In a previous post, part of a series about selecting the right blog platform, I urged you to think if you want to selfhost your blog or not. I revisited the subject, stressing the fact that when you choose for selfhosting, you should be aware of the many things bloghosting platforms like Blogger would do for you, you’d have to do yourself. And that includes a lot of technical stuff. Are you prepared to dive into the technical part of the maintenance of your blog, potentially diverting your attention from writing good contents?

I want to drive the point even further: when you choose to selfhost your blog on a hosting provider, like Godaddy or Network Solutions, there is one more thing to be extra cautions about: hackers.



OK, running any kind of blog, you have to ensure basic password security for your administrator’s account, and not use obvious passwords like “admin” or “password” or “secret” (don’t laugh!), but also the hosting company itself can be vulnerable to attacks, without any of your wrongdoing. And recently, hackers have concentrated their attacks on these companies. I guess their reasoning is “why to concentrate on a single blogsite, if we can attack thousands of sites at once when we attack a single hosting site”…

Recently Godaddy has been a victim of two series of attacks, one on April 27 and a second one on May 1. I was a victim of both attacks for one of my sites. Even though my particular site was running Drupal, and no conventional blogsoftware, most of the affected sites were WordPress blogs. Following several forums on the subject, it seems like thousands of blogs were infected.

While this is not a post about hacking techniques, and what to do to cure hacking attacks, let me describe to you what I went through in discovering and curing the hack so it helps you make up your mind if you really want to go to selfhosting your blog…

When I wake up in the morning, love

On the beautiful morning of April 28th, I woke up and checked some of my sites. One of them is a simple Blogger blog showing the latest posts for Humanitarian News, my mega aggregator of nonprofit news. I noticed the posts were not refreshed, and showed an error in retrieving the RSS feed from the mother site. I use a simple RSS to Java tool, described in this post to generate the posts, so trying to debug the problem using Feedvalidator, I found out the feed from Humanitarian News was seen as invalid. I did not think much of it at that moment, although now I know it was a symptom of a hack.

A few days later, Humanitarian News no longer loaded on my Iphone browser, so I checked it on my laptop, only to find that my site was redirected to a malware site. Darned.

Panic

My instinct told me to check the index.php file, the root of my site. I found one line of code was inserted in the file, which looked like

?php /**/ eval(base64_decode("goobledegoob"))

Thus, panic in the house! Using Filezilla, I checked more .php files, and more, and more. All the same: each had the php one-liner inserted. Darned once more.

I googled the code, and found that the one liner was the actual hack. When browsing the website, users were redirected to the malware site. I knew that I had to act fast, otherwise browsers would soon show this infamous screen, the nightmare for any webmaster:

…and in no time Google would report my site as harmful. So I had to act quickly. It was then 10 pm…

At first, I started to clean up all .php files manually, deleting the intrusive one liner, but soon gave up. Suspecting a vulnerability in Drupal, my CMS, I decided to put the site offline, and reinstall the software from scratch, including all themes and plugins. Luckily, I keep a good track of each of these, for all my sites. It took me about four hours before I had my site back up. 2 am. Sigh, but with a clean site.

Before going to bed, I decided to back up my entire website onto my laptop. A good decision, it seemed afterwards. I also changed the admin passwords, blocked all other user passwords, and changed the FTP password.

Argh, not again?!

On May 1, I saw the same problem popping up with the RSS feed. I checked the index.php file, and exactly the same problem: I was hacked, once more. Again, I put the site offline, and this time, restored the entire site from my backup. Three hours of work.

This time, I googled a bit deeper, and found that indeed, I was not alone. Thousands of sites had been attacked, all hosted on Godaddy, my hosting company! Following some of the forum discussions, it looks like even today, Godaddy blames vulnerabilities of WordPress, although it was soon clear many other sites using different CMS-es were attacked. Mine was only one example, I was using Drupal. Beh.

Selfhosting or not, revisited

While the experts are still trying to analyse how the security on so many sites was compromised, it looks like it is a common and pretty recent problem with hosting companies becoming an easy (it seems) target for hackers. While we have not seen the end of it yet, it does stress the importance of the question: Do I really want to selfhost my blog?

That question is not just related to money, to self-reliance – call it independence – but much more “Do I really have the technical savvy, and the time, to technically manage my site?”. Or in other plain words: Do I want to blog, or do I want to become a webmaster?

Update: 2010 will probably go down in history as the “black year for PHP hosted sites on shared servers”. The 5th wave of hacking is going on as we speak, and the hosting companies are still to work out a way to avoid the hackers to get in. Meanwhile, it is important you check your site for infections several times. If you find the infection, cure it immediately. If not, malware will spread to your visitors.

Picture courtesy HughBriss