Gone phishin’ — against my will
Within a day of my announcing to the world that I was back in business, my host suspended my site. Since that suspension also took down my site’s email, I received no explanation for their pulling the plug until I sent them an anxious message on Monday.
I had assumed that some glitch had delayed my monthly payment, but the explanation was much worse and more embarrassing. Hackers had entered my web server space and inserted files that were sending out those misleading messages from “PayPal” about your account being suspended or canceled. Youch!
So, my hosts caught on, since their server was no doubt spending a lot of time sending out emails through their SMTP service. To protect themselves, they suspended my account and my site until we could correct the problem.
This blogsite lives alongside another, nearly dormant site of mine oriented toward computers. For several years now, I have been a reasonably happy and competent user of php-nuke, an open source content management system (CMS). Nuke has a well-deserved rep for being a security nightmare, but with care and skillful coding by technically adept users, it can be made into a safe, reliable CMS.
Almost. Several weeks ago, hackers exploited a weakness in one of php-nuke’s scripts and slipped past my site’s defenses to essentially wrest control of the site from me. I corrected the problem and restored the site from backups, sure that I had closed all the holes.
Or so I thought. Both my host and I had noticed that extra directories and files had appeared in my webspace, so we deleted them. My host recommended I change my passwords, which I did for the CMS but not for cpanel (the control panel for the webserver) or for the databases that support the sites. BIG MISTAKE!
The earlier exploit clearly had enabled the hackers to get my cpanel password, so they could exploit my little share of the webserver. They added directories containing their PayPal phishing scripts (in several places, as it turns out), created a subdomain for hapless mail recipients to be directed to, and used my webspace to serve up spam.
Oh, the shame!
My hosts restored my site yesterday, after deleting what they assumed were all the offensive scripts. They changed my cpanel and database passwords for me, and allowed this site to come back alive again. Yay! The original CMS is still dead in the water, because of the password change, and may stay that way. I have an alternate site already in place.
My further investigation into the exploit turned up the same offending scripts in a few other places in my webspace, so my host did not exterminate all the bugs. I need to check a third time to make sure I have completely sanitized the site.
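Checking a webspace "a third time" is exactly the sort of job a script should do rather than eyeballs. The following is an added example, not something from the original post or from my host: it compares the live webroot against a clean backup and lists every file the backup does not contain, plus any PHP file that calls mail() or mentions PayPal, which is what a phishing kit like the one described here does. The directory names are assumptions; point it at the real webroot and backup.

```shell
#!/bin/sh
# Added example: audit a shared-hosting webroot after a compromise.
# Usage: audit_webroot.sh /path/to/live/webroot /path/to/clean/backup
# Both paths are assumptions for illustration, not the author's layout.

# Print paths (relative, "./..." form) that exist under the live tree
# but have no counterpart in the clean backup. Anything listed here was
# added after the backup was taken and needs explaining.
find_foreign_files() {
    live="$1"; clean="$2"
    (cd "$live" && find . -type f | sort) | while IFS= read -r rel; do
        [ -e "$clean/$rel" ] || printf '%s\n' "$rel"
    done
}

# Print PHP files under the live tree that call mail() or mention PayPal.
# Legitimate CMS code may hit this too, so treat it as a review list,
# not a verdict; hidden directories (e.g. images/.cache) are included
# because find does not skip dot-names.
find_suspect_php() {
    (cd "$1" && find . -type f -name '*.php' \
        -exec grep -lE 'mail[[:space:]]*\(|[Pp]ay[Pp]al' {} + 2>/dev/null) | sort
}

# Union of both checks, one relative path per line, no duplicates.
audit_webroot() {
    live="$1"; clean="$2"
    {
        find_foreign_files "$live" "$clean"
        find_suspect_php "$live"
    } | sort -u
}

# Run the audit only when called with both directories on the command line.
if [ "$#" -eq 2 ]; then
    audit_webroot "$1" "$2"
fi
```

Files that show up only in the first check (not in the backup, no mail() call) still deserve a look: the subdomain pages and spam templates in this story would not contain PHP at all.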
Meanwhile, php-nuke and I are parting company for a while. I’m ditching php-nuke for the foreseeable future in favor of Joomla, another open-source CMS that seems more secure. I already had a Joomla test site up and running, so moving the remaining nuke content over won’t be a headache. My host is cool with my keeping the nuke site, but they have the mistaken impression that later versions of php-nuke are more secure than the older ones. Nothing could be further from the truth. The newer versions (after 7.7, if you care to know) are accidents waiting to happen. I know. Believe me. I know.
———————————————-
PS: I would like to acknowledge the help offered by the following parties. Visit them.
Planet Earth Hosting (www.pehosting.com), my hosts, who are always quick to spot problems and are really nice to work with.
Castlecops (www.castlecops.com), computer security experts, who sent me an email advising me of the exploit on Monday. Unfortunately, since my site’s email was down, I didn’t get the message until after we fixed the problem.