As those who still manage to wade through the daily flames on Full Disclosure found out this weekend, the boys over at ZD0 managed to get access to the Administrator account on my blog. They posted the passwd file including the usernames and MD5 password hashes for about a score of users in the latest version of their brag rag, ZD04, and added a post to the site pointing to the newsletter.
It appears they had full access to the blog, which is hosted by a third party, but not to the underlying server, so no other accounts on the server were affected.
On Saturday morning, after I was notified of the hack, I pulled down the blog, removed all permissions to the database and notified the users that their passwords may have been compromised. (A number of the users, at least the last three, appear to have been accounts set up by spammers.) Both my hosting provider and WordPress maker Automattic were contacted. There is no indication that ZD0 had access to other resources. SecurityFocus, owned by Symantec, was notified, even though there is no link between that site and this one.
The big question is, of course, what happened? I contacted ZD0, and they made a grandiose claim that I, frankly, don’t believe, so it won’t be repeated here.
The main possibilities include, in no particular order:
- An unpublished or unpatched flaw in WordPress that they exploited.
- An unpublished or unpatched flaw in PHP.
- The site was compromised by a known flaw before I had installed the latest patch.
- The attackers recovered the administrator password offline, either by cracking the hash or by matching it directly against a hash for my particular password culled from a previous compromise at a different site where I owned an account.
- A misconfiguration in the site allowed the attackers to escalate privileges.
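The fourth possibility rests on a property of unsalted MD5: the same password produces the same hash on every site that stores it that way, so a hash lifted from one breach can be looked up in another without any cracking at all. The script below is an added illustration, not code from the post or from WordPress; the accounts, passwords and the "earlier breach" are constructed for the example, and it assumes the leaked hashes are plain unsalted MD5 (which older WordPress releases did store).

```python
import hashlib
import os


def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password, hex-encoded: the scheme assumed for the
    leaked hashes in this example (older WordPress releases stored exactly this)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed sample data. The accounts and passwords below are invented for
# this example; a real leaked dump would show only the right-hand hashes.
SITE_A_PASSWORDS = {
    "admin": "maple-syrup-1999",   # not in a small wordlist, but reused on site B
    "alice": "password",
    "bob": "Gx7#pLq!v2Rt9wZm",     # strong and unique: survives both attacks
    "spammer1": "123456",
}
SITE_A_DUMP = {user: md5_hex(pw) for user, pw in SITE_A_PASSWORDS.items()}

# A constructed earlier breach of an unrelated site where "admin" reused a password.
SITE_B_DUMP = {
    "admin@example.org": md5_hex("maple-syrup-1999"),
    "other@example.org": md5_hex("hunter2"),
}

SMALL_WORDLIST = ["123456", "password", "letmein", "qwerty", "admin"]


def crack_with_wordlist(dump: dict, wordlist: list) -> dict:
    """Dictionary attack on unsalted hashes: hash each candidate once and look
    every leaked hash up in the resulting table. Returns {user: password}."""
    table = {md5_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def find_cross_site_reuse(dump_a: dict, dump_b: dict) -> dict:
    """With unsalted hashing, equal passwords give equal hashes on every site,
    so a hash already seen (and perhaps already cracked) in another breach
    identifies password reuse without any cracking. Returns {user_a: user_b}."""
    by_hash = {h: user for user, h in dump_b.items()}
    return {user: by_hash[h] for user, h in dump_a.items() if h in by_hash}


def salted_md5(password: str, salt: bytes) -> str:
    """Salted variant, used only to show why salting defeats cross-site matching.
    MD5 remains a poor password hash; a slow, salted scheme (bcrypt, scrypt,
    Argon2) is the real fix, but the cross-site argument is the same."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def reuse_detectable_with_salts(password: str) -> bool:
    """Same password stored on two sites with independent random salts: the
    stored hashes differ, so a hash from one breach reveals nothing about the other."""
    hash_a = salted_md5(password, os.urandom(16))
    hash_b = salted_md5(password, os.urandom(16))
    return hash_a == hash_b


if __name__ == "__main__":
    print("wordlist hits:", crack_with_wordlist(SITE_A_DUMP, SMALL_WORDLIST))
    print("cross-site reuse:", find_cross_site_reuse(SITE_A_DUMP, SITE_B_DUMP))
    print("reuse visible once salted?", reuse_detectable_with_salts("maple-syrup-1999"))
```

Run as-is: the wordlist recovers the two weak accounts, the cross-site lookup flags the administrator account purely because its hash appears in the other dump, and the same check returns nothing once each site salts independently. That last point is why the practical defence against this scenario is a unique password per site, with salted, slow hashing on the server side.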
The damage from the hack amounted to the disclosure of information about people who had registered as users and their password hashes.
Another reporter stated that he believed that the hack of my site supported the proposition that no one on the Web is safe. I would argue, rather, that it shows that security is hard and time consuming. Three of the five possibilities boil down to user error, so it is likely that through an action of mine, the ZD0 hacker rats were able to get access to the site.
If my investigation, or those of my providers, turn up anything, I will post the information here.