Stats – 404 Not Found – interesting findings

It’s amazing what you learn by looking closely at website statistics. If you have read more about this blog, you will know that I was badly hacked last month and had to rebuild my website. I concluded that my self-hosted blog running on WordPress had been the backdoor in for the hackers as all the symptoms were replicated on other websites that were run on WordPress.

I moved my blog to wordpress.com, who host it and keep it up to date and, hopefully, safer from intrusion.

I was looking through my new website statistics this morning and thought, “That’s a lot of 404s.” 404 is the code for a page that is not found when someone directly asks for it. With a new website structure, I would expect quite a few 404s from people who may have now out-of-date files bookmarked on their browsers. If these were all cases like that, I was frustrating a lot of people.

Many of the 404s came from tiny graphic files that I had stripped out of the site design. I’d not stripped them out of the CSS though, which is still calling for the files when you enter any of my pages. That should sort out a lot.

But woah! 91,627 attempts to reach a file called /wordpress/wp-includes/Text/update.php. That must be the vulnerable file in the setup I had at the time I was hit. I’ve had a further 1225 requests for my old WordPress login page, so someone must be trying to get in manually.

Then I had 1135 requests for /Contact/files/paypal/cgi-bin/webscrcmd=_login-run/webscrcmd=_account-run/updates-paypal/confirm-paypal/Thanks.htm. I don’t know if that string of letters means anything to you? It does to me. The guys who hacked me were running a spoof PayPal site on my site. When you get those annoying emails from PayPal saying that you need to change your pin number or whatever, it is false sites like these that you are sent to.

How was I supposed to know where to find it? It was hidden away in a most innocuous folder. All I knew was that my ISP shut me down for suspicious behaviour. Whatever I did they got back in. Somehow, they had got their own account on my site control panel and could do what they liked.

Looking at my referrer stats, I can see some very strange sites sending people to my site. They are Middle Eastern hackers’ sites. My site is written up there as having been hacked, open and available. They are still sending people to me and no doubt they are still trying to hack their way in. What did I ever do to upset them?

But that’s the point, I’ve done nothing to upset them. They don’t care a toss. They might fly under some bogus cause, but really they are just callous criminals, using any site they can crack into to steal money from the unsuspecting.

It’s amazing the story a few lines of code can tell. A bit CSI, eh?
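
The 404 triage described in this post, written out as an added example (not the author's code): it sorts 404 requests from an access log into the three kinds the post identifies, so leftover design files can be told apart from probing. The Combined Log Format input, the regex rules and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Request and status fields of a Combined Log Format line (assumed input format).
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')

# Categories come from the post; the patterns are this example's assumptions.
RULES = [
    ("phishing-kit remnant", re.compile(r"paypal|webscr", re.I)),
    ("wordpress probe", re.compile(r"/wp-(?:includes|admin|content)/.*\.php$|/wp-login\.php$", re.I)),
    ("missing static asset", re.compile(r"\.(?:gif|png|jpe?g|ico)$", re.I)),
]

def classify(path):
    """Label a requested path; the query string is ignored."""
    path = path.split("?", 1)[0]
    for label, rx in RULES:
        if rx.search(path):
            return label
    return "other"

def triage_404s(lines):
    """Return {category: Counter(path -> hits)} for 404 responses only."""
    buckets = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group(2) == "404":
            buckets.setdefault(classify(m.group(1)), Counter())[m.group(1)] += 1
    return buckets

def totals(buckets):
    """Hits per category, for a quick overview."""
    return {label: sum(c.values()) for label, c in buckets.items()}

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE = [
    '192.0.2.7 - - [01/Jan/2000:09:00:01 +0000] "POST /wordpress/wp-includes/Text/update.php HTTP/1.1" 404 320 "-" "-"',
    '192.0.2.7 - - [01/Jan/2000:09:00:02 +0000] "GET /wordpress/wp-includes/Text/update.php HTTP/1.1" 404 320 "-" "-"',
    '198.51.100.4 - - [01/Jan/2000:09:01:10 +0000] "GET /wordpress/wp-login.php?redirect_to=%2F HTTP/1.1" 404 320 "-" "-"',
    '203.0.113.9 - - [01/Jan/2000:09:02:00 +0000] "GET /Contact/files/paypal/cgi-bin/webscrcmd=_login-run/webscrcmd=_account-run/updates-paypal/confirm-paypal/Thanks.htm HTTP/1.1" 404 320 "-" "-"',
    '203.0.113.20 - - [01/Jan/2000:09:03:00 +0000] "GET /images/corner-tl.gif HTTP/1.1" 404 320 "-" "-"',
    '203.0.113.21 - - [01/Jan/2000:09:03:05 +0000] "GET /images/corner-tl.gif HTTP/1.1" 404 320 "-" "-"',
    '203.0.113.22 - - [01/Jan/2000:09:04:00 +0000] "GET /books/old-page.html HTTP/1.1" 404 320 "-" "-"',
    '203.0.113.22 - - [01/Jan/2000:09:04:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for label, paths in triage_404s(SAMPLE).items():
        print(label, paths.most_common(3))
```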
