Brian Alvey
-
Hack A Day hacked?
To quote Jason, "Yes, we got hacked." To quote Jay Allen, "It was a simple defacing."
Our oldest web server's FTP ports were not locked down in our firewalls. Not good. Someone ran cracking software, gained FTP access and defaced our sites. All of our other servers which run Engadget, Joystiq, TV Squad and any blog we've launched since January were untouched, but Hack A Day, Autoblog, Luxist, Gadling, Blogging Baby and several others were affected.
Not much left to say besides that we closed the holes on that old server, and I can't wait to migrate everything off of it and decommission it. The new platform has no FTP. All files are managed via web form-based uploads. It's not the easiest way to get a large group of files to the server, but it isn't a hack waiting to happen like IIS's FTP server can be.
Any suggestions on web-based bulk upload tools or SFTP servers and clients? I'd love to hear them.
Now going offline again to continue celebrating seven happy years of marriage...
Comments (26)
Yves 1575 days ago
congratulations! (on the anniversary, not the defacing... ) :)
Jason Striegel 1574 days ago
Congrats on the 7 years!
There's a windows version of openssh that runs on top of a light version of cygwin:
http://sshwindows.sourceforge.net/
Another option is to have a linux or freebsd box that you upload to. This machine then mirrors everything out to your other servers using rsync. It can mount your windows machines via samba/cifs and you can block everything but ssh to the upload machine at your firewall.
Marc Orchant 1574 days ago
Hey Brian - let's talk SSH after your anniversary celebration is over (it's my business after all). Congrats on seven years and thanks for the quick response to fix the defacement and lock down the server. Sorry a script kiddie loser had to pull you away from your fun.
Kurt 1574 days ago
Try WebDAV. Painfully easy to setup in a Windows environment, and not too difficult to integrate into custom code. It's built into every modern OS I know of.
Jason 1574 days ago
Can I have the old server after you decommission it? Haha just kidding... sort-of... Congrats on 7 years, and though the irony of hackaday being hacked is slightly amusing, it's still annoying - I love that site. Have fun with the rest of your celebration.
David 1574 days ago
A Java-based app for bulk uploads is nice. I'm considering developing one myself for one of my sites, not sure how it will go though.
WackyT 1574 days ago
Concerning SFTP clients; FileZilla is great, free, and open source.
http://filezilla.sourceforge.net/
David Eads 1574 days ago
Call it positive reinforcement, call it systems integration: I think the Rsync comment is on-point, as is the WebDav comment. You could set up a border box that has precisely two ports open: 22, for SSH/SFTP, and 443 for Webdav over https. Then, you get secure transfer and chance for review, and you can lock down more services and ports on the servers that run your public side.
Ben 1574 days ago
Second the recommendation for Filezilla. I love it. Works very well and can store all its settings in an xml file, so it's also perfect for a thumb drive.
scott 1574 days ago
Don't try WebDAV as someone else suggested. You're more likely to get hacked that way than if you just left FTP as it was and just switched to more secure passwords. As for ssh/scp on Windows, check out F-Secure's client and server products. That's what we use.
Dan 1574 days ago
You could write up a quick perl script to upload some directories from you. LWP perl for me is my fav.
best part for admin stuff is that you install nothing, clients run a script to upload whatever they want with the same login info they use normally.
I used it to upload some scripts when I was in college for submission for autograding. Tarred up the packages, whipped up a quick LWP Perl script which danced through the HTTP / web auth, cookies, etc., filled out all the submit forms, and hit go. A 4-minute submit became ~10 seconds. Check it out. Spidering Hacks is a good book to start with.
osda0289 1574 days ago
NFS
TxGeek 1574 days ago
Why not just convert the old machine to a Linux or BSD SSH server? Install the samba client and mount a directory for each Windows server for bulk file transfer. Use FileZilla, CoreFTP Lite, or WinFTP Pro to connect to the SSH server and transfer the files the way that is easiest for you.
Ara 1574 days ago
As far as SFTP servers go, OpenSSH has worked great for me. I believe it has a Windows/Cygwin version.
Tek 1574 days ago
SSH is prob. the best choice as you can use it to FTP in a bit more secure way. Next you might add some VPN software and only allow the bulk processing 'puters onto the VPN network. You might install some nice and free IDS software like Snort or something. It will mostly detect kiddie hacks in progress. You also might choose to block logins for a specified period after they used a few bad passwords. And simply use some real good passwords. This will make brute-force hacks a drag. Next... stay up2date and get rid of all the crap (unused daemons/programs) on the server.
So am I done yet? No, 1 more thing:
Congrats on the seven years. On to the next :)
rob 1574 days ago
Why would you use IIS? Why not a Linux-based server? IIS has been highly hackable over the years. I've seen a business's page get hacked, then using some sort of SQL injection, get ahold of a bunch of people's SSNs and such.
Observer 1573 days ago
>but it isn't a hack waiting to happen like IIS's FTP server can be
What a weak stab at IIS when you clearly indicated the firewall was at fault. You should be blaming your network admins...
Christopher Flynn 1573 days ago
SFTP is the way to go. There are a ton of SFTP clients, filezilla is the GUI one I use on windows, PuTTY is a good command line client and of course cygwin. For OS X, there's FUGU, which is a nice GUI. For linux, I mostly just use the command line. OpenSSH for the server and then just open port 22. The other plus side is that if you need access to other ports, you can just use port forwarding and you don't actually have to open them up on the firewall. I do it all the time for my personal webserver from work.
zorkon65 1573 days ago
For real, how much would the server cost? Sorry to hear about the idiot that hacked ya, almost as bad as when half 2 source got stolen.
pete 1573 days ago
Yeah, I'll swear by SFTP. Never set up a server on a Windows box, though. I'll second everyone's motion of setting up a Linux box and rsync'ing or mounting the Windows drives.
run ssh on a non-standard port, only use protocol 2, disallow root logins and set up Allowed Groups to control what accounts can log in and you're about as freakin' secure as you'll ever get.
note, though, that the cygwin client can be finicky about backspaces.
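One way to check a server against the settings pete lists above, as an added example that is not from the post or any commenter: a POSIX sh audit of an sshd_config. The function names and the two sample config files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the post or its comments: audit an sshd_config for
# the settings pete recommends (non-default port, protocol 2 only, no root
# login, AllowGroups). Function names and sample configs are constructed.

# sshd_opt FILE KEYWORD: print the effective value of KEYWORD. Like sshd,
# the first occurrence wins and keywords are case-insensitive; comment and
# blank lines are skipped.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE: print one line per weak setting; return 1 if any found.
audit_sshd() {
    f=$1; rc=0
    case "$(sshd_opt "$f" Port)" in
        ""|22) echo "Port: still the default 22"; rc=1 ;;
    esac
    # Recent OpenSSH only speaks protocol 2 and ignores this keyword, but on
    # an old build a missing "Protocol 2" still allows the weaker protocol 1.
    [ "$(sshd_opt "$f" Protocol)" = "2" ] || { echo "Protocol: not pinned to 2"; rc=1; }
    [ "$(sshd_opt "$f" PermitRootLogin)" = "no" ] || { echo "PermitRootLogin: not 'no'"; rc=1; }
    [ -n "$(sshd_opt "$f" AllowGroups)" ] || { echo "AllowGroups: unset, any account may log in"; rc=1; }
    return "$rc"
}

# Two constructed configs: one with defaults left in place, and one with the
# settings pete's comment describes.
weak=$(mktemp); hard=$(mktemp)
trap 'rm -f "$weak" "$hard"' EXIT
printf '%s\n' '# constructed: defaults left in place' 'Port 22' \
    'Protocol 2,1' 'PermitRootLogin yes' > "$weak"
printf '%s\n' '# constructed: hardened per the comment above' 'Port 2222' \
    'Protocol 2' 'PermitRootLogin no' 'AllowGroups sftpusers webadmins' > "$hard"

for cfg in "$weak" "$hard"; do
    if audit_sshd "$cfg"; then echo "$cfg: passes audit"; else echo "$cfg: FAILS audit"; fi
done
```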
skittles 1573 days ago
http://freesshd.com/
Best free sftp server out there. Or spring for some of the warez ftp servers like ioftpd. These are locked down.
TechnoMage 1570 days ago
You don't say but are you uploading the files from a specific place? If you want to keep FTP up, try limiting the IP ranges that can FTP upload to your computer.
Don Wilson 1442 days ago
Implement a feature in the blog's admin panel that will accept a zipped copy of said changes, in relation to each file's location, and automatically replace said files. Very easy for multi-site changes.
Al Deeb 421 days ago
So what is the story with the Hack a Day site? It's been about 2 weeks and it's unavailable. Did it get lost in the clouds?
Anonymous 420 days ago
Why would someone want to hack hackaday?