Conversation with a hacker – in the WordPress .htaccess file

Every once in a while WordPress sites get hacked.

It can happen for a number of reasons but it’s usually due to either insecure themes or plugins which use code that was poorly written and/or code that has not been maintained or updated.  The key point to this is to make sure that the themes and plugins you use are actually supported.  I actually prefer plugins that are “for pay” and maintained.

I also make sure to maintain incremental backups every 6 hours, daily, weekly and monthly for up to 6 months.

Anyhow for the last several months we’ve been dealing on and off with a link hacker. At times he’s taken down a site and we’ve restored a backup. None of the scans showed the exploits he was using and the logs didn’t provide the information that we needed to identify him or the exploit. (This one was actually built into the theme a hosting client was using.)

Anyhow, yesterday during a routine check I noticed that some link pages were up on this site again. So I made some changes to the files and killed them. A few minutes later they were back and this continued for about 30-45 minutes where to my surprise the hacker started to engage me in conversation in the .htaccess file.

Curious and not sure if this was part of a more elaborate script I decided to respond back. And then the fun began.

I did this to bait him for two reasons: 1) I was trying to get him to open up and identify himself which I knew wasn’t likely, and 2) I was trying to get him to communicate enough so that we could monitor the log files and figure out which IP(s) were him. We were actually able to find 5 different IPs that he was cycling through trying to be stealth – of course, all using proxy’s.

#do not make me angry
#why?
#I do not want to harm your site,but if you do not calm down…
#I’m very calm and I like to play…
#I like you dude
#Then why are you fucking with my friends?
#you’re gay? lol
#tell my wife… my life might be easier.
#how old are you?.
#I don’t understand?
#I’m 43 – how old are you? – This is actually kind of fun…
#I’m 32  – This is actually kind of fun and for me…
#:)  I used to do what you do – but long before the internet.
#No, but do it before the internet was impossible
#I started in 1981 with a Commodore 64 – right before you were born….
#I have to leave right now,I was very glad to talk with you…
#Do you have to go to work now? – Curious if the links pay well?
#this is my job – not bad
#cool – curious if I can hire you for some security work some time? I do this site for a friend so I don’t get paid to help them.  But I have other paying clients.
#talk to you later,in an hour.
#OK
#I’m here
#I see…
#how much you earn per month?
#probably much less than you.
#my job is profitable but very nervous,not all such nice people like you…)
#Is it often that you engage people in the .htaccess file? Curious how often they write back…
#you are the only one who answered…)
#At first I was curious if it was part of a script – so when you answered back I figured why not?  How long have you been in this line of work?
#4 years
#Cool… The proxy you are using has a reverse IP from Turkey.  I’m in California. Figured you were in Turkey or France.
#if you have good websites they can earn good…
#so where do we go from here?
#in sense?
#I don’t know.  For my friends I need to secure their site.  At the same time you may have some knowledge that could be valuable to me and others so I’m wondering if I could hire you from time to time to try to hack sites and let me know if they are easily exploitable.
#I myself did not break anything, I buy from other compromised sites
#but if you have a server where the good sites that we could cooperate.
#I’d love to say yes and make more money but my friends would probably not want to do it. And the outbound links cost them SEO value as well.
#these actions do not harm the sites, and I have stamped links to these sites that affects good for seo.
#but they show up on site:[website].com and it makes them look like they are selling drugs
#it sees only those who need drugs – and site admin…)
#I can’t do it.   Are you available to try to hack sites for a fee? Hey – are you Czech?
#I wrote that I did not hacked sites I buy from those who hacks – No.
#Oh, I see.  What kind of CPMs do you usually get?  I do have some other sites
#they pay me% of the purchases,if you have a good site, you can earn a month 500-1000 $
#OK you can email me at [email address] – but for this site I need to clean it up.  I’m sorry man. I don’t own it and they don’t want the ads or spam emails sent. ;(
#do not do it.
#I have to… I’ve enjoyed chatting. Feel free to email me.  I’m locking you out now.  Goodbye.

After identifying his IP addresses we were able to crawl through the log files and see all of the files that he touched – even going back to March.  We deleted and all non-critical material and then proceeded with fresh installs of everything.

