A note on my cyber attack and communications

For those of you trying to submit stories and/or contact me via WUWT, that won’t be possible for a couple of days via normal methods. My office experienced a cyber attack/hacking today.

WUWT is hosted on wordpress.com, and not served from my office network, so was not affected. But, one server for communications that also serves WUWT was.

One of our primary servers is now offline, and it handles our mail and messaging system. This particular server got compromised because one account had a weak password. While that machine was compromised, fortunately the problem didn’t spread (we think) thanks to it being isolated from other parts of our network and having a different password than other systems. That’s a lesson to anyone running multiple systems – use diverse and strong passwords.

That server is still offline, and I expect our email will be down for a couple of days. It was used to turn into a spam factory overnight and now our network is on several spam lists, thanks to over half a million spam emails being sent, so it will take us a couple of days to get all that cleared up. While we can restore from a backup, all that spam sent out has caused us bigger problems .

Posting on WUWT might be light also until we get the problem solved and get security checked on the rest of our machines.

The attack looks to be unrelated to WUWT, and seems to be just another spammer looking for a machine to take over.

For those that need to contact me, or submit a story, see this:



UPDATE: as of about 10AM PST this morning, we have everything back to normal and we can receive email, but sending email might still be hampered by our network being put on SPAM blacklists. Clearing that will take a couple days.


0 0 votes
Article Rating
Newest Most Voted
Inline Feedbacks
View all comments
November 12, 2013 9:26 pm

Sorry to hear, Anthony….a sign of the times. Take care, CRS

John F. Hultquist
November 12, 2013 9:27 pm

If this means we will miss news of the climate conference in Warsaw – that’s good.
Okay, sorry. These sorts of things vary from little to big pains. Yours is a big one. Hope you realize how much you are appreciated. Cheers.

Colorado Wellington
November 12, 2013 9:28 pm

Anthony, sorry to hear about another unneeded distraction. Thanks for the note and take your time to do it right.

November 12, 2013 9:31 pm

I hope things go smoothly and I’m glad it wasn’t worse.

William Nichols
November 12, 2013 9:50 pm

Ditto. We appreciate you my friend.

Richard D
November 12, 2013 9:51 pm

Painful, and costly in time/money. Thanks for all of your efforts. Good luck.

November 12, 2013 9:55 pm

Sorry to see you experiencing hacking problems – yet to be honest it surprises me you haven’t to this point in time however obscure the attack. It appears you are lucky you have a diverse system very well split up into different components – this will take a fair amount of time to fully sort out this mess.

November 12, 2013 9:59 pm

You’re the best.

November 12, 2013 10:06 pm

One wonders. It would be a shame to tar too many with the brush, but I experienced similar problems after a lengthy discussion with true believers at Weather Underground. The modelers, for all their analytical faults, have exceptional computer skills. All it takes is one who truly believes they are saving the world…
REPLY: I don’t see any connection between this to them, or climate activism whatsoever. The hacker turned the machine into a spam factory – Anthony

November 12, 2013 10:51 pm

Hi Anthony, really sorry to hear about your problem, exactly the same thing happened to me a few months ago. It caused me a great deal of trouble, including the need to visit the local Apple Store to get my iPad reset. The man at Apple said he had never seen such a strong password, so how the Taiwanese hacker got into my account, I don’t know. I still get e-mails (directed to my Spam folder) in Taiwanese! I used a combination of upper and lower case letters, numbers and characters based on past car registration numbers. The cars were scrapped years ago, so the number plates died with them. Why they picked my account and how they decrypted the password is a total mystery to me?

Greg Goodman
November 12, 2013 11:10 pm

Bishop Hill is also reporting all comments are falling into a black hole (except for registered commenters).

Steve C
November 12, 2013 11:20 pm

Very sorry to hear about this – very best of luck sorting it out and rebuilding.

November 12, 2013 11:21 pm
Greg Goodman
November 12, 2013 11:21 pm

“This particular server got compromised because one account had a weak password.”
And did that particular account have admin privileges?
If not just create another account and remove the compromised user. If it did manage to escalate to a full admin take-over you should probably consider using a less vulnerable operating system.

November 12, 2013 11:39 pm

Anthony, I guess you might have already seen this, if not, please give it a try. It seems to give good advise on how to achieve secure passwords. The link is https://www.grc.com. Apparently the secret is length, not complexity.
Peter Melia

November 13, 2013 12:07 am

All my servers use fail2ban – more than 3 failed attempts to login throw the attacker into jail for an hour, they are firewalled completely out. Trust me, it’s difficult to brute-force a password when you only get 3 tries per hour. Also, I have firewalled out entirely the 5 countries that most cyber attacks come from, with the geoIP list updated weekly.
One thing I’ve had a difficult time doing is blocking proxies, like “hide my ass”, but they have two ridiculously easy ways to detect them that most people haven’t figured out yet. Every time a new one appears it automatically ends up in a ban list for 30 days.
Internet security is a moving target, you will never just have a secure system that you can walk away from (unless it’s powered off or has no outside access, which defeats the whole purpose).

November 13, 2013 12:23 am

Many of the tens of thousands of people on 1and1.com are blacklisted this week as some spammers got into some 1and1 servers.

