It started with a reused password. And it ended with 30 sites redirecting site visitors to a PC malware installer.
An agency was hosting all of their client sites, 30 of them, in a single cPanel installation. The agency owner also gave his clients administrative access to their sites.
One client was reusing a password that got exposed. The hacker logged in and went straight to the theme editor.
There, they edited that particular site’s 404 page, the page that a visitor sees if they request a nonexistent page, so that it showed a PHP-based backdoor. The hacker then used that backdoor to append a JavaScript redirect to the end of every JavaScript file in the entire hosting account.
The hacker likely didn’t know that they were compromising 30 websites. But the code was efficient. Because PHP for all 30 sites was running under the same server-based user account, every file in the hosting account was vulnerable. And every JavaScript file got that redirect.
It didn’t take long to clean up. A simple search and replace to remove the appended JavaScript set the sites back to normal.
Reviewing log files for 30 sites was the more mind-numbing activity. It was there I was able to see the login and 404-page editing that told the story.
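The log review described above, as an added example that is not code from the original post: a small triage script that reads web-server access-log lines and pulls out the sequence the story turned on, a successful login followed by activity in the built-in theme editor, grouped by client IP. The combined log format and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx "combined" access-log format (assumed to be what the host provides).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one actor fails a login, succeeds, then opens 404.php in the
# theme editor; a second actor only logs in and works in the post list.
SAMPLE_LOG = """\
203.0.113.9 - - [12/Jul/2021:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4012
203.0.113.9 - - [12/Jul/2021:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.9 - - [12/Jul/2021:03:15:40 +0000] "GET /wp-admin/theme-editor.php?file=404.php&theme=twentytwenty HTTP/1.1" 200 30110
203.0.113.9 - - [12/Jul/2021:03:16:02 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0
198.51.100.4 - - [12/Jul/2021:08:02:13 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [12/Jul/2021:08:02:20 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 8901
"""

def classify(line):
    """Map one log line to (ip, ts, event), or None if it is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, url, status = m.group("ip", "ts", "method", "url", "status")
    parts = urlsplit(url)
    # WordPress answers a successful wp-login.php POST with a 302 redirect;
    # a failed attempt re-renders the form with a 200.
    if method == "POST" and parts.path.endswith("/wp-login.php"):
        return (ip, ts, "login-success" if status == "302" else "login-failed")
    # Any hit on the built-in theme editor is worth a look; the file being
    # edited is in the query string of the GET that opens it.
    if parts.path.endswith("/wp-admin/theme-editor.php"):
        target = parse_qs(parts.query).get("file", ["?"])[0]
        return (ip, ts, f"theme-editor:{target}")
    return None

def triage(log_text):
    """Return {ip: [(ts, event), ...]} for IPs that both logged in and touched the editor."""
    timeline = defaultdict(list)
    for line in log_text.splitlines():
        rec = classify(line)
        if rec:
            ip, ts, event = rec
            timeline[ip].append((ts, event))
    return {ip: ev for ip, ev in timeline.items()
            if any(e == "login-success" for _, e in ev)
            and any(e.startswith("theme-editor:") for _, e in ev)}
```

Running `triage(SAMPLE_LOG)` keeps only the first IP, with its failed login, successful login and the two theme-editor hits in order; the second IP logged in but never touched the editor and is dropped.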
What made this the worst hack was simply the sheer number of sites affected by such a simple intrusion.
What are some of the things we can learn from this?
🔑 Don’t reuse passwords. Passwords should be long and unique. You’ll need a password manager at this point. There are quite a few good ones on the market.
☝️ Isolate sites. Don’t host more than 1 site per hosting panel. If you are going to put numerous sites under 1 server-based user, make sure that you secure it tightly. (I know. Plenty of folks do this. Be prepared for the consequences: if a single site gets hacked, all sites are at risk.)
🔐 Principle of least privilege. Did that agency’s customer need admin access? Likely not. Give your customers only as much access as they need to do the job that they have to do. Most of the time, that doesn’t include managing plugins, themes, or other higher level administrative tasks.
✍️ Turn off site editing. Once a site is in production, the likelihood of having to edit site layouts is pretty low. Turning off site editing would have made this hacker’s job much harder and the damage done much less.
🗄️ Back up off server. This hack also underscores that a security plugin, had one been installed, would have been at risk from a script that tampers with files the way this one did. If your backups are stored in the same space as your site, they are at risk of being tampered with too, and backups also contain a number of sensitive site data points. Always back up your site off server.
Are you dealing with a hack? Maybe you want to prevent one? I provide both remediation and auditing services. Contact me for details.
This post was originally a part of the Zantastic newsletter sent on July 14. Subscribe below.