Now it’s only been ½ a day since the event and we’ve seen him continue to attempt to infiltrate the site – but so far he’s been unsuccessful.  Even better, because we are monitoring his IP’s we are watching to see everything that he’s trying so that we can test his methods against all of our client sites.

The 4 Year Rise of Mobile (Android/iPhone)/OSX and the Decline of Microsoft Windows OS (w/ stats to prove it)

The 4 Year Rise of Mobile (Android/iPhone)/OSX and the Decline of Microsoft Windows OS (w/ stats to prove it)

This morning I ran across an article on Digg about OSX 10.7 (which I’m pretty fired up about) – and it got me wondering…

What does OS usage look like on one of my more popular sites and what are the implications for the development community as it adapts to consumer use?

For stats I’m using one of my sites called RinkTime which is a directory site that helps skaters find rinks throughout North America. This year it’ll serve 5,000,000 visitors.

Anyhow, the best part of RinkTime vs. a lot of the other sites who report traffic, browser and OS numbers is that it’s audience really is middle-American families – and I think it demonstrates a pretty good cross spectrum of users – unlike a lot of sites who cater to a technical or business crowd.

So, here’s what we’ve got.

Starting with 2006

Microsoft Windows OS 2006 RinkTime.com Operating System StatsDominance with a 94.48% visitor-share… Apple/Mac had just 5% of the visits and Linux a measly 0.18%.

2007 & 2008

2007 RinkTime.com Operating System StatsAlso notice that PalmOS which registered 0.02% in 2007 and 0.05% in 2008 has disappeared. Blackberry which didn’t register until 2009 with 0.16% grew to 0.59% this year.

2008 RinkTime.com Operating System StatsBut the BIG movers are the iPhone/iPod (and soon to register iPad) devices…

In 2007, the iPhone registered just 0.07% of our visitors. That grew to 0.62% in 2008 turning it into our 3rd most popular OS behind Microsoft and Apple in 2008.

2009 – The Year of Mobile

2009 RinkTime.com Operating System Stats2009 was truly the Year of Mobile though in the US with the iPhone growing to 1.77% of our visitors and iPod growing to 0.53%. 2009 was also the year that Android debuted with 0.40% visitor-share.

2010 in Summary

2010 RinkTime.com Operating System StatsThis year to date, January 1, 2010 through June 5, 2010 it looks like this…

Microsoft is still in the dominant position with 82.23%, but has taken a huge hit with Apple growing to over 10%. And when you combine Apple OS, iPhone, iPad and iPod Touch, Apple owns over 14%. And Linux even being considered an “experts” OS (simplified) has doubled in use. (Most may not consider it being worth mention however I think that’s an important stat.)

Android is making gains on the iPhone visitor-share with a 1.33% share – iPhone usage has grown to a 3.07% share.

Trends – January vs. May, 2010

2010 RinkTime.com Operating System Stats

Finally, lets look at January, 2010 vs. May, 2010 for a picture of today which we can use to establish a trend for mobile and Android‘s rapid growth due to Verizon’s adoption of the Android OS as well as the other carriers.

January vs. May 2010 RinkTime.com Operating System Stats

The iPhone during the 1/2010 to 5/2010 still grew from 2.87% of our visitors to 3.16% (+0.29%) but the Android use grew from 0.99% to 1.79% (+0.8%). It’s all pretty interesting – but the bottom line is that when we build websites, we must be aware of the growth in activity of mobile – and design for these devices as well as the standard and ever changing OS environments.

In my next post, I’ll let you in on something big – the future of search….The ultimate measure that any and all search engines will use as a basis for who ranks for what…

Jim Rohn – He Will be missed…

“Failure is not a single, cataclysmic event. You don’t fail overnight. Instead, failure is a few errors in judgement, repeated every day.”

Those are the words of a wise man by the name of Jim Rohn.

Jim was a motivator, an inspiration, a teacher of wisdom and a guy who just made common sens out of things which many of us just find confusing because they are so damn basic.

If it weren’t for Jim, we’d probably not have Tony Robbins and literally hundreds or even thousands of other life changing people who have influenced hundreds of millions.

One of many things he said that I constantly need to remind myself of is this: Give whatever you are doing and whoever you are with the gift of your attention.” Jim Rohn

When times are tough, it’s guys like this who help get us through.  Watch these three quick clips of him doing what he did best.  He’ll be greatly missed.

Read some great quotes by Jim.