On my recent upgrade of php to 5.3, gentoo created a new slot so that people could run 5 and 5.3 in parallel. Gentoo is always giving you options (can you handle it? “ask yourself, do you feel lucky, punk?”). As usual, you must proceed with caution. And as usual, you will probably learn something along the way. This time around, the lesson is on php.ini defaults. (continued…)
I love my websites and servers and applications. I expose a lot of my toys on the internet, because it’s FUN and USEFUL. I try to apply the 80/20 rule in getting things done, doing 20% of the security I should to achieve an 80% benefit. I don’t have time to “do it right”, if that’s even possible. I know this is a terrible approach to network security, but it is my conscious choice. There is fun to be had.
The approach burns me on occassion, but I get by. I’ve been hacked twice in 10 years, not a bad record considering my approach. The second hack occurred recently. Some poor bastard in backwoods Russia or God-knows-where has been scanning and hacking WordPress sites with a backdoor approach to adding admin accounts. Once the admin account is set up, they inject redirection scripts into the php template code.
I have not taken the time to install all the WordPress updates the moment they come out – classic example of my slacker approach to security. So at some point in time, I got hacked. The sad part is that I did not even notice it until much later, when Firefox’s automatic malware detection kicked in and Google and StopBadware.org started denying me access to my own site.
Apparently the injected code had the capacity to install malware – not that I would know, being a linux user. The cleanup involved purging all the injected php code, which was obfuscated with “eval(base64)” wrappers, and removing the hacked WordPress admin accounts.
The fact that I was potentially adding malware to the computers of people visiting my websites is enough to make me physically ill. Some of that paranoia and obsession required to achieve a moderate level of security has surfaced. My WordPress and Mediawiki sites are too rich and chock full of functionality for me to personally do any real level of guarantee of security – I have to rely on the popularity of their code base and assume issues get caught quickly. But the least I can do is upgrade them whenever a new stable release is available. Generally speaking, this is what keeps me on the internet, and it is no longer an optional activity.
The only other flaw in my setup of which I am painfully aware is due to virtual hosting restrictions. I do a LOT with my one little IP and my one little server (including truly free truly legit SSL), but I cannot host more than one SSL virtual site on port 443. Just “the way things are”. I need to be diligent about redirecting secure traffic through the one configured SSL domain. But this is never easy.
The silver lining: the WordPress iPhone app now works! The pace of blogging should now improve from glacial to very infrequently. :>