Picture Of My Hacked Site And How I Resolved The Problem - Webmasters (2) - Nairaland


Re: Picture Of My Hacked Site And How I Resolved The Problem by DualCore1: 7:37pm On Jun 27, 2010
The other 2 hours are spent doing other things like. . . being on the phone, spending some quality time getting frustrated over a bug or Nigeria's crappy internet connections, going to pee, laying on the bed wondering what a swell life I woulda had without computers.


The Nigerian attacks I see come from MTN IPs most times. That's why MTN's internet service is just cursed.
Re: Picture Of My Hacked Site And How I Resolved The Problem by Albato(m): 1:09am On Jun 28, 2010
smiley
I finally got the site up again. I have worked all through the weekend. I have re-loaded up to 80% of my old posts. It's been a gruelling task. I lost some of the functionalities on the site but I will bring these back as time goes on.

- I am now using the latest version of Drupal 6.
- I updated all modules to the latest and secure versions.
- I have also disabled all HTML for users.
- I have disabled user registration for now until I sort things out.

Hopefully this hacker will stay out of my way.

Thanks everyone for your concern.
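An added worked example, not from Albato or any other poster in this thread: a small Python inventory of a Drupal 6 code base that follows up the "update core and all modules" step in the post above. It reads the core VERSION constant from modules/system/system.module and the version line of every contributed module's .info file under sites/all/modules, then flags a core older than the release you pass in, -dev snapshots, and modules with no project/version line (hand-copied or locally edited code that the update checker cannot match to a release). The sample tree is constructed here and the version numbers in it are illustrative, not the releases that were current in 2010.

```python
import os
import re
import tempfile

# Constructed sample tree (not a real site). Assumes the standard Drupal 6
# layout: core version in modules/system/system.module, contributed modules
# under sites/all/modules with a .info file each.
SAMPLE_FILES = {
    "modules/system/system.module": "<?php\ndefine('VERSION', '6.16');\n",
    "sites/all/modules/views/views.info":
        'name = Views\nproject = "views"\nversion = "6.x-2.11"\ncore = 6.x\n',
    "sites/all/modules/cck/content.info":
        'name = Content\nproject = "cck"\nversion = "6.x-2.9"\ncore = 6.x\n',
    "sites/all/modules/foo/foo.info":
        'name = Foo\nproject = "foo"\nversion = "6.x-1.x-dev"\ncore = 6.x\n',
    # No project/version line: a hand-copied or edited module, no update path.
    "sites/all/modules/bar/bar.info": "name = Bar\ncore = 6.x\n",
}

def write_sample_tree(root):
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

def core_version(root):
    """Return the core VERSION constant, e.g. '6.16', or None if not found."""
    path = os.path.join(root, "modules", "system", "system.module")
    with open(path) as fh:
        m = re.search(r"define\('VERSION',\s*'([^']+)'\)", fh.read())
    return m.group(1) if m else None

def _info_fields(path):
    """Parse the simple key = value lines of a .info file."""
    fields = {}
    with open(path) as fh:
        for line in fh:
            m = re.match(r'\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$', line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
    return fields

def module_inventory(root):
    """List contributed modules as (directory, project, version)."""
    base = os.path.join(root, "sites", "all", "modules")
    found = []
    for dirpath, _, files in os.walk(base):
        for name in files:
            if name.endswith(".info"):
                f = _info_fields(os.path.join(dirpath, name))
                found.append((os.path.relpath(dirpath, base),
                              f.get("project"), f.get("version")))
    return sorted(found)

def _vtuple(version):
    """'6.16' -> (6, 16) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", version))

def audit(root, current_core):
    """Return the findings a site owner should act on."""
    findings = {"core_outdated": False, "dev_snapshots": [], "unversioned": []}
    core = core_version(root)
    if core is None or _vtuple(core) < _vtuple(current_core):
        findings["core_outdated"] = True
    for directory, project, version in module_inventory(root):
        if not project or not version:
            findings["unversioned"].append(directory)
        elif version.endswith("-dev"):
            findings["dev_snapshots"].append(directory)
    return findings

def run_sample(current_core="6.17"):
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        return core_version(root), module_inventory(root), audit(root, current_core)

if __name__ == "__main__":
    core, modules, findings = run_sample()
    print("core:", core)
    for item in modules:
        print("module:", item)
    print(findings)
```

Point it at a real webroot instead of the temporary tree to use it; the core version you compare against is whatever the current Drupal 6 security release is, taken from drupal.org at the time, not hard-coded.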
Re: Picture Of My Hacked Site And How I Resolved The Problem by DualCore1: 4:16am On Jun 28, 2010
Albato:

Hopefully this hacker will stay out of my way.
Hopefully he is not seeing your last post about your work in progress grin
Re: Picture Of My Hacked Site And How I Resolved The Problem by Albato(m): 5:43am On Jun 28, 2010
Dual Core:

Hopefully he is not seeing your last post about your work in progress  grin

grin

Honestly I have this paranoid feeling he is watching and having a laugh.
Re: Picture Of My Hacked Site And How I Resolved The Problem by DualCore1: 6:04am On Jun 28, 2010
When you're done and you are armed to the teeth, put this on the site. "This site cannot be defaced by Z3RO! Shame to the poor little bastardo in the basement. Algerian cracker kids suck as much donkey balls as Algerian footballers"  tongue


Either of two things may happen. He either tears your site to pieces (I don't think he can, Drupal ain't stupid) or he slams his monitor against the wall and starts crying in frustration. grin
Re: Picture Of My Hacked Site And How I Resolved The Problem by cruworld(m): 7:52am On Jun 28, 2010
Your site was defaced.
Re: Picture Of My Hacked Site And How I Resolved The Problem by Albato(m): 10:03am On Jun 28, 2010
tigerpaws:

Did the hacker leave an email address? You might have to contact him if he did.

I have heard of some hackers defacing a site and then demanding a ransom in order to free the site. These ones leave a contact. Of course you cannot trace them easily. They obviously route everything through some captured bot computer's IP.

Looking at the photo of the hack, there is some jargon on there that I think resembles how he accomplished his act, or contact details.

Oh yes, I did try to find him on the net because I wanted to avoid the gruelling work of reactivating my site manually (which I had to do in the end). He was untraceable. The only details I found led to hacker forums. I found this guy has wrecked many dreams. On one site they actually had a scoreboard of who has defaced the most websites. It's appalling that these guys get a kick from ruining people's livelihoods and dreams.

I lost 6 sites in this attack. My wordpress sites were ok but the support staff at bluehost told me he could have left a hidden script somewhere. I therefore reset the account to zero. The next 1 month will be for rebuilding again.
Re: Picture Of My Hacked Site And How I Resolved The Problem by emonkey(m): 12:32pm On Jun 28, 2010
Albato:

I have heard of some hackers defacing a site and then demanding a ransom in order to free the site. [...] I lost 6 sites in this attack. My wordpress sites were ok but the support staff at bluehost told me he could have left a hidden script somewhere. I therefore reset the account to zero. The next 1 month will be for rebuilding again.


I don't completely doubt the veracity of your story but a few things baffle me:
1. Why would a determined hacker attack a Drupal 6 site and leave WordPress sites alone, considering that WordPress scripts are notoriously more vulnerable to attack by spammers? He must really like a hard life.
2. DoS attacks do not work this way at all. Your screenshot only reveals server info and, well . . . nothing else.
3. If Bluehost cannot tell you for certain if he/she had "left a hidden script somewhere", there is something wrong with their service and I suggest you buy from a different hosting company.
Re: Picture Of My Hacked Site And How I Resolved The Problem by Albato(m): 1:06pm On Jun 28, 2010
e-monkey:

1. Why would a determined hacker attack a Drupal 6 site and leave WordPress sites alone, considering that WordPress scripts are notoriously more vulnerable to attack by spammers?
An attack focused on a single CMS is very common. In this case, I was running a non-secure version of Drupal 6. Whatever scripts he must have run targeted just this CMS. No CMS is free of vulnerabilities as long as it's open source. Again, contributed modules/plugins may be insecure.

e-monkey:

2. DoS attacks do not work this way at all. Your screenshot only reveals server info and well . . . nothing else.
This was not a Denial of Service (DoS) attack. He basically "defaced" the site. He replaced my website's executable files with his. I have been reading up on this form of attack. All fingers seem to point at the hosts themselves. A weak host security may have led to this fracas. I know Bluehost will never own up to it but I think I may not be the only one whose site was attacked.

e-monkey:

3. If Bluehost cannot tell you for certain if he/she had "left a hidden script somewhere", there is something wrong with their service and I suggest you buy from a different hosting company.

I actually left another host for Bluehost around one year ago when I lost my sites because a support staff overwrote them with an old backup. No host is safe from these hackers. After all, the Pentagon and Twitter have all been hacked before.

Bluehost have been ok but this issue opened my eyes to a lot. They claim they perform a sys backup every now and then. When this backup was restored during this crisis, it emerged that nothing was stored for my websites. They now pointed me to some legal stuff about how customers had been told not to rely on these backups. "When wahala come, dem begin quote law". I have realised in a hard way that backing up is my responsibility. I have started saving for a robust external hard drive.

Another important safeguard is to change all passwords: FTP, cPanel, website etc. This should be done regularly, especially after an attack. Sometimes hackers gain access to a server via your personal computer. Cookies on your PC have login records - including your FTP password. A smart hacker can access these from a remote location, log in and wreak havoc.

Passwords are stored in cookies when you click the "remember me" check box common on login screens. A hacker could be waiting next time you want to click that "remember me" box smiley
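An added worked example, not Albato's or Bluehost's code: the practical consequence of "backing up is my responsibility" is not just taking a copy but proving that the copy restores. This Python script archives a constructed site tree (plus a db.sql stand-in for the mysqldump output it assumes you have already written, since the file tree alone does not restore a Drupal or WordPress site), records a SHA-256 manifest at backup time, then restores the archive into scratch space and checks every file against that manifest. It also reproduces the two failure modes the post above describes: an archive that turns out to contain nothing, and a later backup that silently lacks a file that was present earlier.

```python
import hashlib
import os
import tarfile
import tempfile

# Constructed site files (not the site's real content). Assumes the database
# has already been dumped to db.sql with mysqldump before the archive is built.
SAMPLE_SITE = {
    "public_html/index.php": "<?php require_once './includes/bootstrap.inc';\n",
    "public_html/sites/default/settings.php":
        "<?php $db_url = 'mysqli://user:pass@localhost/site';\n",
    "public_html/sites/default/files/logo.png": "not-really-a-png\n",
    "db.sql": "CREATE TABLE node (nid int);\nINSERT INTO node VALUES (1);\n",
}

def write_sample_site(root):
    for rel, body in SAMPLE_SITE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            out[os.path.relpath(path, root)] = sha256_file(path)
    return out

def make_backup(root, archive_path):
    """Write root to a .tar.gz and return the manifest taken at backup time.
    Keep the manifest with the archive, off the host: it is what lets a later
    restore be checked instead of trusted."""
    man = manifest(root)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in sorted(man):
            tar.add(os.path.join(root, rel), arcname=rel)
    return man

def verify_backup(archive_path, expected):
    """Restore the archive into scratch space and compare every file's hash
    with the manifest. Returns a list of problems; empty means the backup
    really restores what it claims to hold."""
    problems = []
    with tarfile.open(archive_path, "r:gz") as tar:
        members = [m for m in tar.getmembers() if m.isfile()]
        if not members:
            return ["archive contains no files"]
        # Refuse member names that would escape the scratch directory.
        for m in members:
            if m.name.startswith("/") or ".." in m.name.split("/"):
                return ["unsafe member name: " + m.name]
        with tempfile.TemporaryDirectory() as scratch:
            tar.extractall(scratch, members=members)
            restored = manifest(scratch)
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append("missing: " + rel)
        elif restored[rel] != digest:
            problems.append("corrupt: " + rel)
    return problems

def run_sample():
    """Three cases: a good backup, an empty one (the 'nothing was stored'
    surprise), and a later backup taken after a file had silently gone."""
    with tempfile.TemporaryDirectory() as work:
        site = os.path.join(work, "site")
        os.makedirs(site)
        write_sample_site(site)
        good = os.path.join(work, "good.tar.gz")
        expected = make_backup(site, good)
        good_result = verify_backup(good, expected)

        empty_src = os.path.join(work, "empty")
        os.makedirs(empty_src)
        empty = os.path.join(work, "empty.tar.gz")
        make_backup(empty_src, empty)
        empty_result = verify_backup(empty, expected)

        os.remove(os.path.join(site, "public_html/sites/default/settings.php"))
        later = os.path.join(work, "later.tar.gz")
        make_backup(site, later)
        later_result = verify_backup(later, expected)
    return good_result, empty_result, later_result

if __name__ == "__main__":
    for label, result in zip(("good", "empty", "later"), run_sample()):
        print(label, "->", result or "OK")
```

The manifest is the part most people skip: an archive that lists and extracts cleanly can still be missing the one file you need, and only a record taken at backup time tells you so before the day you actually have to restore.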
Re: Picture Of My Hacked Site And How I Resolved The Problem by DualCore1: 2:08pm On Jun 28, 2010
I have a question. Can a cracker pose as a good guy and share his extensions and plugins (that are malicious) to the open CMS community? Is there anything like QA/QC on modules?
Re: Picture Of My Hacked Site And How I Resolved The Problem by yawatide(f): 3:41pm On Jun 28, 2010
I am coming out of a self-imposed exile only to address a particular issue which I think has been misconstrued here, so that we all know that there is more than one option and we can all learn from one another, though one may be disadvantageous over the other.

Yes they can. This is why, if you note, the Drupal, Joomla, etc. websites give a disclaimer stating that you should be wary of any plug-in, free or commercial, posted on their site. They are not responsible for any damage caused to your system/app. The only trusted ones are the ones that come directly from the authors of such CMS tools.

Bottomline: *Always* upgrade your version of CMS with the latest security patches. The authors don't come up with these patches for nothing.
Re: Picture Of My Hacked Site And How I Resolved The Problem by emonkey(m): 3:51pm On Jun 28, 2010
Albato:

. . .

Another important safeguard is to change all passwords: ftp, cpanel, website etc. This should be done regularly. Especially after an attack. Sometimes hackers gains access to a server via your personal computer. Cookies on your PC have login records - including your ftp password. A smart hacker can access these from remote location, log in and wreck havoc.

Passwords are stored in cookies when you click the "remember me" check box common on login screens. A hacker could be waiting next time you want to click that "remember me" box  smiley

Now that's getting extremely paranoid  

Dual Core:

I have a question. Can a cracker pose as a good guy and share his extensions and plugins (that are malicious) to the open CMS community? Is there anything like QA/QC on modules?

I have worked with Drupal for 5 years and as far as I know, you need to have "inside help" to get bad code on the official web site as downloads. Modules are double tested and double hacked by geniuses before they are accepted. Even something as harmless as documentation goes through the same QA/QC treatment. That is one of the reasons why even the White House website runs on Drupal. No sir, very little chance of a good or bad guy being that lucky. At least not someone who is so insane as to go hacking through someone else's PC firewall just to get login details for their server and then selectively trash websites. grin
Re: Picture Of My Hacked Site And How I Resolved The Problem by Albato(m): 5:16pm On Jun 28, 2010
Dual Core:
I have a question. Can a cracker pose as a good guy and share his extensions and plugins (that are malicious) to the open CMS community?

Absolutely YES !!!

Conspiracy theorists claim the big software firms do that. It's claimed they have secret key combinations that allow them to bypass any security built into their own software. Game developers commonly used this trick to install stealth programs, spyware etc. Beware of all those free games on the net. They do contain spyware.

I remember this secret game that used to be on the "About" page of Microsoft Office (Word or Excel). I've forgotten the key combination we used to bring it up but it was a game where you walked along a wall top using the arrow keys. I think it was called "hall of lost souls". Something like that. Did anyone see it? I mean, why does Microsoft Office have a hidden game on the "About" page? What other secret plugins are there? How would you have known a game was there?

Dual Core:
Is there anything like QA/QC on modules?
Of course there is quality assurance. Before a module is finally released, it has to go through alpha, beta, etc. testing. CMSs like Drupal clearly indicate what stage a module is at. Using an alpha or beta stage module is at your own risk.

Even approved modules do contain vulnerabilities. Once found, the maintainers create a "patch" to tackle it. It's your responsibility as a site owner to download and install these "improved" security updates.

Built into most CMSs too (including Drupal) is a utility that highlights modules that currently have a newer version or security update. It's left for website owners to install them - if you like.

@e-monkey:
I think it's only natural to change all passwords after a hacker attack. Again, disabling cookies is a well known security measure. Stealth programmes have been known to use cookies to devastating effect. I guess I am a bit paranoid after what happened. Would you not be, after losing 6 sites in one weekend? undecided
Re: Picture Of My Hacked Site And How I Resolved The Problem by 1luvkipsus: 12:14pm On Jun 30, 2010
I no even understand sef.
Re: Picture Of My Hacked Site And How I Resolved The Problem by felifeli: 2:38pm On Jun 30, 2010
Actually this post would have looked less contrived if the poster had used a screen capture which shows the browser rather than any old picture which could have been gotten from anywhere. As it is, this is how the whole business looks:

Poster : Yee! everybody come look my site ; somebody don spoil am. Yeeparipa!

Everybody : Make we go look the mugu site. Him own don spoil

(people like bad news. So the site gets a massive 3000 extra  hits in a couple of days without a penny spent on advertisement )

I must also use this method when I finally get my dream site up and running  grin

Me : Everybody my friend him own don spoil too o !! Come look am http://www.yorubaland.org grin

Dis Nairaland don tire me sef. Na so so rumour dry full front page.
Re: Picture Of My Hacked Site And How I Resolved The Problem by manny4life(m): 12:36am On Jul 01, 2010
felifeli:

Actually this post would have looked less contrived if the poster had used a screen capture which shows the browser rather than any old picture which could have been gotten from anywhere. [...]

Dude, if you have nothing better to say, stop mimicking him, ok. I don't know about site hacking because I don't have one, but I can tell you I almost got fired from my job this year sometime in Feb/Mar because someone, someplace from NL tried to pull a fast one on me. I'm no computer expert, but when OCIO called my boss, reporting an unusual activity after which my network security access was denied, then I knew what was going on. Now I no longer access NL or any other Nigerian site from work; besides, it's denied anyway, OCIO blocked all those sites.
Re: Picture Of My Hacked Site And How I Resolved The Problem by bug24(m): 4:23am On Jul 01, 2010
These guy will not rest.
Re: Picture Of My Hacked Site And How I Resolved The Problem by Albato(m): 9:40am On Jul 01, 2010
felifeli:
Actually this post would have looked less contrived if the poster had used a screen capture which shows the browser rather than any old picture which could have been gotten from anywhere.
You would not have made this pathetic insinuation if you had first read through the posts from the beginning. Nairaland on their own decided this post needed to be on the front page - hence the large number of hits. I can't apologise for that. Again, read through my postings and see if they sound genuinely distressed or not.

Did you try to access the site on the day I posted the first message? Were you even here then? The site was there for the world to see. It remained defaced for at least 2 days while I battled to bring things back to normal. Long enough to prove I did not just lift the picture from anywhere. Search for DZ Z3R0 on the internet to see if he actually exists.

felifeli:
(people like bad news. So the site gets a massive 3000 extra hits in a couple of days without a penny spent on advertisement )
You cant blame me for this. I will not apologise either. NL decided my post was good enough to grace the home page. Moreover, this conversation has been quite enlightening as there are a lot of useful tips in it.

Enough said. Thanks to everyone who made a meaningful contribution to this conversation. That kept me going and offered a challenge to restore what was spoilt. Most of all thanks to NL for offering us this beautiful platform for interaction.
Re: Picture Of My Hacked Site And How I Resolved The Problem by felifeli: 8:52pm On Jul 01, 2010
@poster
I said this is how it "looks" not this is how it is. Grammar. No need to be defensive, if it works for you then good luck.
Re: Picture Of My Hacked Site And How I Resolved The Problem by DualCore1: 1:47am On Jul 02, 2010
^^ just leave the thread in peace.
Re: Picture Of My Hacked Site And How I Resolved The Problem by emonkey(m): 9:48am On Jul 02, 2010
^^^
Actually, I also thought the story didn't quite compute. It should be a no-brainer for a server administrator to locate a rogue script and isolate it, but if Dualcore is not complaining, who am I? I sent the link for this thread to the hosting company though, so that they can improve on their security, especially since they have Drupal on install through Fantastico. Let's be our brothers' helpers. I could have advised a move to 1and1, but for this kind of problem they will permanently disable your site until you tell them how you plan to solve the problem. grin The other bit about Drupal was a hoot however. 3 Drupal sites in one fell swoop!! Were you running on a multi-domain or multi-site install, dude? undecided undecided
Re: Picture Of My Hacked Site And How I Resolved The Problem by Slyr0x: 2:50pm On Aug 24, 2010
Just stumbled on this thread and did a background check.

Albato, it seems you have vulnerabilities of your own, but this 'hack' was a server one.

Saw the defacement and went straight to where other fame-seeking hax0rs/kiddies/n00bs get to show off, and that took me to http://www.zone-h.com/ . Did a check on the character 'Dz-z3r0' and came up with http://www.zone-h.com/archive/notifier=DZ-Z3R0 . The dude's had a fair share of hacks/defacements to his name, totalling 1249 (that's quite huge!).

www.technuzu.com is hosted on 66.147.242.199 among 388 other domains. Looking at other websites defaced on the same day, 2010/06/25, by DZ-Z3R0 shows:

http://www.zone-h.com/archive/ip=66.147.242.199

www.onlinecashwatch.com
www.technuzu.com
www.wanjaka.com
www.osikapa.com
www.bestsellingvacuumcleaners.com
www.fotomumu.com

A reverse ip check on each shows they are being hosted by Bluehost Inc. running OS 'Linux' and Webserver 'Apache/2.2.15 CentOS mod_ssl/2.2.15 0.9.8l DAV/2 mod_auth_passthrough/2.1 FrontPage/5.0.2.2635' .

Now one of the 6 above-listed domains is vulnerable,

So this is more a case of a shell being uploaded to one of 'em, giving r00t access to the rest.

Now to your 'What steps to take to avoid being hacked': you can add 'Get your domain off that shared server', as that narrows the risk.

And I read someone say 'Did he leave an email addy?'. Well, here it is (I doubt anything good will come of you mailing him):

http://www.zone-h.com/mirror/id/11285605

DZ.Z3R0 [AT] GMAIL [DOT] COM
DZ.Z3R0 [AT] YAHOO [DOT] COM
DZ-Z3R0 [AT] HOTMAIL [DOT] FR
Pseudonyme de Skype: DZ-Z3R0

Re: Picture Of My Hacked Site And How I Resolved The Problem by whiteroses(f): 7:09pm On Jan 20, 2011
chineke see all this cyber wizkids i nor even fit reset a password and the hecks a dualcore?
Re: Picture Of My Hacked Site And How I Resolved The Problem by dansmog(m): 6:44pm On Apr 19, 2012
nice one grin
Re: Picture Of My Hacked Site And How I Resolved The Problem by Peterson1993(m): 12:23am On Apr 21, 2012
Woo...!!! I never knew nairaland was this great all along. Bundled and packed with talented and intelligent nigerians. Been wasting my time on facebook and 2go all this while...Dem.! OMG

Nairaland - Copyright © 2005 - 2024 Oluwaseun Osewa. All rights reserved.