In which we explain what happened, and why you saw what you saw

A comment on the last post suggested to us that we explain what happened over the weekend, and why the site went from “fine” to “gone” to “weirdly obsessed with David Brown’s photography” to “fine without comments” to “fine again” since Friday.

The most important point to make, though, is that the “David Brown” phase wasn’t the hack — it was actually part of the recovery.

First, background: The old machine on which this blog ran for much of its life hosted a number of other sites, including our personal site (Nogators.com, which was also the original home of Heathen), the short-lived bachelor-party documentary CarlsGoneWild.com, a wedding site for AubreyandFrank.com, our own wedding site at ErinandChet.com, and a blog for Infernal Bridegroom artistic consultant Charlie Scott at Blog.InfernalBridegroom.com. Two of these sites (ErinandChet.com and Blog.InfernalBridegroom.com) ran a blogging tool called WordPress. This becomes important later.

Now: On our way out of town on Friday afternoon, longtime Heathen Hatch alerted us via email (all hail Treo) that something was askew at Nogators. We don’t look at Nogators very often anymore; most of our efforts are spent on Heathen. Hatch, being Hatch (g,d,r), though, had not updated his bookmarks from the time that Heathen lived at nogators.com/heathen, and so he saw the problem. Basically, some jackasses had replaced the default page of many of the sites on the server with a st00pid “we 0wn yoo” tagger page. (Yeah, these kids are just about the same level of fucktard as the people who spray paint their names on other people’s buildings.) When Hatch saw that, he sent the email.

Once at the airport, I checked the damage, but I didn’t have enough time to do a thorough investigation — I did, however, have time to shut down Apache, the web server through which they most likely gained access. After dinner in Jackson, I was able to put together what happened via some Google searches and sysadmin spelunking. The script kiddies in question used an exploit in WordPress to gain partial control of my server. To brag about their deed, they posted their “tagger” page, but left behind some nastiness for me to clean up. They’d attempted to install a r00tkit (in order to take control of my server later), but their ineptitude made it pretty easy to locate and destroy their trojan. However, since the machine’s OS was outdated and had been compromised, I immediately began the process of migrating all the sites hosted there to another machine. Apache remained down at this point.

Moving takes time. File copying and new server configuration are pretty quick, but DNS changes take about a day. I copied Heathen over first, but made a minor configuration error on the new server that resulted in it responding to requests for MiscHeathen.com with its “default” site instead of this weblog. The default site is DabFoto.com. DABFOTO IS NOT WHO HACKED HEATHEN. DabFoto is the professional site of David Brown, a friend of mine who is providing the new home for Heathen and its companion sites. Far more people, though, saw either no site at all (from Friday through sometime Sunday) or David A. Brown’s photography site (from Sunday until today) than ever saw the tagger page, and since most of you have no idea who David is, it’s reasonable to assume he was the hacker. After all, you punched in Heathen and got him, right? And Chet was saying he’d been hacked, right? Q.E.D., except not.
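The “default site” behaviour described above is how Apache name-based virtual hosting works: when a request’s Host header matches no VirtualHost, Apache serves it from the first VirtualHost defined for that address and port. The post does not say which setting was wrong, so what follows is an added illustration, not the actual configuration of the server in question. The hostnames are the ones named in the post; the DocumentRoot paths and the specific mistake (a ServerName that does not match the requested host) are assumed.

```apache
# Added example, not the original server's configuration.
# Apache 2.x name-based virtual hosts on port 80. DocumentRoot paths are assumed.

NameVirtualHost *:80   # required on Apache 2.2; not needed on 2.4

# The FIRST VirtualHost listed is the default for *:80. Any request whose
# Host header matches no other vhost is served from here, which is why a
# visitor asking for a hostname that nothing claims would see DabFoto.
<VirtualHost *:80>
    ServerName  dabfoto.com
    ServerAlias www.dabfoto.com
    DocumentRoot /var/www/dabfoto
</VirtualHost>

# WRONG (assumed mistake): ServerName/ServerAlias do not cover the hostname
# visitors actually type, so "mischeathen.com" matches nothing and falls
# through to the default vhost above.
#
# <VirtualHost *:80>
#     ServerName  heathen.nogators.com
#     DocumentRoot /var/www/heathen
# </VirtualHost>

# FIXED: claim every hostname the weblog is reached by, including www.
<VirtualHost *:80>
    ServerName  mischeathen.com
    ServerAlias www.mischeathen.com
    DocumentRoot /var/www/heathen
</VirtualHost>
```

Two checks are worth running before the DNS change lands, so the day-long propagation delay does not hide the problem: `apachectl -S` (or `httpd -S`) prints the parsed vhost table and marks which one is the default for each address, and `curl --resolve mischeathen.com:80:NEW_SERVER_IP http://mischeathen.com/` (NEW_SERVER_IP being a placeholder for the new machine’s address) sends the request to the new server with the right Host header regardless of what DNS still says. If the second command returns the photography site, the vhost is still not matching and the fix is in the config, not in DNS.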

At this point, Heathen’s up, and ErinandChet.com will start working sometime in the next 12 or so hours, albeit in a new, green, minimalist presentation instead of via WordPress. Blog.InfernalBridegroom.com will not be coming back as a blog per se, but we WILL provide forwarding from /charlie to Dr Scott’s new Blogger site as soon as it’s up.

Clear as mud?
