Pwned

Yesterday, around 2pm, The Nottingham Hackspace website was broken into and all the content deleted.

Matt Lloyd and I spent a lovely afternoon before the members meeting trying to track down the various issues and identify the vector that was used to break in.  This is what we know so far:

  • The original break-in happened in early June, and injected a fairly well known zend_framework hack – no content was compromised at this point
  • It did, however, open up a big hole in WordPress
  • It also spread very efficiently – every writable PHP file on the server ended up with the injected code
  • Yesterday, someone (possibly the same person) exploited that hole to break into Dominic’s account on WordPress
  • They proceeded to delete everything
  • They then wrote us a very nice post entitled “SUM TING WNT WONG”

We (mostly Matt) have now restored all files, posts and pages and most images.  If you notice anything out of place, please let us know.  All WordPress users will need to change their passwords, and your permissions have been temporarily changed to “Subscriber”.  We will let you know when to change your password – there is still a bit to do yet.

Unfortunately, as the wiki and WordPress share a database, we have lost the last 4 days of wiki edits.

So, lessons learnt:

  • Keep your WordPress install and plugins up to date
  • Separate the wiki and WordPress databases
  • There are plugins available that keep an eye on the core WordPress code (such as “Exploit Scanner”)
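
A minimal sketch of the kind of check the last lesson refers to, written for this page as an added example (it is not the Hackspace's code and not how the “Exploit Scanner” plugin works). It hashes every PHP file under a web root, compares the result against a stored baseline, and lists the files the web server's user could write to; the command-line arguments and function names are assumptions.

```python
import hashlib, json, os, stat, sys

def snapshot(root):
    """Map each .php file under root to [sha256, owner uid, group gid, mode]."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".php") and os.path.isfile(path):
                st = os.stat(path)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                snap[os.path.relpath(path, root)] = [
                    digest, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)]
    return snap

def compare(baseline, current):
    """Files whose hash changed, plus files added or removed since baseline."""
    return {
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p][0] != current[p][0]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }

def writable_by(snap, uid, gids):
    """Files the given uid/gids may write, per POSIX mode bits (ACLs ignored)."""
    hits = []
    for path, (_digest, owner, group, mode) in snap.items():
        if uid == owner:
            bit = stat.S_IWUSR      # owner class applies, even if group is looser
        elif group in gids:
            bit = stat.S_IWGRP
        else:
            bit = stat.S_IWOTH
        if mode & bit:
            hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    # Assumed usage: check.py WEBROOT BASELINE.json WEB_SERVER_UID
    root, baseline_file, web_uid = sys.argv[1], sys.argv[2], int(sys.argv[3])
    now = snapshot(root)
    if os.path.exists(baseline_file):
        with open(baseline_file) as fh:
            print(json.dumps(compare(json.load(fh), now), indent=2))
    else:
        with open(baseline_file, "w") as fh:
            json.dump(now, fh)  # first run: record the baseline
    print("writable by web server uid:", writable_by(now, web_uid, set()))
```

The baseline is only useful if it is taken from a known-clean install and kept somewhere the web server's user cannot write to.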