Ministry Watchman Hacked and Highjacked
Posted: January 21, 2007 | Filed under: Uncategorized | 32 Comments
Sometime around 3:00 PM yesterday the Ministry Watchman site went down. It didn’t take me long to figure out that the site had been hacked. When I tried to log into the hosting server my password didn’t work. When I tried to reset the password that didn’t work either. I called the hosting company and had to spend a good deal of time on hold in the phone queue to get to a tech support person.
Tech support verified that the site had been hacked and all the WordPress application files had been deleted. Thankfully the hacker wasn’t able to get into the database files, although it wouldn’t surprise me if he was in the process of working on that too.
After verifying that the site had been hacked I sent emails to several other bloggers who have been covering the same story that we have (yes, I think there is probably a connection), as a warning:
About an hour ago the Ministry Watchman site went down. Here’s the only thing that now shows up:
The requested URL / was not found on this server.
Apache/1.3.31 Server at ministrywatchman.com Port 80
I’m on the phone right now with our hosting company. They verified that the site has been hacked. My password to the server no longer works. They’re trying to figure out how it happened. It’s hosted on a Linux server which they tell me is more secure than Windows servers. All of the WordPress application files have been deleted. Thankfully the database tables are still intact.
The hacker also got into the server control panel, unlocked the domain name and transferred it to a “George Gilbert”. They can’t tell me now how long ago he actually first got in. I don’t know how quickly the Whois info updates, but as soon as I get full access again I’ll be changing it back.
He used an email address of firstname.lastname@example.org. Tech support has relocked the domain name so that it can’t actually be transferred. They’re going to reset the username and password so I can get back in. The hosting company maintains backups and hopefully they’ll be able to get everything back online tonight.
They’re going to try and figure out how this happened, but right now they’re just not certain. I’ll reset my server password to something a whole lot tougher to hack. I’d recommend you all do the same. Also, be sure you don’t use the same password for WordPress as you do for accessing your server.
Tech support tells me that they’re aware of some security vulnerabilities in WordPress and advised upgrading to the latest version. Considering the present climate I’d urge you all to take added precautions.
I’ll update you as I get new info. If you feel it would be beneficial to post this on your blog you have my permission. You’re also free to forward this to anyone that you think needs to see it.
It’s now almost 24 hours after I first noticed that the site had been hacked. I’ve regained control of my server account. The hosting company was able to restore the application files from a backup. However, that didn’t resolve other technical problems that were created by the hacking, so they had to spend additional time resolving those things too. I’ve had to go through my account settings and put them back the way they were. Whoever this George Gilbert is he put a lot of time and effort into trying to steal my site.
I’ve asked the hosting company to investigate this. If George Gilbert could do it once he may do it again. Hopefully the hosting company will be getting back to me with additional recommendations on beefing up security. I also welcome input from any technically savvy webmaster types.
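The two warning signs in this incident, a domain whose registrar transfer lock had been removed and a registrant contact quietly changed, are both visible in a plain WHOIS record. The following is an added example (not code from this post or from the hosting company) showing how a webmaster can script that check against a saved WHOIS lookup. The two records below are constructed to mirror the before-and-after of the incident; the domain, registrar and email addresses in them are placeholders, and the field names follow the common "Key: value" WHOIS layout, which is an assumption about the registrar's output format.

```python
"""Audit a WHOIS record for a missing transfer lock and an unexpected
registrant contact. Added example; the WHOIS text below is constructed,
not the output of a real lookup."""

import re
from typing import Dict, List

# EPP statuses that stop a transfer-away at the registrar or registry level.
TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Parse 'Key: value' lines into lowercase key -> list of values.
    Repeated keys (several 'Domain Status' lines, for instance) are kept."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][\w /-]*?)\s*:\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        fields.setdefault(key, []).append(value)
    return fields


def audit_whois(text: str, expected_registrant_email: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    fields = parse_whois(text)
    findings: List[str] = []

    # Status lines usually look like "clientTransferProhibited https://icann.org/epp#...";
    # the first token is the status keyword.
    statuses = {s.split()[0].lower() for s in fields.get("domain status", [])}
    if not statuses & TRANSFER_LOCKS:
        findings.append("no transfer lock: domain can be transferred away")

    emails = [e.lower() for e in fields.get("registrant email", [])]
    if not emails:
        findings.append("registrant email missing from record")
    elif expected_registrant_email.lower() not in emails:
        findings.append(f"registrant email changed to {emails[0]}")
    return findings


# Constructed record resembling the compromised state: lock removed, contact replaced.
UNLOCKED_RECORD = """\
Domain Name: EXAMPLE-WATCHMAN.COM
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
Registrant Name: Unexpected Person
Registrant Email: attacker-placeholder@example.org
Updated Date: 2007-01-20T20:00:00Z
"""

# Constructed record resembling the restored state: locks present, owner contact intact.
LOCKED_RECORD = """\
Domain Name: EXAMPLE-WATCHMAN.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Registrant Name: Site Owner
Registrant Email: owner@example.com
"""

if __name__ == "__main__":
    for label, record in (("compromised", UNLOCKED_RECORD), ("restored", LOCKED_RECORD)):
        print(label, audit_whois(record, "owner@example.com") or ["ok"])
```

Run this on a periodic basis against a fresh WHOIS lookup of your own domain and alert on any non-empty result; the registrant email check is the one that would have flagged the transfer described above before the lock was restored.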
This obviously isn’t just the run-of-the-mill hacker. As far as I know the typical hacker doesn’t try and also steal domain names. This is someone who’s probably a “professional” and someone who intends to steal my entire site. That would be the only logical reason why George Gilbert attempted to transfer the domain name.
Needless to say that’s a criminal act. I’m weighing my options.
I’ll leave it to others to speculate about who’s behind it.