At Facebook, zero-day exploits, backdoor code bring war games drill to life

Early on Halloween morning, members of Facebook’s Computer Emergency Response Team received an urgent e-mail from an FBI special agent who regularly briefs them on security matters. The e-mail contained a Facebook link to a PHP script that appeared to give anyone who knew its location unfettered access to the site’s front-end system. It also referenced a suspicious IP address that suggested criminal hackers in Beijing were involved.
“Sorry for the early e-mail but I am at the airport about to fly home,” the e-mail started. It was 7:01am. “Based on what I know of the group it could be ugly. Not sure if you can see it anywhere or if it’s even yours.”

Facebook employees immediately dug into the mysterious code. What they found only heightened suspicions that something was terribly wrong. Facebook procedures require all code posted to the site to be handled by two members of its development team, and yet this script somehow evaded those measures. At 10:45am, the incident received a classification known as “unbreak now,” the Facebook equivalent of the US military’s emergency DEFCON 1 rating. At 11:04am, after identifying the account used to publish the code, the team learned the engineer the account belonged to knew nothing about the script. One minute later, they issued a takedown to remove the code from their servers.
With the initial threat contained, members of various Facebook security teams turned their attention to how it got there in the first place. A snippet of an online chat captures some of the confusion and panic:

Facebook Product Security: question now is where did this come from
Facebook Security Infrastructure Menlo Park: what’s [IP ADDRESS REDACTED]
Facebook Security Infrastructure Menlo Park: registered to someone in beijing…
Facebook Security Infrastructure London: yeah this is complete sketchtown
Facebook Product Security: something's fishy
Facebook Site Integrity: which means that whoever discovered this is looking at our code

Full Story: At Facebook, zero-day exploits, backdoor code bring war games drill to life | Ars Technica.