Thursday, January 1, 2015

Blog-Hacking Bingo

Ever have your blog hacked?  I haven't, at least as far as I know.  The closest I've come is having one targeted by one (or more?) of those annoying spam comment spewers, and having to install captchas to filter it out.

However, an associate of mine thought hers had been hacked a few days back.  Our back and forth about it got me thinking about how you'd detect such a thing.

The most important thing is knowing your investigative tools:


Got Google Analytics installed, or something similar?  If not, you should, and not just to troubleshoot weird behavior.  Hopefully you knew this already.  This is one of your key tools in determining if you've been hacked, or if you're just seeing innocent, yet strange, traffic where you don't expect it.

My associate noticed a spike in hits on an unlikely page of her blog, and that made her worry about a virtual break-in.

Now, let's break for a second.  I doubt her website was being attacked, because it is a low-traffic site.  In general, you're not at high risk if you don't have high traffic, because there's not a whole lot to gain by hacking you.  I suppose that adding your server to a bot net might be nice (or using it as a platform to launch more nefarious activities), but it still seems like a lot of trouble to go through.

There's lots of possible innocent reasons you're getting odd traffic behaviors.  Here's what to find the traffic's cause and reassure yourself.

Which Pages

Which pages are getting hit?  Anything special about those pages?  Got a custom form or custom programming on them?  If so, then this could be a vector for attack, especially if someone's trying to do an SQL-injection or other cross-site scripting attack.  If they're straight-up HTML, or a vanilla blog page like any other, chances are good you're safe.

Traffic Sources

Are these direct hits, or did they come from a referrer link?  If there's a referrer, then you have your explanation.  If not, then people could still be coming to your site via E-mail link, bookmark, or a link disseminated by some other media (e.g. paper).  Maybe an English teacher is using your blog in her classroom as an example of crappy writing, and all her students have come to point and laugh.

Count the Users

Are the hits coming from many multiple users or just one?  Multiple users indicates real people, or in the worst case, a bot net (or you're being targeted by the ANONYMOUS Hacker Collective and their legion of rampaging Guy Fawkes imitators).

Browser Variety

How about browsers?  Is there a nice spread-out distribution of browsers, and not just one (e.g. FireFox 4.0.1, IE 12.5.666, etc)?  If there are many, then it's probably innocent.  One browser could indicate a piece a software masquerading as a browser.  All your users could use one version of browser, but that's really unlikely.

Blog Software Vulnerabilities

Are you hosting your own blog, or using a service?  If you're hosting your own blog, you have a lot more to worry about when it comes to securing your site.  In particular, you should make sure you're using the latest version of whatever blogging software you have installed (e.g. WordPress), and keep an eye out for vulnerability notices on the blog software's website.  Make sure you have a decent admin password as well (not the default!).

Custom Software Vulnerabilities

Lastly, do you have custom scripting on your site that is being accessed repeatedly?  If you do, someone could be trying to find a vulnerability in your code.  In particular, that person could be trying to exploit an SQL-injection vulnerability (or other cross-site-scripting vulnerability) you or one of your developers inadvertently coded in.  To avoid this, follow good security practices when developing custom scripts for your site.  Here are some resources that can help out:

There are certainly many possible innocent reasons that you're seeing a strange traffic pattern. Answering some of the questions above might help you figure out what's actually going on.

1 comment: