(update: site is now up again. thanks everyone)
I woke up this morning to discover my site (the one in my signature) has been hijacked by this hacker calling himself DZ Z3RO. If you look there now, you will find a skull and bone picture plus his other jargons all over the place. I want to chronicle my fight to restore back my website here on NL.

The worst part of this affair was that I was 10 minutes to leaving for work when I found out. I promptly contacted my hosting company: Bluehost.com but they kept telling me to download my last backup, clean it and re-upload - all by myself. How on earth am I supposed to do this? What if I am not tech oriented? No matter what I said, the support guy at bluehost repeated the same thing. In frustration, I told him we will talk later, I just had to leave for work.

My website has remained defaced all day long. I cant repair the damage from work. Such antics are not allowed from the office PC. Moreover it will take too much time. Cant risk that. I have read up on all the attack routine I will adopt over the weekend. I'll keep ya'll posted.

My website is built on Drupal 6. I blame myself mostly for this catastrophe because I had not updated to the latest secure version despite getting the warning several times. I think this hacker exploited some of the security loopholes in the vulnerable version of drupal I was using. There is a sugestions he may also have entered via another hosted site on the shared server my account is hosted. In this case, Bluehost will be blamed. But I know they will never own up to that.

My accounts host 3 drupal sites and 3 wordpress sites. All the wordpress sites are ok. All the drupal sites are down. I have learnt my lesson and I want ya'll to do same. Always update your CMS with the latest security updates.

Anyway, its 16.30pm now. I will be home soon to launch a counter attack. I dont know what extent this criminal has damaged my files but I have a recent backup. Hopefully I will recover.

I have made a screen capture of the hack. For those not bold enough to check out my site, I will upload the screen photo here later.

I will like to read ur success

I have downloaded a backup I made last night. It happened that the compromise had happened before I made the backup. It was useless. The situation looks really bad now. This cyber criminal has done a great deal of damage already. Bluehost tech support have been very helpful though.

I have made a local copy of the latest version of drupal 6. Right now a restoration is ungoing from a system backup done around 7 days ago. I have realised I will loose a few posts. Nothing that I cant put back in 2 days.

I intend installing the secure version of drupal immediately the restore is over. Hopefully my site will be up by morning.

Site still down!. A restored backup did not solve the problem. I found to my dismay that the webhost had not backed up my files properly. Another, and an earlier backup is being done now.

The last resort would be to reinstall drupal and start putting back stuff manually from my last corrupt backup files. This is something I was dreading. It will keep me indoors all through the weekend. hate that.

Sorry.

Its been tough. Its increasingly becoming clear that I have to manually do stuff. Luckily the database was left untouched. It appears I have to manually upload everything after resetting the account. Painful.

The hosting company has not been very helpful. Thay had no backup of my account. They claimed to have restored my files from 2 different sys backups. Nothing changed.

I am going to manually delete files and reupload from my computer now. Horrible weekend this is. I just had to delve into the anatomy of the drupal database to find my posts. Thay are there still.

I think the hacker may have installed a script somewhere that destroys the files once they get restored

How does one hack into a website. I would love to hack nairaland to pieces and leave an even uglier message and a bigger skull
Thanks

binhozie:

How does one hack into a website. I would love to hack nairaland to pieces and leave an even uglier message and a bigger skull
Thanks

This must be funny. Anyway, i guess you wanted to add a humor amisdt the thick seriousness here

@poster,
you may want to apply some features i like to apply to most of my works.

most of these attacks come from SQL injection and remote file inclusion.
these seems to b the 2 main methods employed these days, though there are others methods. those methods tend to rip users and not take over sites
for sql injection issues, at the beginning of your code, check the url GETs or POSTs to see if it has been tampered with
then fopen ur .htaccess file and append "deny ip address" and same time, thats d logic, u can prepare the code
it will help also if you tell the user that you have restricted his ip address and also resolving his IP to his ISP and showwing him

even if he is on proxy, he will want to stop cos he knew u could take things serious and go fetching his real ip from the proxy company

if you run a VPS or dedicated server, try setting up a python script that reads the number of files in ur site directories
if u are bothered about wasting server resources, try reading the public_html directory for any changes in the number of files there
setup the script to run at system reboot, in ur code, u may watch for the exit of the python script and restart it, that ensures the script will always run for life.

u may wonder why read only that directory, the reason is because there is a 90% chance that in the process of trying to take over ur site, he moved a file there and ur python process shud catch it reset permission to that file, ban the user ip and email you.

web security these days has gone beyond puttin things right,
it is about taking extreme measures to not let some jobless dudes spoil ur fun.

i have this site i developed long time ago, and i get emails on a weekly basis notifying me of hack attempt.
though i no longer have access to the site, am glad i took that measure, else the guy would have called me by now

-Webdezzi

I think most likely an sql injection was responsible for this drama. Only now do I remember that I had allowed registered users the use of full html in creating text entries. It was an error but I suspect this could have been a vulnerability. Users should only be allowed plain text or limited html tags usage.

