Monday, April 20, 2020

I've been hacked

Isn't anything sacred?

My personal website at https://www.mathenge.ca is under siege. Hackers have broken into the server, and there's nothing that I can do about it.

The website is based on Drupal 7. And that's not the issue, per se. The problem is the underlying scripting language, PHP.



I've been hacked before. I've had viruses on my computer also. I've dealt with them swiftly. After all, I consider myself an I.T. guy. But this particular hack comes at a friggingly inconvenient time.

It's taken me a really long time to build up that website. I've had to learn how to use Drupal. Spent countless hours finding and configuring a theme. Frankly speaking, it would have probably been easier doing this the hard way - using Notepad and hand-written code.

And then there's the content.

Oh lordy, all that content. Stuff that I'm passionate about. Some tutorials that I've written. Essays. Stories. And even some touchy-feely stuff.

They said that the cloud would be safe. If your laptop, or home computer, crashed, you'd have nothing to cry about. It would all be safe in the cloud.

That's what they said.



And I preached this constantly. Put your shit in The Cloud. Put all your shit in the Cloud. Leave nothing on your laptop, or desktop computer. Put it all away - in the Cloud. What on earth are you doing with all that storage on your laptop? Who in today's world needs a terabyte of data close at hand? When you can have a petabyte in The Cloud?

End of Rant

Now that I've gotten that off my chest, I still think that the Cloud is great. This was all my fault. I thought I'd have the time to take care of the details of hosting my own website. Updating the software. Keeping the content current. And keeping the hackers at bay.

Update, update, update.

Apple and Microsoft realised this eons ago. And now Mac and Windows computer updates are automatic. Don't trust the end user to apply updates. Wait till they go to sleep, and then update their software. When they wake up in the morning, they'll thank you for it.

But I’m an I.T. guy, so I did what I.T. guys do. I bought my own hosting plan from GoDaddy, installed my own web software, configured it and built my website. From scratch. With my own two hands. And, in typical I.T. guy fashion, didn’t ask anyone for advice or help.

And the website was working fine. I was able to add lots of content, when I had the time. And when I remembered, I would also update the website software. What I.T. guys call the backend. With security updates. I wasn’t constantly watching over the website like it was a baby. Somewhere in the back of my mind, I didn’t think that anyone in the world would be interested in taking a look at what I was doing. Why hack me? I have nothing that you want.

I was wrong.

And it was somewhere in that moment of not looking that I got hit. I cannot recall the exact date, but one day I tried to login to my website and it wasn’t there. Just a blank white page.



I don’t recall panicking. I don’t recall any feelings of frustration. I actually don’t recall anything other than bland curiosity. Hmm, a blank page. I wonder what that means?

And after some time, it occurred to me to check the backend.



Drupal is software for building websites. It’s made up of a bunch of files sitting in a folder (called the filesystem), and data that’s stored in the database. I’ve never really bothered to inventory all the files, so I couldn’t tell if there was a problem. And if the issue wasn’t so glaring, I probably wouldn’t have found it.

I discovered that the main Drupal launch file, a file named index.php, had been tampered with. The details of the tampering are the content of a different post. However, suffice it to say that getting the files on the filesystem back to their original state was quite easy. All I had to do was download a squeaky clean copy of the latest version of Drupal. Delete all my Drupal files (except a couple of files with site settings). And then copy the new files to effectively replace the deleted ones.

And my baby was back.

But not for long.

Barely a few days later and the index.php file was corrupted again. And I went through the same motions to clean it. And it happened again. And I cleaned it again. And again. And again. And again.

Curiously, after some time, even with some corruption, the website continued humming along. I could still login, create new content, and save it successfully.
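The inventory problem above (not knowing which of Drupal's files had been touched, and index.php being re-corrupted days after each clean-up) is exactly what a file integrity check answers. This is an added example, not code from the original post: it hashes a clean download of the same Drupal release and the live site tree, then reports modified, added and missing files, skipping site-specific paths (settings.php and the uploads folder, which are assumptions here). The file contents in the demo are constructed.

```python
# Added example, not code from the original post: compare a live Drupal tree
# against a clean copy of the same release and report modified, added and
# missing files. All paths and file contents below are constructed.
import hashlib
import os
import tempfile

# Site-specific paths that legitimately differ from the clean download (assumed).
IGNORE = {"sites/default/settings.php"}
IGNORE_PREFIXES = ("sites/default/files/",)

def hash_tree(root):
    """Map relative path -> sha256 hex digest for every file under root."""
    hashes = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in IGNORE or rel.startswith(IGNORE_PREFIXES):
                continue
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare_trees(clean_root, live_root):
    """Return (modified, added, missing) relative paths, each sorted."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    modified = sorted(p for p in clean if p in live and clean[p] != live[p])
    added = sorted(p for p in live if p not in clean)
    missing = sorted(p for p in clean if p not in live)
    return modified, added, missing

def write(root, rel, data):
    """Helper for the demo: create rel under root with the given text."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(data)

def demo():
    """Constructed trees: a clean core download and a tampered live copy."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            write(root, "index.php", "<?php\nrequire_once 'includes/bootstrap.inc';\n")
            write(root, "includes/bootstrap.inc", "<?php\n")
        write(live, "sites/default/settings.php", "<?php\n$databases = array();\n")  # ignored
        write(live, "index.php", "<?php\n/* constructed: line not in the release */\nrequire_once 'includes/bootstrap.inc';\n")
        write(live, "misc/stray.php", "<?php\n")  # file the release never shipped
        return compare_trees(clean, live)
```

Run compare_trees against the real site on a schedule (or after each clean-up) and any non-empty result is the signal to look closer; a modified index.php reappearing points to an entry the file replacement alone does not close, such as the database, an admin account or the hosting platform itself.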

It wasn’t entirely my fault

I said this earlier, it wasn’t entirely my fault. It wasn’t. GoDaddy shares some blame in this too. Apparently, the hosting plan that I have was deprecated. GoDaddy was encouraging existing clients to upgrade to other hosting plans, and this specific hosting plan was not being sold to anyone.

But GoDaddy also wasn't forcing their clients off this old, buggy, full-of-security-holes platform. As long as you were an existing customer, paying your annual subscription, GoDaddy was happy to keep you on that old plan, and let you bear the consequences for that action.

Most importantly, GoDaddy stopped upgrading the version of PHP on this server. And I suspect the database software also. As of this writing, PHP is at version 7.2.30. And the version installed on my hosting plan is 5.3.13.

... beware, boring numbers coming up ...


So how many updates have I missed?

PHP version    Final patch release    Missed updates
5.3            29                     16
5.4            45                     46
5.5            38                     39
5.6            40                     41
7.0            16                     17
7.1            33                     34
7.2            30                     31
7.3            17                     18
7.4            5                      6

The current PHP version, as I write this, is 7.4.5. And so I’ve missed a whopping 248 updates. From 8 May, 2012, when version 5.3.13 was released. That’s almost eight years ago. Close to three thousand days.



No wonder I got hacked.

But I found a solution - well, it seems to be working for now. My gratitude to the owner of https://www.evagabond.me/2018/05/clean-fixed-hacked-drupal-site.html.

It's been about 24 hours since I followed the advice on that website, and so far, so good.

And the next step is to move from the current hosting to a plan that can be updated. And get away from Drupal. Maybe join the dark side and use WordPress. Ugh.
