sungate.co.uk

Ramblings about stuff

Blimey, this all looks a bit different: what’s happened?

Yes, it does look different, doesn’t it? Why? Well, that’s actually a long story…

During the morning of Thursday 16 September, mrben pointed out that my web site was offline. On checking this out, I realised that the web server process, apache, was not running. “Fine”, I thought, “I’ll just restart it.” It wouldn’t start up because it claimed something else was already listening on port 80: the process listening on port 80 was called “/tmp/r0nin”, which to date has been the only thing that has caused me to swear outright on IRC. A name like that is very clearly a “script kiddie” program, meaning that someone had partly penetrated the security of my server.
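The symptom above (a process run from /tmp holding a port that apache should own) is cheap to check for. The script below is an added example, not from the original post: it joins listener lines in the format of iproute2’s `ss -ltnp` with a pid-to-executable table (what `readlink /proc/<pid>/exe` returns) and reports listeners that run from a temp directory or hold port 80 without being apache. The sample tables are constructed, not captured from the compromised server.

```sh
#!/bin/sh
# Added example. Assumes `ss -ltnp` output and a "pid exe" table; on a live
# host, replace the constructed samples with the real command output.

# Constructed sample of `ss -ltnp` output (one listener per line).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=611,fd=3))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("r0nin",pid=2419,fd=4))
LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("exim4",pid=702,fd=5))'

# Constructed "pid exe" table standing in for: readlink /proc/<pid>/exe
SAMPLE_EXE='611 /usr/sbin/sshd
2419 /tmp/r0nin
702 /usr/sbin/exim4'

# Print "port pid exe reason" for every listener that either runs from a
# world-writable staging directory or holds port 80 without being apache.
# $1 = ss -ltnp output, $2 = "pid exe" table.
suspicious_listeners() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk '
        /^---$/ { section = 2; next }          # separator between the tables
        section != 2 { exe[$1] = $2; next }    # first table: pid -> exe path
        !/^LISTEN/ { next }                    # skip header / non-listeners
        {
            port = $4; sub(/.*:/, "", port)                 # "0.0.0.0:80" -> 80
            pid = $0; sub(/.*pid=/, "", pid); sub(/,.*/, "", pid)
            path = (pid in exe) ? exe[pid] : "?"
            reason = ""
            if (path ~ /^\/(tmp|var\/tmp|dev\/shm)\//)
                reason = "exe in temp dir"
            else if (port == 80 && path !~ /(apache2|httpd)$/)
                reason = "port 80 not apache"
            if (reason != "") print port, pid, path, reason
        }'
}

suspicious_listeners "$SAMPLE_SS" "$SAMPLE_EXE"
```

On the sample data this prints `80 2419 /tmp/r0nin exe in temp dir` and nothing for sshd or exim4.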

After a lot of research and checking of the system, I believe it boils down to this: a vulnerability in the software I used for my weblog (a heavily customised version of b2) had been exploited to kill the apache server (an exploit of the xmlrpc.php posting interface). The version of the software that I was using was sufficiently esoteric that I don’t think any further exploit or intrusion of the server took place. However, to be on the safe side, I decided that it was best to start afresh with a known-clean system: so, I backed up all of my home directory, web server files and so on, then installed a clean image of Debian Sarge. I was planning an upgrade from Woody to Sarge anyway, so this just forced my hand somewhat.

Having got the basic system back online, I made the first task getting email functioning normally. The server handles mail for all our household’s domains and acts as an outgoing, authenticated SMTP server too. That didn’t take too long: exim4, which ships with Sarge, is easier to configure than exim3 from Woody. Next, the web sites: I put all the static content back up straight away, since there is nothing to exploit there, but of course I couldn’t just put my weblog back in its previous state: the same vulnerability in xmlrpc.php would be re-exploited in the same way.

So, I needed to find some new software to run my weblog. After a bit of discussion, I decided to go for WordPress because (a) it’s very themeable, (b) it evolved from my previous software, so I would be able (with some work) to keep my old posts and comments, and (c) it’s very widely used and therefore I should get a quick heads-up of any security issues with it.

Installation and basic theming didn’t take long; importing my old content took a bit of database hacking, though. Although b2 and WordPress have fundamentally the same structure, WordPress has many new features, meaning that the database schema has grown. So I started with my b2 database, compared it to the WordPress structure, and added in the new fields, setting their defaults appropriately. This actually seems to have worked quite well.

The moral of all this is, even if you are using a secure “system”, insecure applications (in this case, the aging and not-security-updated b2 weblog software) can result in a backdoor for intruders.

And there we are. I told you it was a long story. I’m still rebuilding this site somewhat, so there will be tweaks and changes over the next few days, but I think this is basically the new, finished look. In the mean time, there may be some links that don’t work, some old posts which may be formatted a little strangely and some missing images. I will be fixing that, but if you spot anything, please let me know.

3 Responses to Blimey, this all looks a bit different: what’s happened?

  1. Glad it’s back 🙂
  2. Yeah, me too 🙂
  3. Nice case study – mighty big of you to share such a humbling experience. 😉