Yeap I got defaced

by Jeremy Schoemaker on October 12, 2006 · 42 comments

Between 7am and 10am this morning the website looked like this:

[image: shoemoney defaced]

As soon as I saw it had been defaced I took the server offline (about 10am). Imaged it, then had the drive reimaged with a fresh clean OS. Then I started to restore from tape backup. While restoring I went through the old logs and figured out the person got in from a phpbb2 exploit. Basically they were able to execute code on the server as the webserver user, and this also means they were able to delete files and replace files owned by the webserver user…

Now why would I run phpbb2? Well… I was hosting for a friend =(. It's probably a good thing this happened cause I also realized I was hosting about 80 other sites for free that were for family and friends but I am responsible for keeping them updated (which of course I lapsed) so ok everyone off!

I REALLY want to thank all the readers and friends out there who put out the ShoeSignal to notify me that my site had been defaced. I had been up all night working on some stuff and did not notice it until someone called my home number.

I had 52 emails, 16 voice mails, 13 SMS text messages from friends telling me my site had been defaced. Thank you ;)



{ 35 comments }

1 SEOidiot

Glad to see you're back – at least it was an attack that could be prevented for next time

2 RSnake

Sucks. It happens to almost everyone at some point. Just make sure they didn’t leave anything in cron. If you didn’t completely delete the drive and start over from a restored copy there’s no way to know if you’ve gotten rid of them for sure. Thankfully most rootkits these days are easy to find and destroy, but there are a few that are far less so.

3 Aaron Shear

What a bummer, these guys should be shot!

4 brad

Glad you got your blog back up man! I was really bummin’ when your domain kept timing out.

5 Nils

yea sure, hackers should be shot.. dumbass

6 dillsmack

“Imaged it then had the drive reimaged with a fresh clean OS.”

We don’t mess around with hacked servers.

7 Aaron Shear

Ewww I hit a nerve! ;-)

I take defacing of sites seriously, in my opinion it's just as bad as keying or spray painting someone's car out of jealousy. But I guess you're one of those poor guys who drives around in a beat-up Civic desperate for attention.

8 Dave

Happens to the best of us mate. Lesson learned. Good job on getting back on your feet so quick.

9 Mike Seiler

This is why I like to make my sites look like they were designed by a retarded monkey. That way, if someone defaces it, either no one will notice–or they’ll think I came up with a better redesign. ;)

10 Nils

So if you spray paint someone’s car you should be shot too?
I didn’t demand to shoot hackers and post my URL so who’s desperate for attention?
And nah, you didn’t really hit a nerve, I just thought it was a pretty stupid thing to say.
I drive a VW btw.

11 Tracy

I just thought, hey, Shoe finally tried the Red on black motif, but couldn’t figure out what the writing said or why he suddenly had hair. Figured maybe it was some kind of radical rogaine ad that Shoe was doing in Turkey before he unleashed it to the states.

12 Eolai

I got the word from DaveN’s posting. Nicely communicated.

13 Mike

Glad to see you back, Shoemeister. Glad to have you online again.

What are your plans to prevent this happening again? I mean, apart from ditching the 80 sites ;) ?

14 mascix

it was nothing serious, they like to tell the whole world the French make mistakes sometimes :D

and I think they chose this site because this one gets good hits

Regards

15 Chis

Damn I missed it! I saw at work today my live bookmarks were down for your site, but didn’t try the URL until you had it down.

Well I suppose, as long as everything is back to normal, it'll be a nice bit of link bait for you ;)

16 arthur

welcome back!

17 alek

You got some good backups Shoe – doesn’t appear you missed a post from the time between your last backup and the hack.

BTW, are you really using tapes … or complementing with some near-line backup to another server/disk?

18 Abhishek Tripathi

Wow barely 2 days after I wrote about the Yahoo Hijacker Trojan that this crap happens.

I was looking at the malicious script that the skiddie placed onto your site to infect other people and apparently, it redirected them to another site after 10 seconds and from there to an html page that tried downloading a Java archive onto the user's computer. Now here comes the pain, I suck at Java and so it's all Greek to me. (I suck at Greek too). I have forwarded it to a friend and when I get to hear from him, I'll blog about this in detail. :)

The codes on this html page that called the Java archive, when Googled, rendered results and were mentioned on quite a few pages. The attacker, Iskorptix a.k.a Jduke aka Mr. Kadir Basol is an old Turkish Hacker (Or so it appeared from his Pic that I got). He has a dedicated fan page and a dedicated hate page. He was involved with a trojan that he coded which was called the “Kadir Basol Devastator”. Attention Seeker …lol

Anyways good to have you back … Cheers!

Abhishek

19 GeorgeB

Getting hacked is gay…. :(

20 Can

Welcome back
I am also a Turk who reads shoemoney via RSS, and at DP. You must know that I am against all this hacking stuff, not important who did it or why, but I am also trying to understand why he chose your site; are you French oriented or a sympathizer?

I read an interview about him in a famous local newspaper before and learnt that he is not a script kiddie who hacks one website but he has some world record like hacking a thousand websites in an hour. I followed the article at threadwatch and saw he had hacked 21,548 websites yesterday besides yours.
He left a note in French because there was a non-democratic vote in the French senate about Armenians and Turks which makes France not a freedom country and makes Turks barbarians.

At last, one more time I'm saying to make it clear I'm against all hackers, hacking stuff and don't care about politics

Have a nice day all

21 Kn10

Photo Gallery seems to be down still?

22 Hsufeng

What do you recommend for image and tape backup? Is it easy?

23 kemal

It's very interesting. I am also a Turk who is interested in internet marketing. When I saw shoemoney.com yesterday, I was very surprised. But I can't understand why he chose your site, because u r a good american :)
I don't like France, the French or their decision yesterday either. I also won't buy any French goods. But I find the hacking of shoemoney.com yesterday was very silly as a criticism

24 sandossu

sorry to see that, this kind of hackers suck big time and phpbb sucks more

25 Aaron Shear

I know where you stand; we are allowed to have a difference of opinion. You and I have different opinions, yes when people spray paint cars, usually it’s to gain attention and they “TAG” it with their call sign. Just the same as tagging a wall.

Your points just went way up with me with the VW thing. ;-) Since I am big into the VW/AUDI/PORSCHE racing circuit.

26 Jonathan

Feels like we’re back in grade school now… “oh, sweet, I can hack that site!!!!!111″ Honestly, grow some balls, this is not web 1.0 anymore.

27 Computer Repair Lincoln Nebraska

Glad to see all is well again in shoemoney land. If it is not being too nosy, can you give an idea of what the defacement cost you? Hundreds, thousands, etc…?

28 ShoeMoney

cost me nothing. this server doesn't have much on it but my blog and a few other sites that I am playing around with.

To be honest it's probably a really good thing that it happened. I had about 80 or so sites on this box that were totally abandoned or I wanted to dump anyway. This just gave me a kick in the pants in that department

29 Fredto

The only funny part about that is the hacker himself.

His French sucks so much, my eyes still bleed ;p

Glad to have ye back, Shoe.

30 john

which version of PHPBB2 were you using? The reason I ask is because I too have a PHPBB2 and want to avoid going through what you went through. Is there a fix out there?

Glad to see you are back!

31 wesley

was it the latest version of phpbb you had? Are there exploits out there that aren’t yet fixed by phpbb team?

32 Zeeshan

This type of attack could have been contained to only that specific Web site (your friends’) if PHP was executed in such a fashion that it had to adhere to a non-Apache user and group.

Often people run PHP via mod_php and therefore scripts inherit the UID/GUID of Apache, which is very unsafe, causing one script to be faulty and have all of the remaining sites get affected or have their private contents easily read (say database login information in a PHP configuration script).

You can apply a patch to suexec to execute the PHP under CGI mode to get back security, or if you wish to get security and performance, use FastCGI, which exceeds the performance of mod_php while giving back application safety.

View http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html for more information. Lighttpd, an alternative to Apache, has native support to run PHP via FastCGI and can be found at http://www.lighttpd.net/ .

Good luck.
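
The shared-user problem Zeeshan describes, as an added Apache configuration example (not from this post or any commenter): the first fragment is the mod_php layout where every site's scripts run as the Apache user, the second runs each vhost's PHP as a CGI under mod_fastcgi with suexec so one compromised site runs as its own account. It assumes Apache 2.2 built with suexec, mod_fastcgi and a php-cgi binary; the hostnames, paths and the forumuser/forumgroup account are placeholders.

```apacheconf
# --- Weak layout: mod_php, every site's PHP runs as the Apache user ---
# Code execution through any one site's PHP (a forum, say) lands in a
# www-data process that can read or rewrite every other site's files.
LoadModule php5_module modules/libphp5.so
AddType application/x-httpd-php .php

<VirtualHost *:80>
    ServerName forum.example.com
    DocumentRoot /var/www/forum
</VirtualHost>

<VirtualHost *:80>
    ServerName blog.example.com
    # the same www-data process serves and can write this tree too
    DocumentRoot /var/www/blog
</VirtualHost>

# --- Hardened layout: PHP as CGI via mod_fastcgi + suexec ---
# Each vhost gets its own Unix account that owns only its DocumentRoot;
# the Apache user keeps read access and nothing more.
LoadModule suexec_module  modules/mod_suexec.so
LoadModule fastcgi_module modules/mod_fastcgi.so
# hand FastCGI process startup to the suexec binary compiled into Apache
FastCgiWrapper On

<VirtualHost *:80>
    ServerName forum.example.com
    DocumentRoot /var/www/forum
    # placeholder account; must own /var/www/forum and the wrapper below
    SuexecUserGroup forumuser forumgroup
    AddHandler php-fcgi .php
    Action php-fcgi /fcgi-bin/php-wrapper
    Alias /fcgi-bin/ /var/www/forum/fcgi-bin/
    <Directory /var/www/forum/fcgi-bin>
        Options +ExecCGI
        SetHandler fastcgi-script
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
# /var/www/forum/fcgi-bin/php-wrapper, owned by forumuser, mode 0750,
# not group- or world-writable (suexec refuses it otherwise):
#   #!/bin/sh
#   exec /usr/bin/php-cgi
# Repeat the second block per vhost with a distinct SuexecUserGroup.
```

suexec also enforces its compile-time document root and minimum UID/GID, so the per-site accounts and paths have to satisfy those checks or the wrapper will be refused in the suexec log.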

33 Richard Overvold

Man, I heard he showed a defaced site to get attention. This true Shoe? ;)

34 Mike Mothner

I guess looking at it positively, it’s an honor to be worth defacing!

35 coop

damn… I didn't know there was that big of a vulnerability in phpbb
