The other day, this showed up in my e-mail:
A file change was detected on your system for site URL https://dfarq.homeip.net. Scan was generated on Tuesday, November 3rd, 2015 at 5:25 am
A summary of the scan results is shown below:
The following files were removed from your host:
/var/www/wp-content/cache/supercache/dfarq.homeip.net/wordpress/index.html (modified on: 2015-11-03 03:23:52)
======================================
The following files were changed on your host:
/var/www/wp-content/themes/twentyfourteen/functions.php (modified on: 2015-08-19 22:24:04)
/var/www/wp-content/themes/twentyfourteen/header.php (modified on: 2015-08-19 22:24:04)
======================================
Login to your site to view the scan details.
I didn’t make those changes. Fortunately, when changes you didn’t make show up in a theme’s functions.php and header.php, cleaning them up is pretty easy. Don’t read too much into the "modified on" dates, though: whoever can write a file can also set its timestamp, so the August dates don’t tell you when the files were really altered, only that the scanner’s stored hashes no longer match.
First, log into your site’s dashboard and go to Appearance -> Themes. If you have more than one theme installed, switch to a different one by clicking it and then clicking “Activate.” If not, click “Add New Theme,” install any other theme, and activate it.
Note the name of the hacked theme. Click on it, then click “Delete.” Next, click “Add New Theme,” search for the theme you just deleted, install it again and re-activate it. Deleting and reinstalling replaces every file in that theme directory with a fresh copy from WordPress.org, so it also removes anything in the theme that the scanner didn’t list. It does nothing for plugins, uploads or WordPress core, so check those separately.
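The e-mail above came from a file-change scanner that compares stored hashes against what is on disk. Here is a minimal version of that check, written as an added example for this page rather than taken from the author’s site or from any WordPress plugin: it records a hash manifest of a wp-content tree, then re-scans and reports removed, added and changed files. The directory layout, file contents and injected text are constructed for the demo, and the simulated attacker backdates the edited files with `touch -t` to show why the comparison is done on hashes rather than modification times.

```shell
#!/bin/sh
# Hash-based file-change detection for a WordPress tree (added example).
# Everything under the mktemp directory is constructed for the demo.

# Pick a SHA-256 tool: GNU coreutils ship sha256sum, BSD/macOS ship shasum.
if command -v sha256sum >/dev/null 2>&1; then
  hash_file() { sha256sum "$1"; }
else
  hash_file() { shasum -a 256 "$1"; }
fi

# hash_tree DIR: print "<sha256>  ./relative/path" for every regular file,
# sorted by path so two manifests can be compared line by line.
hash_tree() {
  ( cd "$1" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
      hash_file "$f"
    done )
}

# compare_manifests BASELINE CURRENT: classify each path as removed, added
# or changed. Only hashes are compared; mtimes are ignored on purpose,
# because anyone who can write a file can also set its timestamp.
compare_manifests() {
  awk 'NR == FNR { base[$2] = $1; next }
       { cur[$2] = $1 }
       END {
         for (p in base) if (!(p in cur))                       print "removed " p
         for (p in cur)  if (!(p in base))                      print "added   " p
         for (p in cur)  if ((p in base) && base[p] != cur[p])  print "changed " p
       }' "$1" "$2" | LC_ALL=C sort
}

# demo: build a tiny wp-content tree, record a baseline, then simulate the
# incident from the e-mail: two theme files edited, one cache file removed,
# and the edited files' timestamps reset to an old date.
demo() {
  tmp=$(mktemp -d)
  site="$tmp/wp-content"
  theme="$site/themes/twentyfourteen"
  mkdir -p "$theme" "$site/cache"
  printf '<?php // clean functions.php\n' > "$theme/functions.php"
  printf '<?php // clean header.php\n'    > "$theme/header.php"
  printf '<html>cached page</html>\n'     > "$site/cache/index.html"
  hash_tree "$site" > "$tmp/baseline.txt"

  # Simulated attacker activity (constructed, not real injected code).
  printf '/* injected spam link */\n' >> "$theme/functions.php"
  printf '/* injected spam link */\n' >> "$theme/header.php"
  rm "$site/cache/index.html"
  # Backdate the mtimes to 2015-08-19 22:24:04 (POSIX touch -t CCYYMMDDhhmm.SS).
  touch -t 201508192224.04 "$theme/functions.php" "$theme/header.php"

  hash_tree "$site" > "$tmp/current.txt"
  compare_manifests "$tmp/baseline.txt" "$tmp/current.txt"
  rm -rf "$tmp"
}

demo
```

Running it prints two `changed` lines for the theme files and one `removed` line for the cache file, even though `ls -l` would show the theme files as untouched since August. On a real server, generate the baseline right after a clean install or update and keep it off the web host: an attacker who can write to the document root can edit the manifest as easily as the theme.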
Now the lesson. I keep WordPress and its plugins up to date. Perhaps the attacker got in through an unpatched (0-day) vulnerability in WordPress or some plugin, but it’s more likely they got in through a vulnerability in Apache or PHP because I haven’t been as diligent in keeping those up to date. I updated them fairly recently–a couple of months ago–and that wasn’t good enough. So my blog sent a few links to payday loan sites until I reverted the two files. Since I cache, I didn’t send as many as the attacker intended, but that’s not my problem.
The trouble is that the entire IPv4 address space can be scanned in a matter of hours, so there is no such thing as an obscure server anymore. When a flaw in any piece of software becomes known, it takes attackers only a few hours to find every exposed copy of it, attack them and get what they want.
The days of going for years without updating a web server and getting away with it are over.