Yeap I got defaced

by Jeremy Schoemaker on October 12, 2006 · 42 comments

Between 7am and 10am this morning the website looked like this:

(image: shoemoney defaced)

As soon as I saw it had been defaced I took the server offline (about 10am), imaged it, then had the drive reimaged with a fresh clean OS. Then I started to restore from tape backup. While restoring I went through the old logs and figured out the person got in through a phpbb2 exploit. Basically they were able to execute code on the server as the webserver user, which also means they were able to delete and replace files owned by the webserver user…

Now why would I run phpbb2? Well… I was hosting it for a friend =(. It’s probably a good thing this happened because I also realized I was hosting about 80 other sites for free for family and friends, and I am responsible for keeping them updated (which of course I lapsed on), so ok, everyone off!

I REALLY want to thank all the readers and friends out there who put out the ShoeSignal to notify me that my site had been defaced. I had been up all night working on some stuff and did not notice it until someone called my home number.

I had 52 emails, 16 voice mails, and 13 SMS text messages from friends telling me my site had been defaced. Thank you ;)

1 SEOidiot October 12, 2006 at 3:08 pm

Glad to see you’re back – at least it was an attack that can be prevented next time

2 RSnake October 12, 2006 at 3:15 pm

Sucks. It happens to almost everyone at some point. Just make sure they didn’t leave anything in cron. If you didn’t completely delete the drive and start over from a restored copy there’s no way to know if you’ve gotten rid of them for sure. Thankfully most rootkits these days are easy to find and destroy, but there are a few that are far less so.

3 Aaron Shear October 12, 2006 at 3:23 pm

What a bummer, these guys should be shot!

4 brad October 12, 2006 at 3:28 pm

Glad you got your blog back up man! I was really bummin’ when your domain kept timing out.

5 Nils October 12, 2006 at 3:29 pm

yea sure, hackers should be shot.. dumbass

6 dillsmack October 12, 2006 at 3:45 pm

“Imaged it then had the drive reimaged with a fresh clean OS.”

We don’t mess around with hacked servers.

7 Aaron Shear October 12, 2006 at 4:01 pm

Ewww I hit a nerve! ;-)

I take defacing of sites seriously; in my opinion it’s just as bad as keying or spray painting someone’s car out of jealousy. But I guess you’re one of those poor guys who drives around in a beat-up Civic desperate for attention.

8 Dave October 12, 2006 at 4:03 pm

Happens to the best of us mate. Lesson learned. Good job on getting back on your feet so quick.

9 Mike Seiler October 12, 2006 at 4:21 pm

This is why I like to make my sites look like they were designed by a retarded monkey. That way, if someone defaces it, either no one will notice–or they’ll think I came up with a better redesign. ;)

10 Nils October 12, 2006 at 4:49 pm

So if you spray paint someone’s car you should be shot too?
I didn’t demand to shoot hackers and post my URL so who’s desperate for attention?
And nah, you didn’t really hit a nerve, I just thought it was a pretty stupid thing to say.
I drive a VW btw.

11 Tracy October 12, 2006 at 5:29 pm

I just thought, hey, Shoe finally tried the Red on black motif, but couldn’t figure out what the writing said or why he suddenly had hair. Figured maybe it was some kind of radical rogaine ad that Shoe was doing in Turkey before he unleashed it to the states.

12 Eolai October 12, 2006 at 5:51 pm

I got the word from DaveN’s posting. Nicely communicated.

13 Mike October 12, 2006 at 6:06 pm

Glad to see you back, Shoemeister. Glad to have you online again.

What are your plans to prevent this happening again? I mean, apart from ditching the 80 sites ;) ?

14 mascix October 12, 2006 at 6:36 pm

It was nothing serious, they like to tell the whole world that the French make mistakes sometimes :D

And I think they chose this site because this one gets good hits.

Regards

15 Chis October 12, 2006 at 6:47 pm

Damn I missed it! I saw at work today my live bookmarks were down for your site, but didn’t try the URL until you had it down.

Well I suppose, as long as everything is back to normal, it’ll be a nice bit of link bait for you ;)

16 arthur October 12, 2006 at 6:56 pm

welcome back!

17 alek October 12, 2006 at 7:26 pm

You got some good backups Shoe – doesn’t appear you missed a post from the time between your last backup and the hack.

BTW, are you really using tapes … or complementing them with some near-line backup to another server/disk?

18 Abhishek Tripathi October 12, 2006 at 7:50 pm

Wow, barely 2 days after I wrote about the Yahoo Hijacker Trojan, this crap happens.

I was looking at the malicious script that the skiddie placed onto your site to infect other people and apparently it redirected them to another site after 10 seconds, and from there to an HTML page that tried downloading a Java archive onto the user’s computer. Now here comes the pain: I suck at Java and so it’s all Greek to me. (I suck at Greek too.) I have forwarded it to a friend and when I get to hear from him, I’ll blog about this in detail. :)

The code on this HTML page that called the Java archive, when Googled, rendered results and was mentioned on quite a few pages. The attacker, Iskorptix a.k.a. Jduke a.k.a. Mr. Kadir Basol, is an old Turkish hacker (or so it appeared from his pic that I got). He has a dedicated fan page and a dedicated hate page. He was involved with a trojan that he coded which was called the “Kadir Basol Devastator”. Attention seeker …lol

Anyways good to have you back … Cheers!

Abhishek

19 GeorgeB October 12, 2006 at 8:21 pm

Getting hacked is gay…. :(

20 Can October 12, 2006 at 9:11 pm

Welcome back
I am also a Turk who reads shoemoney via RSS and at DP. You must know that I am against all this hacking stuff, no matter who did it or why, but I am also trying to understand why he chose your site; are you French oriented or a sympathizer?

I read an interview about him in a famous local newspaper before and learnt that he is not a script kiddie who hacks one website, but that he holds some world record like hacking a thousand websites in an hour. I followed the article at threadwatch and saw he had hacked 21,548 websites yesterday besides yours.
He left a note in French because there was a non-democratic vote in the French senate about Armenians and Turks, which makes France not a free country and makes Turks barbarians.

Lastly, one more time I am saying it to make it clear: I’m against all hackers and hacking stuff and don’t care about politics.

Have a nice day all

21 Kn10 October 12, 2006 at 9:18 pm

Photo Gallery seems to be down still?

22 Hsufeng October 13, 2006 at 1:42 am

What do you recommend for image and tape backup? Is it easy?

23 kemal October 13, 2006 at 3:54 am

It’s very interesting. I am also a Turk who is interested in internet marketing. When I saw shoemoney.com yesterday, I was very surprised. But I can’t understand why he chose your site, because you are a good American :)
I don’t like France, the French, or their decision yesterday either. I also won’t buy any French goods. But I find the hacking of shoemoney.com yesterday was very silly as a criticism.

24 sandossu October 13, 2006 at 5:46 am

sorry to see that, this kind of hackers suck big time and phpbb sucks more

25 Aaron Shear October 13, 2006 at 11:08 am

I know where you stand; we are allowed to have a difference of opinion. You and I have different opinions, yes when people spray paint cars, usually it’s to gain attention and they “TAG” it with their call sign. Just the same as tagging a wall.

Your points just went way up with me with the VW thing. ;-) Since I am big into the VW/AUDI/PORSCHE racing circuit.

26 Jonathan October 13, 2006 at 11:43 am

Feels like we’re back in grade school now… “oh, sweet, I can hack that site!!!!!111” Honestly, grow some balls, this is not web 1.0 anymore.

27 Computer Repair Lincoln Nebraska October 13, 2006 at 5:18 pm

Glad to see all is well again in shoemoney land. If it is not being too nosy, can you give an idea of what the defacement cost you? Hundreds, thousands, etc…?

28 ShoeMoney October 13, 2006 at 5:41 pm

Cost me nothing. This server doesn’t have much on it but my blog and a few other sites that I am playing around with.

To be honest it’s probably a really good thing that it happened. I had about 80 or so sites on this box that were totally abandoned or I wanted to dump anyway. This just gave me a kick in the pants in that department.

29 Fredto October 14, 2006 at 7:21 am

The only funny part about that is the hacker himself.

His French sucks so much, my eyes still bleed ;p

Glad to have ye back, Shoe.

30 john October 16, 2006 at 12:12 pm

Which version of PHPBB2 were you using? The reason I ask is because I too have a PHPBB2 and want to avoid going through what you went through. Is there a fix out there?

Glad to see you are back!

31 wesley October 18, 2006 at 1:59 am

Was it the latest version of phpbb you had? Are there exploits out there that aren’t yet fixed by the phpbb team?

32 Zeeshan October 18, 2006 at 2:37 pm

This type of attack could have been contained to only that specific Web site (your friends’) if PHP was executed in such a fashion that it had to adhere to a non-Apache user and group.

Often people run PHP via mod_php and therefore scripts inherit the UID/GUID of Apache, which is very unsafe, causing one script to be faulty and have all of the remaining sites get affected or have their private contents easily read (say database login information in a PHP configuration script).

You can apply a patch to suexec to execute the PHP under CGI mode to get back security, or if you wish to get security and performance, use FastCGI, which exceeds the performance of mod_php while giving back application safety.

View http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html for more information. Lighttpd, an alternative to Apache, has native support to run PHP via FastCGI and can be found at http://www.lighttpd.net/ .

Good luck.
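
As an added illustration of the layout this comment argues for (example configuration, not the commenter’s or the post’s own; hostnames, paths, pool names and users are hypothetical, and PHP-FPM behind mod_proxy_fcgi stands in for the mod_fastcgi/suexec setup the comment links to), here is the shared-user mod_php setup beside a per-site FastCGI one:

```apache
# --- Weak: every site runs PHP in-process via mod_php, so every script runs
# as the single Apache user (www-data). One exploitable forum therefore gets
# code execution that can read or overwrite the files of every other site.
LoadModule php_module modules/libphp.so

<VirtualHost *:80>
    ServerName friend-forum.example
    DocumentRoot /var/www/friend-forum
    # no per-site user: scripts inherit Apache's uid/gid
</VirtualHost>

# --- Contained: each site is proxied (mod_proxy + mod_proxy_fcgi) to its own
# PHP-FPM pool running as a dedicated OS user. Apache itself stays www-data
# and never needs write access to any docroot.
<VirtualHost *:80>
    ServerName friend-forum.example
    DocumentRoot /var/www/friend-forum
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/friend-forum.sock|fcgi://localhost"
    </FilesMatch>
</VirtualHost>

<VirtualHost *:80>
    ServerName blog.example
    DocumentRoot /var/www/blog
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php/blog.sock|fcgi://localhost"
    </FilesMatch>
</VirtualHost>

# Matching PHP-FPM pools (php-fpm.d/*.conf, ini syntax), one OS user each.
# open_basedir keeps even a compromised pool from reading other docroots.
#
#   [friend-forum]
#   user = forum
#   group = forum
#   listen = /run/php/friend-forum.sock
#   listen.owner = www-data
#   listen.group = www-data
#   php_admin_value[open_basedir] = /var/www/friend-forum:/tmp
#
#   [blog]
#   user = blog
#   group = blog
#   listen = /run/php/blog.sock
#   listen.owner = www-data
#   listen.group = www-data
#   php_admin_value[open_basedir] = /var/www/blog:/tmp
```

Each docroot is then owned by its own site user (forum:forum, blog:blog) with only the directories the application genuinely writes to left writable, so a bug in the forum can only replace the forum’s own files.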

33 Richard Overvold October 23, 2006 at 2:54 pm

Man, I heard he showed a defaced site to get attention. This true Shoe? ;)

34 Mike Mothner March 30, 2007 at 5:57 pm

I guess looking at it positively, it’s an honor to be worth defacing!

35 coop April 11, 2007 at 12:11 am

Damn… I didn’t know there was that big of a vulnerability in phpbb