Another source could have been any of the modules/ plugins I installed. What puzzled me was that 3 different sites were affected simultheneously. Until someone identifies and reports a vulnerability. Some modules could remain a backdoor through which criminal hackers destroy a site.

I could also be that the attack was launched from any of the sites in the shared host am on. Am not going to blame Bluehost entirely but I did not get all the help I needed during this crises. Thier backup is completely useless.

I have completely reset my account. I am currently uploading stuff from my local backup. Should be ok by tommorrow. I have learnt my lesson.

I keep wondering what motivates someone to delibrately destroy someone else's work like this. I mean I could be depending on this for a living. Its not as if this hacker is getting any money out of this. Its just some devilish pleasure and bragging rights in some secret hacker's conclave.

I am now using the latest/ stable version of drupal 6. I will never ignore those security/update warnings again.

Goodluck.

Pls is this similar to what happened to naijazone.net because I haven't seen hair or hide of that site for some weeks now .

;d ;d ;d ;d ;d

Did the hacker leave an email address? 

You might have to contact him if he did. Sorry about what happened


Can you take your website offline temporarily, at least until you know you've fixed things?

You are not the first guy DZ-Z3RO has hacked. Hes quite famous over the internet, and I think he's algerian or so.
I ran a quick google search, hes almost everywhere.
Anyways just focus on damage control, and tighten up your security.
Cheers bro!

Albato:

I think most likely an sql injection was responsible for this drama. Only now do I remember that I had allowed registered users the use of full html in creating text entries. It was an error but I suspect this could have been a vulnerability. Users should only be allowed plain text or limited html tags usage.

Another source could have been any of the modules/ plugins I installed.  What puzzled me was that 3 different sites were affected simultheneously. Until someone identifies and reports a vulnerability. Some modules could remain a backdoor through which criminal hackers destroy a site.

I could also be that the attack was launched from any of the sites in the shared host am on. Am not going to blame Bluehost entirely but I did not get all the help I needed during this crises. Thier backup is completely useless.

I have completely reset my account. I am currently uploading stuff from my local backup. Should be ok by tommorrow. I have learnt my lesson.

I keep wondering what motivates someone to delibrately destroy someone else's work like this. I mean I could be depending on this for a living. Its not as if this hacker is getting any money out of this. Its just some devilish pleasure and bragging rights in some secret hacker's conclave.

I am now using the latest/ stable version of drupal 6. I will never ignore those security/update warnings again.

Opensource gives opportunity to learn how stuff works then vulnerabilities are found and exploited and posted. Script kids like the namma DZ-ZERO go out and look for a good testing ground. Sadly your site was a good ground to test his newly found toys.

With opensource a cracker has a mapped out plan since he knows just how it was done.
With closed source, the cracker only has a purpose and has to permute and combine different plans until one works. . .if it ever works and if he doesn't get exasperated.

Lets be careful with opensource, we are not the only ones who see the codes. While we read the codes from top to bottom, some crackheads are reading it from bottom to top.

tigerpaws:

Did the hacker leave an email address? 

You might have to contact him if he did. Sorry about what happened

Crackers are not scammers. They don't leave breadcrumbs just anyhow on the table.
There has to be something in bluehost's firewall logs or access logs to pin an IP address to the crime.

@Dualcore, you said it right, "crackheads" . The hacker prolly lives with his mum in the basement, has no social life and only reads code, lol, na dem go kolo carry gun shoot pesin
wey we go see am on CNN, lol

Just move on and learn from your lapses to be prepared for future occurrence.

lol,

Thanks everyone. I cant believe I made NL front page. I have to be honest, I've had a horrible weekend. I fell asleep yesterday uploading the backed up files. I just discovered its daylight now. Thats how hard I have been at work to recover from this DZ Z3RO hoodloom's pranks. I should be live today at least. I summary:

--- The hack happened because of a security vulnerability. No one is sure from where but these are possible sources.:--
I allowed the use of full HTML tags for registered users. This is a stupid move - it was not deliberate sha. One should never allow Full HTML or PHP. If you notice on NL here, you are allowed limited use of HTML. Only certain tags are allowed.

