Category Archives: security

guess who got hacked

Night Work

Let me tell you about that time my site got hacked.

Once upon a time I received this email from Google. Now when Google emails you, you usually pay attention, even if it’s a bot. Those guys know their stuff.
The email told me that my site was possibly hacked because it was suddenly feeding spam when the Google bot was passing by.
The reason I got this email, by the way, is that I use Google’s free webmaster tools. That way they know my site has behaved nicely over the years, so when it suddenly started spewing spam, they knew something bad was up.

The scary part is that this only happened when Googlebot was munching my pages. Not when I or any other human passed by with a browser. So in other words, I didn’t have a clue.
Because it was quite the mystery, I checked my web folder and found a few suspicious files and folders in there. Suspicious, because I never put them there.

I found a folder named “coockies”, an unknown common.php, session.php and coockies.txt file. My .htaccess file was also changed. All php files and the .htaccess had the same timestamp. I compared my complete WP installation with the original installation files to be sure no other files were modified, and none were.

The folder seemed to contain files with file names resembling URIs of my blog posts. The content was unreadable and appeared garbage. I’m guessing it was an encoded version of the spam my site was feeding Google.

At first I thought my WP blog was hacked, but the entry point was simply the modified .htaccess file. It contained a few new rewrite rules which checked the user agent of the incoming request, and if that matched any of the major crawlers, it would redirect to the new php files, which would feed the spammy content.
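A check for exactly this kind of cloaking rule, added here as an example and not taken from the post: it scans .htaccess text for a RewriteCond on the user agent that names a search crawler and is followed by a RewriteRule handing the request to a PHP script. The sample .htaccess below is constructed to resemble the rule described, not the author’s real file.

```python
import re

# Constructed sample: a normal WordPress .htaccess with one injected
# cloaking rule (modelled on the post's description, not the real file).
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|yahoo|slurp) [NC]
RewriteRule ^(.*)$ common.php?u=$1 [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Crawler names that a cloaking rule typically matches on.
CRAWLER_WORDS = ("googlebot", "bingbot", "slurp", "yahoo", "msnbot", "yandex", "baidu")


def find_crawler_cloaking(htaccess_text):
    """Return (line_no, RewriteCond, RewriteRule) for every RewriteCond on
    HTTP_USER_AGENT that names a crawler and whose guarded RewriteRule
    sends the request to a .php script. An empty list means nothing found."""
    findings = []
    lines = htaccess_text.splitlines()
    for i, line in enumerate(lines):
        cond = line.strip()
        if not cond.upper().startswith("REWRITECOND"):
            continue
        if "HTTP_USER_AGENT" not in cond.upper():
            continue
        if not any(w in cond.lower() for w in CRAWLER_WORDS):
            continue
        # The rule guarded by this condition is the next RewriteRule line.
        for j in range(i + 1, len(lines)):
            rule = lines[j].strip()
            if rule.upper().startswith("REWRITERULE"):
                if re.search(r"\.php", rule, re.IGNORECASE):
                    findings.append((i + 1, cond, rule))
                break
    return findings


if __name__ == "__main__":
    for line_no, cond, rule in find_crawler_cloaking(SAMPLE_HTACCESS):
        print("line %d: %s -> %s" % (line_no, cond, rule))
```

Run it against a copy of your own .htaccess (read the file and pass its text); the stock WordPress rules in the sample produce no finding, only the injected pair does.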

Cleaning up turned out to be rather easy.
I deleted all the new files, restored my old .htaccess file (hurrah for backups) and changed my site passwords just to be sure.

The fishy thing about all this is that I’m still not sure how these files got on my system (hence the password changes). The timestamp on the files seemed to point to the moment I last ran a WP and plugin update on my site. Maybe it was pulled in with a compromised plugin, but there is no way to tell which one it could have been. Another option is a compromised FTP account, but that password was already random before I changed it so that seems unlikely. I still changed it to a random and longer one to be sure.

I also took some extra defensive measures to try to avoid this kind of hack in the future, but that’s for another post.

Photo by Thomas Heylen, cc-licensed.

how to protect your privacy online

Who Are You Looking At?

With the whole NSA PRISM storm blowing over the internet I thought it would be nice to compile a list of free and open source software I know that can help in safeguarding your privacy as an alternative to proprietary software or online cloud services which are not to be trusted with your personal data.

Hosting everything yourself is one way to go like the folks at suggest, but it isn’t free as it will a) cost you some money and b) usually take quite some time to set everything up. Not everyone has the technical knowledge to do this either, so a list of open source software and trustworthy services for the masses would be great.

Turns out is just that kind of list, so that saves me the trouble of compiling it myself. Nice. Here’s another one with mostly the same items on it. Mostly.

Photo by Caneles, cc-licensed.

securely wiping your hard drive without dban


Well if DBAN doesn’t cut it for some reason there’s always a more native Linux way to do this.

Step one is getting a Linux live CD, DVD or USB stick and boot from that. I used the Debian Live CD myself, which boots into character mode so you don’t end up with XServer not getting your video settings right.

Once you’re in a shell, you can use the shred command to wipe your HD’s data by overwriting it a number of times with random data. I found that out by reading a post by a lad named Jason on the topic, which was a nice help. I only had to add the “sudo” call in front of the command to actually allow it to get write access to the disk on Debian.

First figure out what partition/drive you want to wipe by running:

cat /proc/partitions

Then, in my case, I had to run this to wipe sda:

sudo shred -fvz -n 6 /dev/sda

The -fvz basically means: [f]orce write permissions, [v]erbose output so you can see the wiping progress, and write [z]eros on the last pass to hide the wiping. -n 6 tells it to do 6 passes of random data writing.
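To see what those flags do without touching a real disk, here is an added example (not from the post) that runs the same shred invocation against a throwaway file and then verifies the final zero pass actually left only zeros. It assumes GNU coreutils, as on the Debian live CD.

```shell
#!/bin/sh
# Added example: exercise `shred -fvz -n 6` on a file, then verify the result.
# Note from shred's own documentation: in-place overwriting only works when
# the device writes the same physical blocks back; it is not a reliable wipe
# for SSDs or journaling/copy-on-write file systems.

# Create a 1 MiB file of random bytes standing in for /dev/sda (constructed).
make_target() {
    head -c 1048576 /dev/urandom > "$1"
}

# Count non-zero bytes; 0 means only zeros remain after the -z pass.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Same flags as the post: force write permission, verbose progress,
# 6 random passes, final zero pass. Returns non-zero if verification fails.
wipe_and_verify() {
    shred -fvz -n 6 "$1" || return 1
    [ "$(nonzero_bytes "$1")" -eq 0 ]
}

demo() {
    f=${TMPDIR:-/tmp}/shred-demo.$$
    make_target "$f"
    echo "non-zero bytes before: $(nonzero_bytes "$f")"
    wipe_and_verify "$f" && echo "non-zero bytes after: $(nonzero_bytes "$f")"
    rm -f "$f"
}
```

Call `demo` to watch the six verbose passes and the zero count; on a real device you would replace the file path with /dev/sdX and skip the rm.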

Using DBAN is still the easier way to get this done, but if that’s causing you trouble you can use this as a backup wiping measure.

Photo by Hugo Chinaglia, cc-licensed.

things I learned from hacking my own wifi access point


I read this article recently on how this guy hacked his neighbour’s WIFI access point relatively easily. After that I wondered how easy it would be to crack my own WIFI network because my password wasn’t all that complex. In fact, it even has some dictionary words in it. So I got me a copy of BackTrack 5, got up to speed on hacking tools like airodump-ng, aircrack-ng, John the Ripper (love that name) and started cracking.

Here’s what I learned:

  • Getting enough data from a WPA encrypted WIFI access point to start hacking on far away from the crime scene takes only a few minutes if you know what you’re doing.
  • To get access to your WIFI network interface you need to run BackTrack on the bare metal. Running it as a virtualized guest OS in VMWare doesn’t expose your WIFI interface as WIFI. Booting the OS from a USB disk did the trick for me.
  • Don’t save files in /tmp/ on Ubuntu if you plan to reboot. They will get wiped when you reboot. *facepalm*
  • John The Ripper and aircrack-ng exist for Windows as well. Hacking away with the native versions seriously increases your hack attempts per second (800 vs 2700 on my machine) instead of running them in a virtual box. I know this is obvious because you’re running on the native OS, but I just assumed those tools were Linux only at first. Silly me.
  • John the Ripper has its brute force limit set to 8 characters at compile time. That means that it’s a bit harder to get hacked if you have a 9 character password because you have to recompile or use the external modes. I ended up using the external modes.
  • Brute forcing a WPA packet for a 9 character password takes ages. Literally! It ran for hours and it didn’t even get close to finishing. At 2700 attempts per second with a 9 character password combining numbers, upper- & lower-case characters it would take about 872 years to find all possible combinations. And that’s if you use 100 laptops like mine (Intel i7 2Ghz) simultaneously. Ouch.
  • There’s a bunch of word lists out there containing commonly used passwords. If your password is in one of those lists, chances are it will be found in no-time (2700 passwords per second remember). So it’s a good thing to make that password as random as possible.
    The free lists you find online are supposed to be of lesser quality. If you’re willing to shell out a few bucks however, you can get bigger and higher quality lists. Still, this proves that having a good randomized password is pretty important.


My WIFI password is harder to crack than I thought. Yet I’m going to change it to something more random because, while those dictionary words are not in the current frequently used password lists right now, they could end up in there in the near future. For all I know it’s already in some password list I didn’t see.

Photo by g. tavmen, cc-licensed

how to figure out if a site is a scam

All right, everybody be cool, this is a robbery!

I was looking into getting some ebooks so I googled around a bit and something came up that was offering a nice deal. In fact, it was so nice that a little warning indicator popped up in my brain. It was looking a bit too good to be true, you know, the typical signs of a scam: if it’s too good to be true, it usually is.

Then I read the conditions and apparently you had to pay upfront before you could buy a book. Hmm. More warnings popped up.

So how do you determine if a site is a scam? Well, googling the name might help and turn up some warnings. But it didn’t in my case. That search however did turn up one thing by chance. A site that calculates the ranking of this ebook scam site gave me links to similar sites. When I opened one of them, it turned out it had the same layout. In fact, it was a clone of the original site hosted on a different domain.


So how many more domains like that are there? I tried a few google tricks and finally struck gold by copying a line of text from the site’s privacy policy, surrounding it with quotes to have The Google search for that exact piece of text. If that line is unique enough, it should only turn up a single website. Or websites that copied the same text. Or complete clones of the website as in this case.

The result? Google turned up a huge list of sites hosting the exact same content under a ton of different domains, sometimes with a different layout theme or logo. But plain copies nonetheless.


Picture by Alex Abian, cc-licensed.

how not to get your accounts hacked online


Easier said than done is one of those expressions that applies nicely to managing your online account passwords.
The rules are, as said, rather simple:

1. Use a complex password.
2. Do not reuse your password for multiple sites or services.

A password like “pqu9ijLrFcDvmiphXRGo” is super-secure, but it’s pretty damn hard to remember too. Let alone using a different complex password on every site you use.

But unfortunately, it’s pretty damn necessary if you look at the recent Dropbox account “hack” for example, which was possible because a password was reused from another hacked site.
LinkedIn, Gamigo, eHarmony, Sony, WordPress, and just this week Blizzard. They all got hacked at some point and all of them requested their users to change their password asap.

If you were on any of these sites and you have reused your password at other places… well, you should change those too.
When all your passwords follow a recognizable pattern, well… hackers can figure that out too. Even if only the hashed value of your password was dumped online (on pastebin, for example), any password can be found given enough computing time.
If you are using dictionary words in your password, you’d be surprised how little time it actually takes. Oh and those smart tricks like replacing some letters with numbers? Modern hacking tools like John The Ripper know those as well.

How do we go about those 2 golden rules then? Well, how about letting the computer do the remembering for us? They’re good at that kind of stuff!

Here’s how you can do that:

1. Use KeePass Password Safe to store & manage all your passwords (download here).
2. Have it generate a unique & random password for every site/account you sign up for.
3. Create a good, complex, yet easy to remember master password to protect the KeePass database.
4. Synchronize the KeePass DB with all your devices using something like DropBox’s cloud storage.

Now you don’t have to remember any of those passwords, except that one very important one. Thanks to the sync you can reach your KeePass database from all your machines & devices (Windows, Mac, Linux & Android at least for DropBox).

There are a few exceptions where I picked my own password instead of an auto-generated one. Again it’s something easy to remember, yet hard to guess or crack. I do that for my Google account for example, so I can use that from anywhere without needing access to my KeePass DB. Just to be on the safe side that one has two-step verification on it as well.
Few accounts deserve this exceptional privilege however, so I use it sparingly.

Be safe!

Photo by grittycitygirl, cc-licensed.