of InMotion. Thousands of websites were defaced and others had alterations made to give users a hard time accessing their accounts and fixing the damage. A similar attack hit JustHost back in June, and in a breach of Australian Web host DistributeIT just prior to that, hackers completely deleted more than 4,800 websites that the company was unable to recover. The incidents raise concern that hacker groups are bypassing single targets and hitting Web hosts directly, giving them access to tens of thousands of websites, rather than single targets. While the attacks have caused damage, they weren’t as malicious as they could have been. Rather than defacing and deleting, hackers could have quietly planted malware in the sites or stolen customer data. Web hosting companies could be one of the largest holes in non-government cybersecurity, since malicious hackers can gain access through openings left by the Web host, regardless of the security of a given site.

We’ve already closed these holes.   Are you really still hosting your sites with the volume-based hosters!

~ Oban