We've been hacked. Pride Before The Fall. Part II of ongoing saga
grrrrrrrrrrrrrrrrrrr.
(translation: bad news to follow)
In my previous post about being hacked I made some naive assumptions:
- The hackers just took advantage of an improper setting in the admin section of the content management system (the system that manages the website; in this case it was phpizabi).
- Therefore, magically, it would be easy to fix.
Side note: I would like to say again that the hack did not affect our search engine or hot search archive. It only affected some content pages on a site that was under development.
After contacting some other phpizabi users who had been hacked, I found out that we were in trouble. I was hoping that I would find people who had fixed their sites and could set me on the right path toward fixing mine. I even contacted one guy who had been a volunteer helping with the development of phpizabi; unfortunately, this is what he had to say:
"Hey Tori,
I got two sites that were hacked.
I didn't fix my sites, I dropped Izabi."
Not the encouraging news that I was hoping for. But there is a bright side.
- The hackers were targeting PHPizabi systems specifically so they are not likely (we hope) to try to hack any of our other content management systems. Even better, our phpizabi system was on a different site because we were still working on it so they probably do not even know about Nipponster.com.
- We still have all of the content that was previously on the site that was hacked (live internet broadcast Japanese tv stations and radio, Japanese language tools; everything that was there before content-wise)
- We can put that content without too much effort onto a new content management system which will hopefully be more secure.
So, James and Keitaro have commissioned me to get to work on that right away, "thanks a lot guys" :)
I need to find another webmonkey to help me...
Anyway. Let me show you now how the hackers targeted us.
This is a log of searches that directed people to our site:
As you can see, someone (the hacker) was searching "phpizabi r3", which is the name and version of the content management system for the site we were developing.
So that is how they found us (and others running on phpizabi): they came specifically to take advantage of a hole they found in that system.
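The referrer-log check described above, as an added example (not code from the blog), in Python: it assumes Apache combined-format access logs, uses constructed sample lines, and flags any request whose search-engine referrer query contains the CMS name and version (here "phpizabi r3").

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Query-string keys that common search engines use for the search terms
QUERY_PARAMS = ("q", "p", "query")

# Constructed sample log lines (placeholder hosts and paths, not real traffic)
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2007:10:15:01 +0900] "GET /izabi/index.php HTTP/1.1" 200 5120 "http://www.google.com/search?q=phpizabi+r3&hl=en" "Mozilla/5.0"
192.0.2.11 - - [12/Mar/2007:10:16:44 +0900] "GET /tv/ HTTP/1.1" 200 2048 "http://www.google.com/search?q=japanese+tv+online" "Mozilla/5.0"
192.0.2.12 - - [12/Mar/2007:10:17:09 +0900] "GET /izabi/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.13 - - [12/Mar/2007:10:18:30 +0900] "GET /izabi/admin/ HTTP/1.1" 403 312 "http://search.yahoo.com/search?p=%22phpizabi+r3%22+powered+by" "Mozilla/5.0"
"""

def search_terms(referer):
    """Return the lowercased search query from a search-engine referrer, or None."""
    if not referer or referer == "-":
        return None
    qs = parse_qs(urlparse(referer).query)
    for key in QUERY_PARAMS:
        if key in qs and qs[key][0].strip():
            return qs[key][0].lower()
    return None

def flag_targeted_searches(log_text, fingerprint):
    """Return (host, path, query) for requests whose search query contains fingerprint,
    the product name plus version an attacker would search for (here "phpizabi r3")."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole scan
        query = search_terms(m.group("referer"))
        if query and fingerprint.lower() in query:
            parts = m.group("request").split(" ")
            path = parts[1] if len(parts) > 1 else ""
            hits.append((m.group("host"), path, query))
    return hits

if __name__ == "__main__":
    for host, path, query in flag_targeted_searches(SAMPLE_LOG, "phpizabi r3"):
        print(f"{host} requested {path} after searching for {query!r}")
```

Running it over a real access log instead of SAMPLE_LOG turns a one-off discovery into a recurring check that fires as soon as a CMS name and version start showing up in search referrers.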
What I do not understand is, why would the hackers make our page refresh (switch) to a message that shows the URL of their site? Like I said in my past post, that is how I found out, on Google, about the others who were hacked. And it is how I found out that their site's domain name is registered with godaddy.com.
I contacted Godaddy about their activity, which is clearly against its policy:
"...Go Daddy reserves the right to remove sites that contain information about hacking or links to such information."
Which brings us to the topic of Part III, "Protecting yourself from hackers (with honeypots, etc.)"
stay tuned...
-Tori
Labels: we've been hacked

3 Comments:
I doubt Godaddy is going to do anything about them.
I don't know. But I found this article about Godaddy taking down SecList.org (http://www.sfbg.com/entry.php?entry_id=2784&catid=4&volume_id=254&issue_id=287&volume_num=41&issue_num=25) after MySpace requested it.
I think that this was a mistake since SecList is not (as far as I can tell) about security cracking and they do not go around destroying sites like my Turkish "friends."
But it shows that Godaddy does take action. I just hope that they still do despite the bad publicity after this SecList debacle.
oops. I meant SecLists (with an "s" at the end).