A Hack and Recovery – A Tale of Outdated Software

I’m constantly telling people to run the most current version of the scripts on their websites, and there is a very good reason for it.

As well as doing development, I spend a good percentage of my time on rescue missions for websites that have been hacked in some way.

Often the server itself is secure and everything looks great, but the weak link is bad passwords or outdated software installed in the accounts on that server. Either one can quickly and easily lead to a compromise that leaves your personal blog or business website suddenly looking like a gambling den or an adult store.

Running old software is like handing attackers a key. So is a weak password, or a password you reuse in multiple places (I recommend 1Password for stopping that), and you can soon find your online presence facing a very costly repair.

Does this really happen?

A client approached me recently, unable to log in to part of their website. The software was badly outdated and threw errors every time anyone tried to do anything. You would think this would be a simple password reset and upgrade? You’d be wrong.

  • We tried the password reset; that didn’t work.
  • We tried changing the admin password directly in the database; that didn’t work either.
  • Every time we tried to log in, the stored password was automatically changed to the hash of a password we didn’t know (we could watch this happen in the database).

In short, we were never going to get back into this installation the easy way.

At this point a decision had to be made: did we go looking for every line of code that wasn’t standard, or did we try to get back to normal as quickly as possible? We went for the latter.
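If you do take the other route and check the files, the quickest honest answer comes from comparing the installed tree against a pristine copy of the same release rather than reading code by eye. The Python script below is an added example, not code from the original post or from any particular CMS. It assumes you have a clean download of the exact same version to compare against; the "data" directories it skips (uploads, cache, tmp) and the file types it treats as server-side code are assumptions to adjust for your software. Files that differ from or are missing in the release are reported, and any executable file that is not part of the release is flagged wherever it sits, because an uploads directory is exactly where a web shell tends to be dropped.

```python
import hashlib
import tempfile
from pathlib import Path

# File types that execute on the server; an unexpected one is a classic web-shell drop.
CODE_SUFFIXES = {".php", ".phtml", ".js", ".py", ".pl", ".cgi"}
# Directories assumed to hold runtime data rather than release files (adjust per application).
DATA_PREFIXES = ("uploads/", "cache/", "tmp/")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def is_code(rel_path: str) -> bool:
    """True for files the web server would execute or honour as configuration."""
    path = Path(rel_path)
    return path.suffix.lower() in CODE_SUFFIXES or path.name == ".htaccess"


def compare_trees(deployed: Path, pristine: Path) -> dict[str, list[str]]:
    """Report modified, missing, extra and suspicious files in deployed vs. pristine."""
    deployed_hashes = hash_tree(deployed)
    pristine_hashes = hash_tree(pristine)
    report: dict[str, list[str]] = {"modified": [], "missing": [], "extra": [], "suspicious": []}

    for rel, digest in deployed_hashes.items():
        if rel in pristine_hashes:
            if digest != pristine_hashes[rel]:
                report["modified"].append(rel)
        elif is_code(rel):
            # Executable code that is not in the release: backdoor candidate wherever it lives.
            report["extra"].append(rel)
            report["suspicious"].append(rel)
        elif not rel.startswith(DATA_PREFIXES):
            report["extra"].append(rel)
        # Otherwise: a non-code file in a data directory, expected to differ from the release.

    for rel in pristine_hashes:
        if rel not in deployed_hashes:
            report["missing"].append(rel)

    return {key: sorted(value) for key, value in report.items()}


def _write(root: Path, rel: str, content: str) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content)


def run_demo() -> dict[str, list[str]]:
    """Build a constructed pristine/deployed pair in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine = Path(tmp) / "pristine"
        deployed = Path(tmp) / "deployed"
        # Constructed sample release: three files, nothing real.
        release = {
            "index.php": "<?php require 'lib/auth.php';\n",
            "lib/auth.php": "<?php function check_login($u, $p) { return verify($u, $p); }\n",
            "assets/style.css": "body { margin: 0; }\n",
        }
        for rel, body in release.items():
            _write(pristine, rel, body)
        # Deployed copy: auth.php has an appended line, style.css is gone,
        # uploads/ holds a legitimate image and a PHP file that should not be there.
        _write(deployed, "index.php", release["index.php"])
        _write(deployed, "lib/auth.php", release["lib/auth.php"] + "// appended by unknown party\n")
        _write(deployed, "uploads/photo.jpg", "constructed stand-in for an image file\n")
        _write(deployed, "uploads/.cache.php", "<?php /* constructed placeholder for an unexpected file */\n")
        return compare_trees(deployed, pristine)


if __name__ == "__main__":
    for category, files in run_demo().items():
        print(f"{category}: {files}")
```

A file comparison like this only finds changes on disk. It will not see a backdoor that lives in the database (a rogue admin account, a modified setting, injected content), which is why the database still has to be audited separately even when the files come up clean.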

We installed a much newer version of the software (two years newer), connected it to the old database and ran the database upgrade (which took over an hour because of the number of fake/spam accounts that had been registered), but finally we brought the website and scripts back up.

We then:

  • Scanned the database multiple times for anything out of the ordinary.
  • Deleted old and unknown admin users.
  • Changed the admin passwords.
  • Deleted unknown users and anything that looked spammy.
  • Performed routine maintenance on the database.
  • Ran a Sucuri site scan.

This all took a few hours, but that is far less than if we’d had to check every file. It isn’t a decision to take lightly: you will often lose any file modifications you have made, but at least if your data is in a database you still have all of that, assuming the database wasn’t tampered with as well.

So, please, please, run the updated versions of your scripts. Follow your technical team’s advice and keep your passwords and scripts secure!
