Our website is back!


Published date: Wednesday, May 23, 2018 - 9:31pm

We would like to apologize to all our website users for the sporadic outages between April 28 and May 23rd, 2018. We had the extremely unfortunate experience of having the front-end of our website injected with scripts from bitcoin miners. The security breach was patched, but it has taken us a while to return our site to full functionality. You may still experience some issues over the coming week or so as we continue to restore files and transfer data.

The good thing is that the hackers never accessed the server - only the database of our content management system.

The auto-archiver of audio was not affected by the hack; shows continued to get archived even while the site was down. Not all audio has been re-attached to episodes, but we are trying to have all the audio re-attached and ready for podcast and download by May 30th.

More info on WHAT happened:
The KBOO website got hacked 4/28. We got the site back up within an hour, after patching the security hole, got rid of the hundreds of scripts that had been inserted into various directories, deleted the tens of thousands of spam users that had been created, and restored the database.

HOW did this happen to us?
There was a security update released 4/26 for Drupal - it was not updated in time before it got exploited by some enterprising hackers that saw we had an unpatched Drupal site (mind you, this was not a security vulnerability that had been known to anyone before last week) and exploited that hole to inject a bunch of code into our site. The hackers did NOT get access to the server, or to our files. Only to the Drupal database - and even that was not access per se, but simply the ability to write files to the database, not to actually see or access anything that is on the database.
And yes, the Drupal patch was applied that day.

WHY us?
The objective of these scripts that were injected into our site seems to be to be part of a cryptocurrency mining scheme - which could be random, or could be that someone suggested our site to the hackers as one they should target. We do not know who these hackers are, but have logs that trace their IPs to all over the world - we are working on figuring it out, but it's not easy to do that. These hacks are apparently being used to hijack the CPU power of the server to apparently mine for cryptocurrency - see:
https://arstechnica.com/information-technology/2018/05/hundreds-of-big-name-sites-hacked-converted-into-drive-by-currency-miners/
"Multiple security firms have reported that large networks of infected computers and Internet-connected devices are mass-scanning the Internet in an attempt to identify vulnerable websites. When the botnets identify unpatched Drupal software, they run automated scripts that exploit the vulnerability. Besides using the flaw to run scripts that perform drive-by cryptocurrency mining on visitors' computers, the hackers are also installing malware that can carry out Internet-degrading denial-of-service attacks on other sites."

Is the site secure now?

We have implemented numerous security measures to ensure the safety of our site. Our members' information was never in jeopardy, as it is stored on a separate, secure site. The entire website has been restored from a pre-hack backup version to an entirely new server. We are also continuing to undergo regular vulnerability assessments to ensure the ongoing security of our site. Due to these new measures, our website is more secure now than it has ever been in the past - and more secure than most sites on the internet!


Thank you for your patience - I know how hard it is to be without a website, when we have come to depend so heavily on it for so much of our daily operation. It's not quite as bad as our FM signal going down - but in this era of podcasting and streaming, it is almost as bad!