Whew! I just dodged a bullet…

So this morning, a member of a mailing list I belong to pointed out to me that a Web site had reprinted an essay from my BDSM Web page without attribution.

At about 10:40 this morning, I started to write a polite email to the owner of that Web site asking him to attribute any of the material he uses from my Web site.

At about 10:42 this morning, my Web site came under attack from a person or persons who had located a JavaScript injection vulnerability in my guestbook script (which is hand-rolled, so it wasn’t a script kiddie attack).

At about 10:44, I went to my BDSM page to copy the exact URL of the essay the other site owner had “borrowed” without permission. When I went to the BDSM page, an alert dialog popped up that just said “2”.

At 10:45, I took apart the HTML of the page and realized that the intruder had injected a JavaScript into the site that popped up an alert dialog, just to let him know that his injection had been successful.

At 10:46, I reuploaded the page.

At 10:47, the attacker injected a different JavaScript. I don’t know what it was; i overwrote it immediately and reuploaded the page again.

At 10:48, I started examining the guestbook, and worked out how he’d managed to inject the JavaScript.

At 10:49, I disabled all the guestbooks on the page. Simultaneously, the attacker injected a new JavaScript onto the page, just seconds before I disabled the guestbook.

We went back and forth for quite while after that. Somehow, I don’t know how, he’d gained sufficient access to be able to change the httpd path and was trying, I believe, to install a hostile drive-by downloader script on my site. I successfully prevented him from doing so, and closed the holes as fast as he was opening them.

At about 11:15, I closed the injection vulnerabilities in the guestbook and reuploaded it. By 11:20, the attack was over, and I had re-uploaded a clean copy of the affected pages.

Had I not been composing an email to someone who’d used my work without permission, I would not have been on my site at the beginning stage of the attack, and my site might now be home to a malicious JavaScript or JavaScripts.

My heart is still pounding. It’s like PvP in World of Warcraft, only with higher stakes.

I didn’t keep a copy of the pages he was modifying, and I’m kicking myself for that now. In hindsight, I should have, but at the time the only thing I wanted to do was undo his changes faster than he could make them.