Jeremy Tarpley | jeremytarpley.com

Hacked

My website has been defaced twice in the past few days. Yesterday, I checked my site for the first time in a while (someone has to look at it) and was very surprised to see that my homepage had been replaced by a plain white webpage with the text “defaced by YELLOW MOUSE” and a photo of a yellow stuffed animal (presumably a mouse). Here is a copy for the curious.

Well, I changed my passwords, removed a couple of old ftp accounts and looked for any obvious security holes. I had no unsecured upload scripts, anonymous ftp accounts, etc. My hosting service has links to ftp logs for my web space; either they don’t exist or I am unable to access them. The FTP stats don’t show any activity this month… I’d worked all day and I have a cold so I decide that I have done all I can for the time being. I replace the defaced page with an old copy of my homepage and go home for the day.

This morning I discover my site has once again been defaced. Unfortunately, my phone starts ringing early and doesn’t stop until mid-morning. I was hoping work would be quiet today so I could take a closer look at this problem. Oh well – that’s what lunch breaks are for.

(excuses: )

I have been bested (and a bit embarrassed). I have not intentionally written any insecure scripts; I acknowledge that I am by no means an expert on php. Most of the php on my site is between two and three years old. I definitely didn’t know what I was doing when I first started learning php three years ago, so it won’t surprise me if I find something stupid in my code. I guess I will spend my evening going over every script. In hindsight – I probably should have done this yesterday.

(passing the buck: )

I also suspect other people’s code. My hosting service provides several content management and blogging applications. While I do not use any of them, I have installed several and I am certain they have not been kept up-to-date. Needless to say, I will be removing any code that I didn’t write. I believe I will also look for a hosting service that provides sftp or scp access.

(crying uncle: )

Whatever the case is – I want to thank the person who has discovered this exploit for not being destructive or doing anything vulgar. If you’re interested in helping a guy out – I am dying to know how you gained access. I am not rich, but if you could shoot me an anonymous email, maybe I could figure out some kind of reward in exchange for your knowledge.

Posted by Jeremy Tarpley


Site last updated January 6, 2010 @ 12:57pm; This content last updated January 21, 2008 @ 4:09pm