James Bull
November 13, 2013 12:28 am

Hope you get it all sorted soon.
Take Care
James Bull

Peter Miller
November 13, 2013 12:37 am

Speaking as someone whose website was hugely hacked, we eventually found that it was not targeted at us, but seemed to be some kind of malicious random attack emanating out of the Far East.
However, the conspiracy theorist in me says: there is so much money swilling around in the global warming troughs, and so many careers dependent on the continuation of the current system, that it it is not impossible that someone has taken action against the world’s most influential site trying to empty those troughs.

November 13, 2013 12:45 am

andrewmharding says:
November 12, 2013 at 10:51 pm
Hi Anthony, really sorry to hear about your problem, exactly the same thing happened to me a few months ago. It caused me a great deal of trouble, including the need to visit the local Apple Store to get my iPad reset. The man at Apple said he had never seen such a strong password, so how the Taiwanese hacker got into my account, I don’t know.

I’ve read that some hackers spread malicious applications. Here is something else more recent, it concerns hackers using the camera and microphone of smartphones.

11 November 2013
“The software watches your face via the camera and listens to clicks through the microphone as you type.”

November 13, 2013 12:47 am

@Anthony Watts,
Please tell me you are NOT using Windows as your (personal/private) server operating system!!

Man Bearpig
November 13, 2013 12:56 am

Anthony … If you use remote desktop on the server (assuming it is a windows machine) use something like RDPGuard it is anti hacking software and blocks an IP after so many bad passwords. if you don’t use remote desktop or have not heard of it, make sure the service is turned off this is how a lot of machines get hacked and malware installed.

November 13, 2013 1:30 am

Actually, php.net got hacked too… and that’s a big one.

Mike McMillan
November 13, 2013 3:18 am

Nothing like going to your own web site and having the Norton “Malicious Website! Do you wish to proceed?” banner pop up. Serves me right for having a seven letter noun from page 984 of the dictionary for a password.
I ftp’d into the site and found several of my class reunion pages had javascript files inserted. Cleverly, they were convoluted js files that wrote the actual malicious js files, and you’d have to run them to see what they really did.
So now I have a triply-quantum-encoded password on the site. I just wish I could remember where I wrote it down.

November 13, 2013 4:51 am

Being in the business, it is a constant battle. And it does not matter if you are following every precautionary rule, they always find a new vector to attack you at.
Good luck on the restoration. That is the hard part.

Mike Freeman
November 13, 2013 5:11 am

Folks, it doesn’t matter what operating system you use, you cannot avoid this kind of attack if an email account has a weak password. As an IT consultant, I see it all the time; an email account with a weak password is hacked and that account is used to relay spam through the mail server. All of this speculation by wannabe network experts about this OS or that is silly.

November 13, 2013 6:00 am

A good article on password generation.
An alternate method for such

November 13, 2013 8:08 am

Ah Ha! So YOU’RE the one so interested in the size of my Johnson! /sarc
Seriously, these &^$$^&^&’ers have hacked the SBCGLOBAL server many times. I have a pretty solid password(s) and have them go through a the server a few times to send out spam. I can only imagine how it must feel at 100x the headache. Don’t you just wish you could plant an e-bomb that would trace back to their server and explode when this happens? Best wishes Anthony!

November 13, 2013 8:36 am

I do some work with the FBI via their Infragard collaboration, we get cybercrime briefings regularly. This site has good information: http://www.fbi.gov/about-us/investigate/cyber

Steve from Rockwood
November 13, 2013 9:49 am

We had a similar problem through 1and1.com a few years back. Impossible to trace the origin and hard to fix. It was suggested we use a password that “no one else would even consider”. I was going to go with ilovealgore69 but just couldn’t bring myself to typing it in. Yet somehow, I feel less at risk.

November 13, 2013 10:33 am

“That which does not kill us makes us stronger.”

~ Friedrich Nietzsche

Richards in Vancouver
November 13, 2013 11:13 am

“That which does not kill us can make us awfully sick.”
– Wayne Richards

November 13, 2013 12:01 pm

Re CodeTech:
…blocking proxies… You are blocking a lot of legitimate users. I always proxy to fuzz up Google’s total information awareness of me. Proxy through Amsterdam, all the ads change to Dutch or Euro, etc. I also do other stuff which could profile as a bad guy hiding himself, but good guys have to start hiding themselves in these NSA days.

November 13, 2013 12:47 pm

Actually I have one site that requires geolocation for legal reasons. That’s the one everyone immediately tries to proxy in on. I know the mindset, because I also hate being blocked that way.

Gunga Din
November 13, 2013 1:02 pm

Some sites will ask security questions like “What was your Mother’s maiden name?” or “What was your first car?” or “In what city were you born?”. Those three are common.
Mix up your answers but always use the same “mix” so that you remember what to answer. ie, If they ask for your mothers maiden name, always answer with the city you were born or your favorite color.

November 13, 2013 2:40 pm

That’s Suxnet.

November 13, 2013 2:45 pm

Mike Freeman,
Has it right!
If Anthony is interested I have developed a password scheme and would be happy top share it.

November 13, 2013 9:24 pm

@CRS, DrPH, that is one fine way to do what ? does not sound like a very safe way to advertise a “secure” site. but thanks anyway.

%d bloggers like this:
Verified by MonsterInsights