Lessons in cybersecurity, Part I

Posted on February 18, 2022 security stories

Here's a little story from the trenches, from far far away when I was a kiddo learning my way through webservers, PHP and vulnerable (pirated) bulletin boards software.

👋🏻 Intro

A long time ago around 200* something, I was really interested in game hacking related topics and somehow I got in charge of a big forum in the niche. That was my first intro to PHP and anything web related and while being quite good in C++/assembly and having some knowledge of how to breach software security I had stumbled into a fresh new world.

The forum software we were using at the time (it came before my reign to power 😅) was an old, pirated version of vBulletin, sitting on a Dreamhost shared server using PHP 4 something. I was writing code by downloading the files I needed to edit via FTP, do my changes in Notepad++ and then I would upload them back, and so on a dozen times until it worked. This all happened while users were online. The good times of the mono dev-testing-production environments <3

☕ The morning wake-up call

The actual story begins one morning where I woke up like any other day, I get on at my desk and check my beloved community as I was doing everyday. But strangely this time it was different, a black webpage appeared, with red text and a funky “hacker” image. I checked the URL again, it was correct ... panic!

Not the actual image but something similar. Source: sucuri.net

I quickly jump to my trusty FTP client and open the website’s root folder. I notice that all the files are there still, it seemed that just the index.php file has been replaced. And because I knew no better, I simply replaced the index.php with one I had in backups.

Crisis averted, everything fixed. I even tried my best to change the passwords around and I even upgraded the forum software to the latest version (that I could find), time to move on and see about my day, thinking everything is well and life is nice again. Narrator voice: things weren’t well and life would not be nice for long.

🕛 Next morning, deja-vu

Same as the day before, same routine, same hacked website, same defaced homepage. 😭 I was having a deja-vu, I thought I fixed it, how could it be? Well, it be. I go through the same steps as the day before, I upload my index.php back and go with my day.

This weird dance continued for a couple of days.

🛡️ The guardian cron job

Finally getting fed up with doing this whole dance every morning I come up with my brilliant solution (or so I thought at the time). I thought I should automate this and so I created a script that checked the hash of the index.php and compare it to a well known hash of the original file, if the hashes would differ, then it would copy and replace the whole forum software with the “good one”. I would throw that in a cronjob where it would run my checker script every couple of minutes.

It worked! The homepage never got defaced again, well, I never saw it get defaced again 😅.

Thinking in retrospective, there’s more that I could’ve done, a lot more, but at the same time I was limited by the tools at hand and more importantly, my knowledge. Given the website was on a shared hosting, there was not much under my control but I could have at least looked into the root cause a bit more, investigate and try to understand what happened, before applying my brute-force fix.

Overall this was a good lesson and a good start into cybersecurity, it was the spark that lit my curiosity for this field.