Another client of ours suffered a minor hacking attack, and I thought I’d take a moment to let you know how we think it was done, so you might be able to avoid it yourself.
Susie was editing a client’s site recently (for the purposes of this attack, it doesn’t matter which one) and noticed that in the content management system, ExpressionEngine, there had been a number of nearly invisible links added to many of the templates, including the footer.
What was added was a one-pixel image that linked from the client’s site to a site that offered recipes—chicken recipes, to be exact. That site had zillions of Google ads, and not much in the way of content. The site was owned by someone in Romania with a Gmail address. It was essentially a site whose sole purpose was to gather searchers looking for recipes, which are a commonly searched item online, and turn those searches into cash.
In addition to the template changes, there was also a small graphic added to the client’s images directory. So whoever did the hack had FTP or file-level access, as well as access to the database.
All in all, it was an almost undetectable hack, with very little consequence to the site in question—all our client’s site was doing was giving this chicken recipe site a boost in search engines, by pointing links to it from every page. We figure that the change had been in place for at least several weeks, perhaps longer.
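Because the injected links were near-invisible, a quick scan of exported template HTML for off-site anchors hidden by a one-pixel image or by CSS is a practical way to catch this pattern early. This is an added example, not ExpressionEngine code or anything from the site in question; the footer markup and hostnames are constructed placeholders.

```python
# Added example (not ExpressionEngine code): flag anchors to off-site hosts that are
# hidden by a one-pixel image or by CSS, the pattern found in the injected templates.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

HIDE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(width|height)\s*:\s*[01]px", re.I)

class HiddenLinkScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []      # (href, reason) for every suspicious link
        self._open_href = None  # href of the external <a> we are currently inside

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            href = a.get("href") or ""
            host = (urlparse(href).hostname or "").lower()
            if host and host != self.site_host:    # link leaves the site
                self._open_href = href
                if HIDE_RE.search(a.get("style") or ""):
                    self.findings.append((href, "anchor styled invisible"))
        elif tag == "img" and self._open_href:
            tiny = (a.get("width") or "").strip() in ("0", "1") or \
                   (a.get("height") or "").strip() in ("0", "1")
            if tiny or HIDE_RE.search(a.get("style") or ""):
                self.findings.append((self._open_href, "one-pixel/hidden image link"))

    def handle_endtag(self, tag):
        if tag == "a":
            self._open_href = None

def find_hidden_external_links(html, site_host):
    scanner = HiddenLinkScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed footer template imitating the injected markup; hosts are placeholders.
SAMPLE_FOOTER = """<div id="footer">
  <a href="https://www.example-client.com/contact"><img src="/images/mail.gif" width="16" height="16"></a>
  <a href="http://recipes.example.invalid/chicken"><img src="/images/sp.gif" width="1" height="1" alt=""></a>
  <a href="http://recipes.example.invalid/" style="display:none">chicken recipes</a>
  <p>&copy; Example Client</p></div>"""

if __name__ == "__main__":
    for href, reason in find_hidden_external_links(SAMPLE_FOOTER, "www.example-client.com"):
        print(f"{reason}: {href}")
```

Run it over each template exported from the CMS (or a crawl of the rendered pages) and review any hit whose target host you do not recognise.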
We immediately changed every password on that server—EE passwords, FTP passwords, and email passwords—and removed all the links, which was a bit of a whack-a-mole hunt.
We’re almost certain that the attacker first got the FTP password, and from there identified the EE database password by looking through the files. He (hackers are usually ‘he’s) then inserted the code into EE directly by accessing the database. There’s clear evidence that the EE interface was not used to insert the recipe links.
So, how did the attacker get the FTP password? Well, that’s unclear. But if you use regular FTP, there are many points between your computer and your server that the password, which is sent unencrypted, can be captured—from intervening routers, from an unsecured wifi network, etc. So starting immediately, we’re going to start using SFTP for every client, for every connection. (We had been using SFTP for some sites, but not as a universal policy.)
If you still use regular old FTP, you’re taking a risk that simply doesn’t need to be taken—like leaving your keys in your car.
And if you’re using EE—it looks like there’s at least one sophisticated hacker out there who can figure out how to subvert your EE installation simply with database access. EE is as secure and safe as any system I’ve used, but if it’s on an unsecured server, it’s just as vulnerable as the worst software out there.