I was alerted by M.C. DeMarco on Sunday to an issue with twinery.org. Namely, the home page was serving up malware in one of its JavaScript files-- the little script that shows the screenshots at full size when you select a thumbnail. That's pretty bad. (To be honest, I am not sure of all the bad things that malware may have done. You can examine a copy of it on the Wayback Machine. What I saw it do was, after I clicked a link on the home page, pop open an ad under my browser window.)
After investigating things, a number of other things accelerated things from pretty bad to intensely bad:
- Judging from the Wayback Machine, the twinery.org home page began serving malware sometime in July of this year.
- I could not determine exactly how the malware got on the site in the first place. My best guess currently is that I didn't update one of the software packages on the site in a timely enough fashion and someone took advantage of that, but I don't know for sure, and I don't know how to be sure.
The one silver lining was that the issue appeared to be contained to just the home page. The online Twine editor, in particular, was untouched. The downloadable versions of Twine 2 are hosted at Bitbucket.org, so those were not in any danger, and I've run virus scans on the Twine 1 installers hosted on the site, which have come up clean.
I deleted the malware that same day, but given that someone had the ability to edit files at will on the web site for several months, stronger measures were called for. Conventional wisdom holds that the only way to be sure that there were no nasty surprises in store was to rebuild the server from trusted sources.
This caused some plans I had been making to accelerate. For the past several months, I've been discussing the possibility of moving twinery.org to an Interactive Fiction Technology Foundation server with the rest of the IFTF board (I am also a member). Up until now, the web site had been hosted on Dreamhost shared hosting. Dreamhost has been generally great--in particular, I am a fan of how easy they make it to enable Let's Encrypt on a web site--but occasionally the site would go down for 15 minutes or so, and the best answer customer support could give me was that it was consuming too many resources and had been shut off temporarily.
So, I reasoned, if I'm going to rebuild the server, I may as well do it once, not twice. Tonight, we switched twinery.org from Dreamhost to a server that IFTF operates.
It has, unfortunately, not been a completely smooth transition. We weren't yet prepared to migrate the active email addresses on twinery.org (I have a couple for administrative purposes). In order to make this kind of halfway change, I had to first turn off the Dreamhost site hosting, then point the domain name to the new server in Dreamhost's control panel.
The upshot of this is that for a while, you may see twinery.org displaying a cute Dreamhost robot that's fallen over. Hopefully the change will propagate quickly, but if it hasn't, your patience is appreciated. I wasn't expecting this to happen--I thought the cutover would be seamless--but I hope this won't cause too many problems for anyone.
If you do see other issues with the web site, please drop a line to @twinethreads. I usually check in on that account at least once a day.