
Update to "Attacked"

Updated again Monday night, midnight, Oct 4

This post is in reference to Attacked!. I've posted the following update both on that post and here.

One possible way that this attack could have happened is if someone else on my shared web server used a simple php script to read my database username and password. With this information, he or she could have accessed my MySQL database and made changes to the templates. I have sent a request to my web host to address how they handle PHP security. In particular, I was advised to suggest that my web host start using a PHP directive called "open_basedir" to restrict the files that PHP can open. The information on this directive can be found here: http://www.php.net/manual/en/features.safe-mode.php#ini.open-basedir.

I was also advised to suggest to my web host that they consider running Apache from a "chroot jail". More info about that can be found here: http://security.linux.com/security/04/08/05/203238.shtml and here: http://docs.linux.com/documentation/04/05/24/1450203.shtml.

Update midnight Monday evening, Oct 4

Another possibility of how this attack could have happened is that I had several blogs with the link-template-to-file option checked. These files, if they had been changed by someone, would have replaced the templates in my database when I rebuilt the site. These files had 666 permissions, so they could have been changed fairly easily. On the blog or two that didn't have the link-template-to-file option checked, I can't remember if the templates had been compromised or just the files themselves.

I looked up a fragment of the spam code in Google and found that the same spammer has gone after WP, Mambo, YaBB message board, as well as MT. So it looks less like the MT database is a target and more like file systems with loose permissions are targets.

What to do if something like this happens to you

First, contact Six Apart immediately. Get the access logs from your server from about the time, and maybe 24 hours prior to, when you first noticed the attack. Send that information to Six Apart plus details about your MT Installation and server configuration.

Removing the spam code from your templates and rebuilding your weblogs should get rid of the popups.

How to protect yourself from this kind of attack

Make sure you have a back up of your site! (See Backing Up Your Blog.)

If you are on a shared server, make sure that server is running CGIWrap or suEXEC. Follow the steps outlined here regarding the Umask settings on your mt.cfg file.

If you are running CGIWrap or suEXEC, and therefore have the option for additional security that those features allow, it is highly recommended that you set the permissions of your mt.cfg and your mt-db-pass.cgi files to 600. You can only do this if you are NOT doing dynamic publishing. If you are doing dynamic publishing, this setting will give you error messages and your MT install will not work. Also, you must be using CGIWrap or suEXEC to set those permissions to 600. Otherwise, you may lock yourself out of your install.
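The two permission problems described in this post (world-writable 666 template files, and mt.cfg / mt-db-pass.cgi left readable by others instead of 600) can be checked with a small audit script. This is an added example, not part of the original post or of Movable Type; it runs against a constructed sample directory and assumes only POSIX sh and find. Tightening to 600 is only safe under CGIWrap or suEXEC and without dynamic publishing, as the post explains.

```shell
#!/bin/sh
# Audit a Movable Type install directory for the two permission problems
# discussed in the post. Constructed example; the layout is a placeholder.

# List regular files under $1 that any user on the shared host can write to
# (e.g. 666 template files).
find_world_writable() {
    find "$1" -type f -perm -002
}

# Print each credential file under $1 whose mode is not exactly 600.
find_loose_credentials() {
    for name in mt.cfg mt-db-pass.cgi; do
        find "$1" -type f -name "$name" ! -perm 600
    done
}

# Return 0 when both checks come back empty, 1 otherwise.
audit_mt_dir() {
    ww=$(find_world_writable "$1")
    lc=$(find_loose_credentials "$1")
    [ -z "$ww" ] && [ -z "$lc" ]
}

# Remove world-write from every file and set the credential files to 600.
# Only appropriate under CGIWrap/suEXEC without dynamic publishing.
harden_mt_dir() {
    find "$1" -type f -perm -002 -exec chmod o-w {} +
    for name in mt.cfg mt-db-pass.cgi; do
        find "$1" -type f -name "$name" -exec chmod 600 {} +
    done
}

# Build a constructed sample install with the loose permissions from the post.
make_sample_install() {
    d=$(mktemp -d)
    mkdir -p "$d/templates"
    printf 'DataSource ./db\n' > "$d/mt.cfg"; chmod 644 "$d/mt.cfg"
    printf '%s\n' '$db_pass = "placeholder";' > "$d/mt-db-pass.cgi"
    chmod 644 "$d/mt-db-pass.cgi"
    printf '<html></html>\n' > "$d/templates/index.tmpl"
    chmod 666 "$d/templates/index.tmpl"            # linked template, 666
    printf '<html></html>\n' > "$d/templates/archive.tmpl"
    chmod 644 "$d/templates/archive.tmpl"          # already fine
    printf '%s\n' "$d"
}

# Demo on the constructed sample: report what each check finds.
sample=$(make_sample_install)
echo "world-writable:"; find_world_writable "$sample"
echo "credentials not 600:"; find_loose_credentials "$sample"
```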

Check with your webhost to see what measures they are taking to restrict the files that PHP can open. See the measures that were recommended to me above.

Links:
Arvind's post on the same subject

Many thanks to Brad Choate from Six Apart for his time, explanations, help with my understanding of server security, his recommendations for protection, and his links for my web host on better PHP security.