Vincent Ritter

On Saturday afternoon, whilst out and about enjoying the sunshine, I received an alarm for a client website being down. I monitor all sites I run, so nothing goes unnoticed for too long.

Seems there was a security vulnerability on a CMS system, allowing someone to… well… change stuff in the root folder of the client project. URGGGHHHH.

I am happy that I still run Transmit on iOS so I could log into it and check what is going on. Very clever stuff. I also cross-referenced this with activity I could see using Cloudflare.

I put the site in “Under Attack” mode on Cloudflare, just to slow these people down. This was a nicely distributed attack so I couldn’t just block a single IP.

It didn’t stop them from trying though. So I decided to just remove port 80 and 443 from being accessible. I also added a block rule in Cloudflare for the specific HTML folder they managed to put into there. Those pages were just redirects… to some random crap. Anyway, they stopped after they probably noticed that I was onto them within a few minutes of them trying this.

Cloudflare doesn’t expose my server address. SSH is secured to only very few addresses, so you would have to physically be in the same room as me and at my machine. I see no evidence of SSH attempts (except the usual crapshoot that some idiot tries all the time), so that’s nice.

With me blocking access, I went home to try and deal with the mess to bring back the server and site...

I can see they renamed the environment file, so I suspect they had access to some secrets in that file if they could read it - I reset everything and anything, for every account that may have been on the machine - just in case.

Shame it took over the Saturday afternoon and evening… didn’t plan on this at all.

This attack reminded me of the shitstorm that WordPress is. The problem being, this wasn’t a WordPress site 😔

I’m tempted to rethink my own needs for a CMS in future… Flat file might be the way again. The client site in question will move away from me this week anyway… so I am not concerned with having to deal with this kind of problem again.

I am still proud of the way I handle my servers and security of all my sites and data. This was just some random exploit that just happens to have been on the website - completely out of my control.