Hi,
Thought you might get a kick out of this. It happened a few days ago.
A couple years ago I set up a small database to hold the Portfolio information
(we're an ad agency) of the company I work for. It had categories like Posters,
Billboards, Logos, Jingles, etc. and examples of each. The PHP/MySQL backend
fed the info to a Flash file, which displayed the text, graphics and
multimedia.
I was quite a bit less experienced then than I am now and decided not to
password protect the directory I use to administer the database until the
development was finished. There was no real data in it yet, so why bother?
Needless to say, I forgot to password protect it, even after I entered the live
data.
Skip ahead to last week.
My boss asked me to look at the Portfolio. It seems he was demonstrating it to
a client and it was empty. Checking the DB from the command line, I realized
all the data was gone. "Someone hacked the site!", was my first thought, but I
quickly re-discovered that there was no password protection and my heart sank.
"They just guessed at the URL and deleted everything", was my next thought. But
I thought it weird that they'd delete everything, but not add a category like
"Windoze sux0rs!" or something equally witty. I checked the logs, vowing to
make the bastards pay. I found they did it about 2 weeks previous and noted
their IP. I also noticed their browser was "ia_archive r", which rang a bell but
I couldn't quite figure out where I knew that name. On to ARIN to look up who
the IP belongs to... Answer: Alexa Internet. "Alexa" sounded familiar too.
They make the toolbar I use to help track our sites' popularity. I wondered if
they were also an ISP. Probably not, they didn't have many IP addresses.
Then it hit me: the Alexa toolbar sends to Alexa the pages you visit. An Alexa
bot then crawls the sites you visit and ranks them. The "delete" button on the
portfolio script was a simple link, with only a Javascript confirmation (I'm the
only one who updates the portfolio, so why bother with real buttons and a real
confirmation screen?). So no JS means to confirmation. The Alexa bot crawled
the site and deleted every damn record and I was the one who not only left the
door open, but showed it where it was...
Happy Ending: our hosting company had backup tapes. They sent me the files, I
installed them and everything's back up and running.
Oh, and I set up password protection :o)
Shawn
--
Shawn Wilson
shawn@glassgian t.com
Thought you might get a kick out of this. It happened a few days ago.
A couple years ago I set up a small database to hold the Portfolio information
(we're an ad agency) of the company I work for. It had categories like Posters,
Billboards, Logos, Jingles, etc. and examples of each. The PHP/MySQL backend
fed the info to a Flash file, which displayed the text, graphics and
multimedia.
I was quite a bit less experienced then than I am now and decided not to
password protect the directory I use to administer the database until the
development was finished. There was no real data in it yet, so why bother?
Needless to say, I forgot to password protect it, even after I entered the live
data.
Skip ahead to last week.
My boss asked me to look at the Portfolio. It seems he was demonstrating it to
a client and it was empty. Checking the DB from the command line, I realized
all the data was gone. "Someone hacked the site!", was my first thought, but I
quickly re-discovered that there was no password protection and my heart sank.
"They just guessed at the URL and deleted everything", was my next thought. But
I thought it weird that they'd delete everything, but not add a category like
"Windoze sux0rs!" or something equally witty. I checked the logs, vowing to
make the bastards pay. I found they did it about 2 weeks previous and noted
their IP. I also noticed their browser was "ia_archive r", which rang a bell but
I couldn't quite figure out where I knew that name. On to ARIN to look up who
the IP belongs to... Answer: Alexa Internet. "Alexa" sounded familiar too.
They make the toolbar I use to help track our sites' popularity. I wondered if
they were also an ISP. Probably not, they didn't have many IP addresses.
Then it hit me: the Alexa toolbar sends to Alexa the pages you visit. An Alexa
bot then crawls the sites you visit and ranks them. The "delete" button on the
portfolio script was a simple link, with only a Javascript confirmation (I'm the
only one who updates the portfolio, so why bother with real buttons and a real
confirmation screen?). So no JS means to confirmation. The Alexa bot crawled
the site and deleted every damn record and I was the one who not only left the
door open, but showed it where it was...
Happy Ending: our hosting company had backup tapes. They sent me the files, I
installed them and everything's back up and running.
Oh, and I set up password protection :o)
Shawn
--
Shawn Wilson
shawn@glassgian t.com
Comment