I run several websites off of my one Linux server sitting here in my house. I try to keep it reasonably secure: it’s behind a firewall with a limited number of open ports, I try to keep my software somewhat up to date, and I install code to intercept blatant attempts to spam or attack my site.
Unfortunately, I do maintain my server in my spare time, and I don’t put a ton of effort into it. I realized a couple of years ago that my PHPNuke based sites were vulnerable. The code itself is full of security holes, and is famous for providing numerous avenues of attack…particularly via SQL injection.
In the past five years, my site or my server has been compromised several times. Every incident started with SQL injection via one of my PHPNuke sites. A few years ago, I migrated my main blog to WordPress, and it has been rock solid ever since…but the other sites are still vulnerable.
During the worst such occurrence, the attackers actually managed to use this method to install a piece of software that allowed them to launch a terminal session. From there, they successfully used my server for several days to send spam emails. It was intriguing to follow their trail 72 hours after the fact and see what they had done.
My server is a lot more secure now than it was in 2003 when that last major attack occurred. But my system is constantly being probed for vulnerabilities. The latest intrusion was about two weeks ago- again, via PHPNuke and SQL injection. I had that vector basically plugged for a couple of years, but apparently an update to PHPNuke unlocked the door just enough to permit a relatively minor intrusion. This time, the bad guys installed a single pixel iFrame in the footer of one of my websites that attempted to launch a browser trojan impacting the visitor’s machine. I cleaned it out within 24 hours of it being installed, and re-applied patches to PHPNuke that supposedly close the door once again.
Since that day, my server has been brought to its knees three times in a row by what, based on the limited information I can gather, appears to be a very crude denial of service attack. It could just be a coincidence, and I certainly could be reading the evidence incorrectly. But it does make me wonder: why would someone put any effort into trying to compromise my tiny little server? What is the point?
Like the subject for this post says, the Internet is a weird place.