--- The attack could have come via another hosted site in the shared server. Until you are on your own dedicated server, this is something that can happen.

--- It could have been an sql injection attack. :  This is a sad reality as long as you are using contributed modules/ plugins that you did not write yourself. According to one person here, these hackers read the codes from down to up just to find and exploit vulnerabilities. Their motivation, a sick passion for destruction and a fake sense of power which they can never have in real live because of their antisocial lives.

---- Always make your own backups. Only now did Bluehost tell me their backup should not be relied upon. In other words, your site's safety is your responsibility. A backup at least every 2 days will not be too bad from now on. And again, keep a local copy on your computer. These hackers also compromise any backups they find within the vicinity of the attacked site.

--- Use the latest version of your CMS. They are always security tested and unlikely to have security holes. Otherwise, if you are good with coding, then build your own security systems.

tigerpaws:

Did the hacker leave an email address?  

You might have to contact him if he did. Sorry about what happened

Can you take your website offline temporarily, at least until you know you've fixed things?

Dual Core:


Crackers are not scammers. They don't leave breadcrumbs just anyhow on the table.
There has to be something in bluehost's firewall logs or access logs to pin an IP address to the crime.

I know     


A few hackers leave their email address on Hacked site; I know because I have seen it happen 

tigerpaws:

I know     


A few hackers leave their email address on Hacked site; I know because I have seen it happen 

Your sig is very funny and why are you hunting for promisee? The last time i checked his customers were in support of him.

tigerpaws:

A few hackers leave their email address on Hacked site; I know because I have seen it happen 

Those are not crackers, those are n00bs.

Pharoh:

Your sig is very funny and why are you hunting for promisee? The last time i checked his customers were in support of him.

Everything about her profile is scary that's why I'm talking to her a safe distance away from her claws.

Dual Core:

Everything about her profile is scary that's why I'm talking to her a safe distance away from her claws.

That is a very wise decisions and i will be following that as well from now on lol and not forgetting her user name.

There is a thread created for fighting cyber crimes in nigeria , so please you guys who are the experts should please come and join the others.

https://www.nairaland.com/nigeria/topic-436778.0.html

I want 2 post into d propertise list.pls can u help me out?

Jesus Christ, Have gone to pick up a book on security now, Who know's who is next, maybe DualCore

@OP
Did you report this at the Drupal official website ? They probably would have found you a fix.  I know people who are still running Drupal 4 without problems.

Did you check that you did not unknowingly permit users to use PHP code in posts ?

In any case PHP & MySQL was designed so that it won't be penetrated by the old SQL injection. In MySQL, when un-escaped values are passed, or if there are any incorrect syntax, it won't just process the request(sql command) and won't return any information about the database structure - so this won't give hackers any idea of how you designed your database.

In case of any error, this is handled by the mysql_error() function which is not shown by default and it's only up to the programmer to display it or not. And again, mysql_error() won't give any information about your database structure, it only shows a certain part where error occurred and an enough idea where a fix to the latter mistake should takes place.

From what I know about the culprit DZ-Z3R0 , what he/she does is compromise your database and make automated posting/spamming possible. He/she is more likely to work on blogging sites or article directory sites.

If hackers can hack computer systems like the US IRS and the US Marine Corps, I think that it's a little paranoid to worry about these people.

JUST LEARNING THINGS NW.

HABA

Just do like this that's all

Donpuzo:

Who know's who is next, maybe DualCore

Client sites on my server? well yea it will be due to their errors.
But my server itself? LOL the cracker should dream on. I don't stay online 22 hrs a day for nothing

I have noticed though, whenever I set up a new server crackers try to get in. I see a lot of attacks being blocked and I just sit with coffee while I watch them try. Funny I see attacks trying to get in from some Nigerian connections.

lol, Then u gasta inform your clients on some security measures na, Ejor ohhh me'ife loose site e' mi,

So Nigerians dey wicked too, I regularly get this mail, with some obvious SQL crack tricks of using Hypertext to get somefin, But some how, it does not work out for them,

Although my site security skill is not 100%, and i no dey stay online 22 hours

Sorry what do u do with the other 2 hours, don't tell me sleep?