HAckEd! The Aftermath Blogging 08 DEC 2011

Wonderful, just wonderful. So my online presence was completely down for well over two days at the start of this week, and no, that never points to something good.

The reason? Some silly twit hacked my hosting account for the lulz, and pretty much destroyed everything in sight, just so that he or she could throw up their silly little defacement page featuring some bad music, a picture of a sniper and a link to his ‘security site’. To be honest, I never bothered loading it to see, I just saw the bare code on the pages as I was busy manually removing them, so there may have been a little more. The hosting company (AmpleHosting) picked up on the hack pretty quickly and shut down my account, meaning I don’t think too many people were subjected to what this person obviously thinks is “cool”.

I’m not sure what the attack vector was to gain access to the hosting account; it could be Joomla, WordPress, Gallery or one of my own concoctions floating around, but the fact of the matter is that the hacker successfully deleted a number of files and folders off the account and managed to inject his replacement defaced page across the various sites. At the moment it points to the work of a script kiddie, but oh well, regardless of their level of skill, the damage was done.

My hosting account plays host to five WordPress sites (http://www.craiglotter.co.za, http://www.codeunit.co.za, http://www.houseofc.co.za, http://www.countingbeans.co.za, and http://www.cookiesandcakes.co.za), one Joomla site (http://www.funakoshikarate.co.za), one Gallery site (http://photos.codeunit.co.za), and a couple of my own homebrew sites like the mobile-formatted http://c.codeunit.co.za, my CodeUnit applications Autoupdate framework, my Adobe AIR applications, as well as the beginnings of my portfolio site.

In other words, a fair bit of things down for the count then.

The damage done by the script was pretty simple: trawl through all folders and delete any “index” or “default” pages it could find, drop a custom index page into every root folder, and also delete any files named “wp-config” as well as folders named “wp-admin” or “uploads”, before finally deleting itself (well, I think that this last one is true, as I can’t find a trace of the malicious script for now).

Thankfully, apart from a single username change in the craiglotter.co.za database, it doesn’t appear that the attacker tampered with any of the databases, meaning that to get the WordPress sites back up and running, I needed to download WordPress from its official home, and then upload the wp-admin folder, plus index.php file back into each affected site folder. Finally I had to regenerate the wp-config file using database details for the existing databases held in the account, creating new database user accounts in the process. I have lost some shared images and the like that used to be stored in the Uploads folder, so that does mean that unfortunately you’ll have to bear with a couple of missing items until I manage to root them all out.

I haven’t bothered to bring the Gallery site back up, and will instead trash it and introduce the photos it used to contain into my main craiglotter.co.za site – it makes sense to bring the photos in-house anyway. Already disillusioned with how user-UNfriendly Joomla is, I’ve decided to kill the Funakoshi Karate website and rather create a brand new WordPress site for it (Thank goodness my leave is coming up soon!).

As for the other custom stuff, well, it is pretty much destroyed as far as I’m concerned. I’m already in the process of recreating the CodeUnit Collections mobile site using jQuery Mobile as a platform, and for the rest, well, I’m just going to pretend they never existed until I one day have need of them again! ;)

Sucky, but that’s how it goes.

On my hosting plan, automatic backups aren’t done, meaning that because I wasn’t keeping up to date with backups, the deleted files are lost forever. The fact of the matter is that I should of course have known better and managed the backup process in a more consistent manner, but the reality is that this remains something I have fun with in my personal time – and it simply isn’t all that high on the list of things to do with what little free time I have available to me!
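For anyone in the same boat, here is a small shell script (an added example, not anything from my account or from WordPress itself) that turns the two lessons above into something runnable: it checks a WordPress document root for exactly the pieces the defacement script removed (index.php, wp-config.php, wp-admin and wp-content/uploads), so you can see at a glance which sites need the recovery steps, and it tars up a site's files as a quick backup. The directory layout and the sample tree it builds are constructed for the example; a real backup also needs a database dump (mysqldump), which is not shown here.

```shell
#!/bin/sh
# Added example: post-incident integrity check and file backup for WordPress sites.
# All paths below are constructed for the example; adjust to your own hosting layout.

# The files and folders the defacement script in this post deleted.
wp_expected_paths() {
    printf '%s\n' index.php wp-config.php wp-admin wp-content/uploads
}

# check_wp_site DIR
# Prints one "MISSING:" line per absent item; returns 0 if all present, 1 otherwise.
check_wp_site() {
    site="$1"
    missing=0
    for p in $(wp_expected_paths); do
        if [ ! -e "$site/$p" ]; then
            echo "MISSING: $site/$p"
            missing=1
        fi
    done
    return $missing
}

# backup_wp_site DIR DEST
# Writes DEST/<sitename>-<timestamp>.tar.gz containing the site's files and prints its path.
# (A database dump via mysqldump is also needed for a full restore; not shown here.)
backup_wp_site() {
    site="$1"
    dest="$2"
    mkdir -p "$dest"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/$(basename "$site")-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")"
    echo "$archive"
}

# make_sample_sites [BASE]
# Builds a constructed sample tree: one intact site and one stripped the way the
# defacement script left mine (only a dropped-in index.html survives). Prints BASE.
make_sample_sites() {
    base="${1:-$(mktemp -d)}"
    mkdir -p "$base/intact/wp-admin" "$base/intact/wp-content/uploads"
    : > "$base/intact/index.php"
    : > "$base/intact/wp-config.php"
    mkdir -p "$base/defaced/wp-content"
    echo "<html>defaced</html>" > "$base/defaced/index.html"
    echo "$base"
}

# Usage on a real account (hypothetical paths):
#   for d in /home/user/public_html/*; do check_wp_site "$d" || echo "$d needs recovery"; done
#   backup_wp_site /home/user/public_html/craiglotter /home/user/backups
```

Run the check across every site folder on the account before restoring anything; a site that reports only a missing wp-config.php needs just the config regenerated, while one missing wp-admin and index.php needs the fresh WordPress files uploaded as described above.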

Anyway, the worst part for me is that this shit is done simply for kicks by one very sad, lonely little individual. *Sigh*, eventually they’ll also grow up I imagine.


About Craig Lotter

South African software architect and developer at Touchwork. Husband to a cupcake baker and father to two little girls. I don't have time for myself any more.