How we survived yesterday's hack
From michael at The Body Electric Mall on 21 October '98
Hello...this will be a bit lengthy, but I thought it would be of interest here, so here goes...

Yesterday, the Body Electric Mall was hacked. More specifically, our remote ISP was hacked, and since we reside there, we were the proud recipients of some interesting computer piracy. It started out at about 8 a.m. PT. I had to get two new sites uploaded to our domain for the purposes of a Yahoo banner campaign we had just undertaken. Now, before I go further, let me explain my role as 'webmaster'. I am technically not remotely qualified for such a title, but, as a trained graphic designer and writer, I oversee the look and content of the site, as well as interface with our marketing dept. on what should and shouldn't happen there. So I continue to live with this title, though 'design director' would probably be more accurate. Anyway, the guy I usually rely on to trouble-shoot code was off for the day, so I was fine-tuning these new sites to get them web-ready (more importantly, to get them ready for anyone who would hit off these shiny new Yahoo banners).

At about 9, I started getting 'forbidden access' errors as I tried to upload data. This kinda set me on edge. A 404 error, I could understand...maybe I just misnamed or mistyped a URL, but a 'forbidden error' meant there was probably something going on that prevented me from accessing my domain. Well, I switched over to another computer (a Mac, as it happens) and tried to access the files I already had via Netscape. "Forbidden access". Now I'm reaching for a dog-eared roll of Tums. So I try pulling up the Body Electric Mall at large. "Forbidden access". Not good. I would later find out that this was my hacker friend changing password protocols.

I called the ISP and detailed my findings. They gave me a big, unsatisfactory song and dance about having a server problem that should be corrected in a few moments. About 20 minutes later, I logged on again and found the Body Electric Mall, but neither of the two new sites. (Remember, my Yahoo banner campaign starts this very day and is contingent on these two sites being active.) Also, all the time-sensitive data on the B.E. Mall is gone and replaced by ancient data...almost three weeks old. I suspect that my ISP is not doing timely backups, and I call them to tell them as much. Once again, I get the big song and dance about "well, we can't account for every server problem" and "you need to have that data backed up so you can just re-upload it when this happens". Well, of course I have accurate back-ups on my end, but it's a pain in the ass to be uploading data that should be sitting nicely in my ISP's backups. Takes time and computer resources. Besides, I'm the VICTIM here...I'd like some assurance that this is under control on their end.

Plus, something just wasn't sitting right. This sort of thing had been happening ever since I saw some mysterious .vti files appear in my domain some weeks back. I assumed that they were having occasional problems with the server, which would come online within a few minutes, and they just hadn't been backing up data properly. It hadn't really fazed me until today (yesterday), when I desperately needed Yahoo to FIND these new pages. Now it was really bugging me. They told me "you must not be overwriting your data on the remote site". Well, I'm not the greatest web wiz of all time, but it seems to me that if I'm not overwriting data with the proper file-names, my links won't function. It doesn't take a brain surgeon to notice that.

But I let it go and just worked to get the files back up. But something just wasn't sitting right. And I'm the type of person who, if things can be fixed, well then whatever, I'll live with an answer I don't find quite satisfactory on their end. As long as I have back-ups and Yahoo doesn't flush our campaign due to bad links, that's what I'm really interested in. Something was still bugging me though. So I called them up again later and just said "look, I don't want to beat a dead horse here, but I need to make sense of this" (I am, after all, stuck with this webmaster title). So we go around and around and they start to get pretty testy. So, I stopped the direction the talks were going and said "okay, let's slow down. We all can at least agree on the fact that none of us quite knows what the hell is actually happening here. Let's begin there and postulate on what IS going on." So my ISP speculated that we might be getting hacked. Well, fine...I'm willing to consider that. We have competitors, so it's within the realm of possibility, but I still contend that "my site is located at YOUR place of business".

About then, another person in my office pulled up the ISP's actual homepage and found it was dated September 28th. I communicated this to the person on the phone and they were like "that's not possible...there's no way". About then, I had this flash of what might be going on. I said, "you'd better get online and see if you can track any incoming data". Sure enough, he hung up and found he was being hacked through OUR router. Someone had dialed in via Telnet (thanks to a loophole in the system), hit our router, and while they weren't able to go back through our firewall to our local system here, which contains sensitive order and credit card info (and is frankly outside my area), they went right down to my ISP and proceeded to start uploading outdated data they had procured in the previous weeks. Apparently (and I haven't confirmed this yet, because it's my personal theory), my ISP had contracted some work to a person in Seattle who either used some FrontPage extensions or ActiveX as a backdoor into the system, or someone who got ahold of their equipment exploited this for a little virtual joyride.

Anyway, sorry to take up all your time with this, but I thought it would be of interest. To be honest, the scariest part was that I nearly let it go. If something hadn't bugged me enough to grind a satisfactory answer out of my ISP, I'd probably be offering June '98 Special Offers on my website right now. I think it pays to make people answer *all* your questions *to your satisfaction* when it comes to your online business interests. If I hadn't, not only would I probably still be tearing my hair out today, but this guy could just flat be out of business.

Also, if any of you have further feedback, I'm more than interested to hear it. Thanks for taking the time to slog through this whole thing.
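The lesson the post draws is that the rollback went unnoticed for weeks because nobody was comparing what the ISP served against the owner's own back-ups. The script below is an added example, not code from the original post or from the Body Electric Mall; it assumes the site owner keeps a local master copy of the site (the author says they have accurate back-ups) and can fetch the live files from the ISP, and it compares the two by content hash. Files present in the back-up but missing or altered on the live site are reported, as are files that appeared on the live site without being uploaded; the "vti" heuristic is a constructed one, prompted by the author's mention of unexplained .vti files. The sample data is constructed inline so the script runs offline; fetching the live files is left out.

```python
import hashlib

# Constructed sample data modelled on the incident in the post: the local
# master copy (the author's own back-ups) and what the ISP served that day,
# with the front page rolled back to September content, the two new promo
# pages missing, and an unexplained FrontPage-style directory present.
LOCAL_BACKUP = {
    "index.html": b"<h1>Body Electric Mall</h1><p>October 1998 specials</p>",
    "promo1.html": b"<h1>Yahoo banner landing page 1</h1>",
    "promo2.html": b"<h1>Yahoo banner landing page 2</h1>",
    "images/logo.gif": b"GIF89a...constructed placeholder bytes...",
}
LIVE_SITE = {
    "index.html": b"<h1>Body Electric Mall</h1><p>September 1998 specials</p>",
    "images/logo.gif": b"GIF89a...constructed placeholder bytes...",
    "_vti_cnf/index.html": b"constructed: not part of the owner's uploads",
}


def fingerprint(files):
    """Map each relative path to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def looks_suspicious(path):
    """Hypothetical heuristic (not from the post): the author saw unexplained
    '.vti' files appear before the rollback, so any unexpected path whose
    name contains 'vti' is called out separately for a closer look."""
    return "vti" in path.lower()


def audit_site(local_backup, live_site):
    """Compare the live site against the local master copy.

    Returns a dict with sorted lists of paths that are missing from the live
    site, modified on it, or unexpected (present live but not in the back-up),
    the subset of unexpected paths the heuristic flags, and a 'clean' flag.
    """
    local = fingerprint(local_backup)
    live = fingerprint(live_site)
    missing = sorted(p for p in local if p not in live)
    modified = sorted(p for p in local if p in live and local[p] != live[p])
    unexpected = sorted(p for p in live if p not in local)
    suspicious = [p for p in unexpected if looks_suspicious(p)]
    return {
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
        "suspicious": suspicious,
        "clean": not (missing or modified or unexpected),
    }


def report(result):
    """Render the audit result as plain text suitable for a daily e-mail."""
    if result["clean"]:
        return "Live site matches local back-up."
    lines = ["Live site differs from local back-up:"]
    for label in ("missing", "modified", "unexpected"):
        for path in result[label]:
            flag = "  <-- check this" if path in result["suspicious"] else ""
            lines.append(f"  {label:10s} {path}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_site(LOCAL_BACKUP, LIVE_SITE)))
```

Run daily against a fresh fetch of the live site, a check like this turns "the ISP restored three-week-old data" from something discovered on campaign day into a same-day alert, and it does so without trusting the ISP's own backups or timestamps, only the owner's copy of what should be there.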
