July 08, 2002
A Fellow Blogger Hacked?

Some time in the last two or three hours, Lane McFadden's site was apparently hacked and taken over by someone called [name deleted], with a slogan that mentions "the f***ing Brazilian skill". Well, they didn't use the asterisks. Is "the Brazilian skill" anything like "the English vice" or "the Greek position"? If so, just what skill are Brazilians known for? Besides soccer, I mean.

If you click on their link to find out more about them (don't!), you get a message along the lines of 'Now you've given us what we want' and a cookie is put on your hard drive. (The wording is just a guess because I didn't stay long and have no intention of returning.) Of course I deleted the cookie immediately, but it still worries me.

Motive is unclear:

  1. Is this set up to help them steal passwords, credit card numbers, or other sensitive information? The cookie and the message suggest that it may well be.
  2. Are they just assholes who get a thrill from trashing someone else's site? If so, the cookie may just be a way of spreading fear for their own sadistic pleasure.
  3. Was it something Lane said? If other warbloggers get hacked, this hypothesis becomes much more likely.

Three more questions for people who know more about these things than I do:

  1. Other than making sure our files are all backed up and deleting the damned cookie, is there anything else we can or should do to protect ourselves?
  2. How much damage could they have done with the cookie in the 15-20 minutes it was on my hard drive?
  3. Could someone who has his e-mail address or telephone number please let Lane know, just in case he's been off-line? If he has anything to tell us about the attack that we should know, I'll be glad to post it here.

Update: (6:33 PM)

Lane's site is back up, apparently none the worse for its temporary hijacking, with no report on what happened. I've deleted the name of the hackers from this post, along with their slogan, not wanting to give them any glory -- or attract their attention, either. Readers may e-mail me if they really need the information. Otherwise, I'll let the post stand pretty much as written, on general principle.

Update: (11:22 PM)

Lane's report is up, too, also some remarks in my comments.

Posted by Dr. Weevil at July 08, 2002 04:56 PM

Cookies are not, so far as I know, a serious problem. They do have the potential for allowing someone to track you in certain pernicious ways, but I'm not aware of any cases where a cookie can lead to a direct security break.

On the other hand, at least one of the viruses moving around out there right now has, among its other kinds of spread mechanisms, the ability to spread from a web site to a user's computer via an ActiveX control. If the computer in question is also a web host, it then becomes infected, and it may also try to spread itself through one of the classic Outlook exploits.

I have not visited the hacked site, but I'm more inclined to think that they're just trying to play mind games with you.

With respect to protecting your own site, backups are a good thing. Keeping your server up-to-date on patches is a good thing. Keeping a low profile is a good thing. Being careful about what kinds of programs you run is a good thing. (If you're using "formmail.pl", get rid of it.)

But keep in mind: the ocean is large and you're a very small fish. And there's no such thing as perfect security. (Which is why backups are a good thing.)

Posted by: Steven Den Beste on July 8, 2002 05:18 PM

Thanks, that's somewhat reassuring.

As for server patches, you do mean only if I'm hosting my own site, rather than letting Earthlink do all that, right?

And I wonder whether keeping a low profile includes not mentioning the bastards' site-name here.

Posted by: Dr. Weevil on July 8, 2002 05:22 PM

Status report:

The result of the hack was the replacement of my index.html page with another. I just copied my backup on top of theirs (after mailing a copy of theirs to my host provider), republished with MT, and voila.

I've done what little bit I can on my end, but don't know what security loophole was exploited so until I hear that (which, needless to say, I will not mention in detail publicly) I don't have much to report.

Posted by: Lane on July 8, 2002 08:16 PM

Unless they're those darned Travis Tritt Horse Hackers I think you're probably OK....

Posted by: Martin on July 8, 2002 08:18 PM


Problem resolved, host provider not to blame, recurrence unlikely, the remainder of the blogosphere has nothing to fear. Not a personal/political attack at all, simply the result of running on an educational institution's notoriously lax network. Cheers.

Posted by: Lane on July 8, 2002 09:16 PM

Wait a sec...in all the hoo-hah, I neglected to notice your headline: "Warblogger hacked." "Warblogger?" Ick! Seeing as how about 3% of my posts are war-related, I prefer the term "Vanity Site Operator" or even "Cute-as-a-button Blogger."

Posted by: Lane on July 8, 2002 10:47 PM

Sorry about that. Fixed now. I don't consider myself a 'warblogger' either, and usually try to spend more time thinking of an appropriate title.

Posted by: Dr. Weevil on July 8, 2002 11:29 PM