Lois & Clark Forums
Posted By: Marcus Rowland Hacked - 10/10/10 04:05 PM
My web site was hacked tonight - not sure how it was done, my guess is that the password was too easy to crack. The new one isn't, I hope.

Fortunately nearly everything was backed up, so fixing it was basically a matter of deleting the files that had been modified (every instance of index.htm throughout the site was modified and write protected) and replacing them with the backup. The one exception was fortunately a file whose text was on a message I posted to my blog last year, so it was easy enough to recover the text and convert it into the HTML.

No moral here, except keep your passwords complicated and your files backed up!
Posted By: Marcus Rowland Re: Hacked - 10/10/10 07:37 PM
Later - turns out this was a server-wide hack, which in a way is reassuring - the hosting company was the problem, I haven't been individually targeted, and they've now fixed things.
Posted By: Lynn S. M. Re: Hacked - 10/10/10 07:46 PM
Marcus,

Ouch! It's a good thing you had those backups!

I'm sure you already know everything I am about to type, but for the benefit of those reading who might not be as computer savvy, I thought it couldn't hurt to write up a password primer.

A good password has the following characteristics:

- It is at least eight characters long. (Any shorter and it could be broken in a reasonable amount of time with a brute force attack.)
- It contains upper and lower case letters, at least one digit, and, if permitted, at least one special character.
- It is NOT a word in the dictionary (English or any other language), or a word followed by a single digit. (Otherwise, it could be broken with either a dictionary or a hybrid dictionary attack.)
- It is NOT anything personally identifiable to you (your userID, name, birthday, driver's license number, etc.) or to your family or friends.
- It is changed on a fairly regular basis.
- It should be obscure to everyone else but easy for you to remember, since you should never write your password down.

One way to generate a password is to use the initial letters of a phrase you can remember, and then tweak it. The phrase could be the lyrics of a song, a quotation, or any other phrase you could remember. But don't use one that anyone knowing you would be able to guess with a little research, or that anyone would be able to guess based upon your interests as expressed on your Facebook page, in your tweets, on your website(s), etc. For example, no one on this list should base a password on a well-known phrase from Lois & Clark. A good password might be Mha1l.Ifwwas. -- It is sufficiently long and it includes two capital letters, a number of lower case letters, punctuation, and a digit (the number one). It would be easy to remember because it is based on a nursery rhyme. ("Mary had a little lamb. Its fleece was white as snow.") Of course, this wouldn't be a good password for anyone known to have a passion for nursery rhymes; but otherwise, it would be extremely unlikely to be guessed based on anyone's knowledge of the password holder.

Joy,
Lynn
Posted By: Lynn S. M. Re: Hacked - 10/10/10 07:47 PM
Quote
Originally posted by Marcus Rowland:
> Later - turns out this was a server-wide hack, which in a way is reassuring - the hosting company was the problem, I haven't been individually targeted, and they've now fixed things.

All the same, it can't have been pleasant. I hope your hosting company learns from this attack and provides more effective defenses in the future.

Joy,
Lynn
Posted By: Marcus Rowland Re: Hacked - 10/11/10 09:35 AM
It's the first in three years or so, so hopefully they're reasonably careful - they have a pretty good reputation and I've been very happy until this happened.
Posted By: Karen Re: Hacked - 10/11/10 07:56 PM
I've had that happen on a few servers I support. The important thing to remember on shared servers is to make sure your files aren't writable by the world (777 or rw-rw-rw-/rwxrwxrwx). It makes it that much easier for hackers to overwrite your files. It's not foolproof, but it does help.
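
Added example, not part of any poster's message: a shell audit for the world-writable permissions mentioned in the post above (777, rw-rw-rw-). The function names are hypothetical, and the site directory is whatever path you pass in.

```shell
#!/bin/sh
# Audit a site directory on a shared server for world-writable entries.
# Function names are illustrative; the directory is supplied by the caller.

# Print every file or directory under DIR whose "other" write bit is set.
# -perm -0002 matches 666, 777 and any other mode that includes o+w.
# Symlinks are skipped because their own mode bits are not meaningful.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Count the entries found above (assumes no newlines in file names).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Remove only the world-write bit; owner and group bits are left alone,
# so 666 becomes 664 and 777 becomes 775.
fix_world_writable() {
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} +
}

# When run with a directory argument, report only; fixing is a separate step.
if [ "$#" -gt 0 ]; then
    list_world_writable "$1" | while IFS= read -r path; do
        ls -ld "$path"
    done
    echo "world-writable entries: $(count_world_writable "$1")"
fi
```

Run it against the web root first to see what is exposed, then call `fix_world_writable` on the same path once the list looks as expected.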
Posted By: Zoar3 Re: Hacked - 10/11/10 10:21 PM
Marcus, I'm sorry that happened to you! I am glad you were so smart to have backups. My Yahoo email was hacked in the sense that over the last month, it began generating spam to all my contacts. Not fun. Good luck with your improved site.

Mona