Last week one of my blogs running BlogEngine.Net got hacked. Never nice. So, I thought I'd write up what happened, and what I've done about it - and some things you can do if you are running BlogEngine.Net.
Firstly - I love BlogEngine.Net - I love having no database and being able to move the entire site from one host to another with a simple file copy. Very cool. I also like that it is built using ASP.Net web forms - very familiar. Because I love it, I didn't want to change to another engine, I'd rather fix whatever issues I found.
Anyway, the site was defaced, and a bogus blog post was put up. This indicated that the hacker had somehow logged in using my password. Looking through the IIS logs confirmed it: the hacker found the site by doing a search for "Powered By BlogEngine.Net", found my site and proceeded to hack away. How did they get my password? Why did they target BlogEngine.Net sites?
Well, last month the BlogEngine.Net team found and patched a security flaw that allowed an attacker to get at protected files. I had applied the patch, but to me, it looks like this same method was used to get my password and login. So I suspect my attacker knew about this vulnerability - which is why they searched for BlogEngine.Net.
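To make the IIS log review reproducible, here is an added Python example (not code from this post or from the BlogEngine.Net project) that parses W3C-format IIS log lines and flags the three signals described above and below: a referer from a "Powered By BlogEngine.Net" search, requests that reach into the app_data folder, and login form posts over plain http. The log sample, the client addresses and the users.xml file name are constructed; the field names follow the standard IIS W3C header.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log sample (not the author's real log). The #Fields
# header drives the parser, so real logs with another field order work too.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip cs(Referer) sc-status
2010-01-10 03:12:05 GET /default.aspx - 80 203.0.113.7 http://www.google.com/search?q=%22Powered+By+BlogEngine.Net%22 200
2010-01-10 03:12:09 GET /App_Data/users.xml - 80 203.0.113.7 - 200
2010-01-10 03:12:40 POST /login.aspx ReturnUrl=%2fadmin 80 203.0.113.7 - 302
2010-01-10 09:00:00 GET /post/hello.aspx - 443 198.51.100.4 - 200
"""

ENGINE_FINGERPRINT = "powered by blogengine.net"      # the string the post says the attacker searched for
PROTECTED_DIR = re.compile(r"app_data", re.IGNORECASE)  # folder holding the membership XML (file name constructed)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("request line before #Fields header")
            yield dict(zip(fields, line.split(" ")))


def triage(entries):
    """Return (finding, entry) pairs for the three signals described in the post."""
    findings = []
    for e in entries:
        stem, query = e.get("cs-uri-stem", ""), e.get("cs-uri-query", "")
        referer = unquote_plus(e.get("cs(Referer)", "-")).lower()
        if ENGINE_FINGERPRINT in referer:
            findings.append(("search-engine fingerprint referer", e))
        if PROTECTED_DIR.search(unquote_plus(stem + "?" + query)):
            findings.append(("request touching App_Data", e))
        if e.get("cs-method") == "POST" and stem.lower().endswith("/login.aspx") and e.get("s-port") != "443":
            findings.append(("login credentials sent over http", e))
    return findings


def suspicious_ips(findings):
    """Client addresses that produced at least one finding, for follow-up in the full log."""
    return {e["c-ip"] for _, e in findings}


if __name__ == "__main__":
    for label, e in triage(parse_w3c(SAMPLE_LOG)):
        print(f"{e['date']} {e['time']} {e['c-ip']:<14} {label}: {e['cs-method']} {e['cs-uri-stem']}")
```

Run it against a real log by reading the file contents into parse_w3c instead of SAMPLE_LOG; the suspicious address set is a starting point for pulling every request that client made.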
If you are using or considering using BlogEngine.Net, what can you do to protect yourself? Here are my recommendations:
1) Replace the default membership provider.
The default XML membership provider that comes with BlogEngine.Net stores passwords in a plain text XML file in the app_data folder. Not smart. So consider replacing the default membership provider with one that uses encrypted passwords. Chris has even documented the (easy) steps for you.
2) Add an SSL certificate to your site.
Adding SSL requires that you purchase a certificate (mine cost US$40 per annum) which (when installed and used) ensures that your login details are not sent in plain text (note that Live Writer doesn't encrypt your credentials when it transmits to http based sites).
I also recommend adding requireSSL="true" to the forms authentication config in the web.config file as follows:
<authentication mode="Forms">
<forms timeout="129600" name=".AUXBLOGENGINE" protection="All" slidingExpiration="true" loginUrl="~/login.aspx" cookieless="UseCookies" requireSSL="true" />
</authentication>
With requireSSL set, the forms authentication cookie is only issued and accepted over https; an authentication token (stored in a cookie or sent from the login form) presented over plain http is rejected. If you've been hacked over http and you don't know whether the hacker saved the credentials in a cookie (by ticking "remember me"), that cookie will not be validated over http when they next visit.
3) Remove the "Powered By BlogEngine.Net" text at the bottom of the master page.
My site was hacked because of a vulnerability in the software package. If I hadn't had the name of the package in the page content, I would not have been found in the Google search that the attacker used and may not have been hacked. Why do hackers the favour of telling them what engine you are running?
4) Know that your site is improved and more secure - but not perfect
You can never say your site is hacker proof. You don't know what you don't know. However, removing clear text passwords is a no-brainer, SSL is wise anyway, and the less you do to help the hacker the better.
If you have other suggestions for things I can do, I'm keen to hear about them!