Hacked

Oh dear, this is embarrassing. The web server that sits in our DMZ at home got hacked this afternoon. They replaced our photo albums with a "you've been hacked" page and left some other nasty little bits of software lurking elsewhere on the server. It's taken me most of this evening to clean the mess up.

The hackers claimed to be based in Turkey. They got in via an application we were running called Ol'Bookmarks. It required register_globals to be turn on, which is always a risk, and it turns out that the application is fundamentally insecure. A carefully crafted URL allows the hacker to run code from a remote server and then in turn allows them to run arbitrary PHP code on your local server. Nasty.

It's obviously a known hack. You can see from the server logs that people are using Google to find servers running Ol'Bookmarks (of which there are quite a few, although numbers are now dropping fast). They're doing it from a variety of countries too, not just Turkey, so it's a known exploit.

Anyway I've taken Ol'Bookmarks off our server and submitted a bug report.