After 4 weeks of downtime my sites are online again. My server was breached and I had to go through 15 GiB of backups to clean out corrupted files - including quite a few obfuscated PHP files.
The corruption vector was most likely either an old mysqldumper instance I hadn’t used for years (and forgotten about) or a vulnerability in Drupal 6.35 which I had underestimated and delayed because I had No Free Time™.
The corrupted files are gone now, along with the mysqldumper instances and any other dynamic code I no longer use, and my Drupal instances draketo.de and 1w6.org are updated. The databases seem to be unchanged (lucky me — fixing them would have been a major pain).
Luckily my provider (all-inkl) pulled the plug on Sunday, 21st July 2015. They provided me with their backups and lists of corrupted files their scanners found and disabled. Then I asked them to keep the account offline till I finished cleaning up and sent a breach-notification via Twitter and G+ (my self-hosted GNU social instance at sn.1w6.org naturally went down with my account):
All my clearnet sites have been breached: https://t.co/eP9drcqu2f #breach
— Arne Babenhauserheide (@ArneBab) June 21, 2015
During the 4 weeks I kept writing now and then on my Freenet site which could still be accessed over my homeserver: random_babcom. Commenting stayed possible over Sone which I also use as platform for comments here (via babcom) — install Freenet with Sone to see an example at the bottom of this page.
My most recent articles were still available via the latest good version of draksites (RSS mirror) — in Freenet you can jump back to older versions of sites, as long as they are still available. They stay available as long as people access them.
It irks me that this happened just before the three weeks in which my wife and children were on vacation. I had quite a few things planned for that time - like transcribing and translating my talk about Freenet for the SUMA award (to provide English subtitles) and hacking on OpenBazaar to make it use Freenet as backend, because I consider that combination as the best solution for a decentralized market system: Real anonymity without publishing cost and with spam resistance restricts the power of cartels, while police can still track people by regular investigation legwork. Most of that time went into fixing the site and avoiding working on fixing the site.
At least I got some writing done for pyFreenet: Freenet Communication Primitives, Part 1 — how to use Freenet as communication backend for your programs.
This is the breach notice I wrote:
My hosted server and all my websites have been breached. This includes https://draketo.de https://1w6.org and https://sn.1w6.org
I’m sorry that I did not manage to protect them better. I’m working on restoring them and then tightening their security.
Meanwhile you can access updates from me via Freenet: https://d6.gnutella2.info/freenet/USK@sUm3oJISSEU4pl2Is9qa1eRoCLyz6r2LPkEqlXc3~oc,yBEbf-IJrcB8Pe~gAd53DEEHgbugUkFSHtzzLqnYlbs,AQACAAE/random_babcom/52/
The most recent entries from draketo.de 1w6.org and sn.1w6.org are still available in the in-freenet RSS copy: https://d6.gnutella2.info/freenet/SSK@y24LRrc2iTFC6eZNvi8uyNC7PBmAe8QAw51XIduangQ,85Y56-on-J9iezqatRyLhsPD5GAU96zCpw1T2Fcvdik,AQACAAE/draksites-383/
If that inproxy should go down, too (or just cannot take the traffic), just install Freenet ( https://freenetproject.org ) and use the following local links:
- http://127.0.0.1:8888/USK@sUm3oJISSEU4pl2Is9qa1eRoCLyz6r2LPkEqlXc3~oc,yBEbf-IJrcB8Pe~gAd53DEEHgbugUkFSHtzzLqnYlbs,AQACAAE/random_babcom/52/
- http://127.0.0.1:8888/SSK@y24LRrc2iTFC6eZNvi8uyNC7PBmAe8QAw51XIduangQ,85Y56-on-J9iezqatRyLhsPD5GAU96zCpw1T2Fcvdik,AQACAAE/draksites-383/
It’s ironic that I write this after complaining that our parliament’s IT has been breached.
Sorry for the 4 weeks of downtime. My sites are part of my hobby, so I cannot always invest as much time as I’d like to, and since I started my PhD I can no longer stay up to date with all potential threats. I’m already happy that my server is managed by my hoster. I wouldn’t want a self-maintained server for my sites right now.
Note: To make a comment which isn’t a reply visible to others here, include a link to this site somewhere in the text of your comment. It will then show up here. To ensure that I get notified of your comment, also include my Sone-ID.
Link to this site and my Sone ID: sone://6~ZDYdvAgMoUfG6M5Kwi7SQqyS-gTcyFeaNN1Pf3FvY
This spam-resistant comment-field is made with babcom.