Yeap I got defaced

Between 7am and 10am this morning the website looked like this:

[image: shoemoney defaced]

As soon as I saw it had been defaced I took the server offline (about 10am), imaged it, then had the drive reimaged with a fresh clean OS. Then I started to restore from tape backup. While restoring I went through the old logs and figured out the person got in through a phpbb2 exploit. Basically they were able to execute code on the server as the webserver user, and this also means they were able to delete files and replace files owned by the webserver user…

Now why would I run phpbb2? Well… I was hosting for a friend =(. It's probably a good thing this happened because I also realized I was hosting about 80 other sites for free that were for family and friends, but I am responsible for keeping them updated (which of course I lapsed on), so ok, everyone off!

I REALLY want to thank all the readers and friends out there who put out the ShoeSignal to notify me that my site had been defaced. I had been up all night working on some stuff and did not notice it until someone called my home number.

I had 52 emails, 16 voice mails, 13 SMS text messages from friends telling me my site had been defaced. Thank you ;)

42 thoughts on “Yeap I got defaced”

  1. RSnake

    Sucks. It happens to almost everyone at some point. Just make sure they didn’t leave anything in cron. If you didn’t completely delete the drive and start over from a restored copy there’s no way to know if you’ve gotten rid of them for sure. Thankfully most rootkits these days are easy to find and destroy, but there are a few that are far less so.

  2. Aaron Shear

    Ewww I hit a nerve! ;-)

    I take defacing of sites seriously; in my opinion it’s just as bad as keying or spray painting someone’s car out of jealousy. But I guess you're one of those poor guys who drives around in a beat-up Civic desperate for attention.

  3. Mike Seiler

    This is why I like to make my sites look like they were designed by a retarded monkey. That way, if someone defaces it, either no one will notice–or they’ll think I came up with a better redesign. ;)

  4. Nils

    So if you spray paint someone’s car you should be shot too?
    I didn’t demand to shoot hackers and post my URL so who’s desperate for attention?
    And nah, you didn’t really hit a nerve, I just thought it was a pretty stupid thing to say.
    I drive a VW btw.

  5. Pingback: Shoemoney was Hacked - JohnTP.com

  6. Tracy

    I just thought, hey, Shoe finally tried the Red on black motif, but couldn’t figure out what the writing said or why he suddenly had hair. Figured maybe it was some kind of radical rogaine ad that Shoe was doing in Turkey before he unleashed it to the states.

  7. Mike

    Glad to see you back, Shoemeister. Glad to have you online again.

    What are your plans to prevent this happening again? I mean, apart from ditching the 80 sites ;) ?

  8. Pingback: Xuru Blog » Blog Archive » Want Links? Have Your Site Hacked!

  9. mascix

    It was nothing serious, they like to tell the whole world that the French make mistakes sometimes :D

    And I think they chose this site because this one gets good hits.

    Regards

  10. Chis

    Damn I missed it! I saw at work today my live bookmarks were down for your site, but didn’t try the URL until you had it down.

    Well I suppose, as long as everything is back to normal, it’ll be a nice bit of link bait for you ;)

  11. alek

    You got some good backups Shoe – doesn’t appear you missed a post from the time between your last backup and the hack.

    BTW, are you really using tapes … or complementing with some near-line backup to another server/disk?

  12. Abhishek Tripathi

    Wow barely 2 days after I wrote about the Yahoo Hijacker Trojan that this crap happens.

    I was looking at the malicious script that the skiddie placed onto your site to infect other people and apparently it redirected them to another site after 10 seconds, and from there to an HTML page that tried downloading a Java archive onto the user's computer. Now here comes the pain: I suck at Java and so it’s all Greek to me. (I suck at Greek too.) I have forwarded it to a friend and when I get to hear from him, I’ll blog about this in detail. :)

    The code on this HTML page that called the Java archive, when Googled, rendered results and was mentioned on quite a few pages. The attacker, Iskorptix a.k.a. Jduke a.k.a. Mr. Kadir Basol, is an old Turkish hacker (or so it appeared from his pic that I got). He has a dedicated fan page and a dedicated hate page. He was involved with a trojan that he coded which was called the “Kadir Basol Devastator”. Attention seeker …lol

    Anyways good to have you back … Cheers!

    Abhishek

  13. Can

    Welcome back
    I am also Turkish and read shoemoney via RSS and at DP. You must know that I am against all this hacking stuff, no matter who did it or why, but I am also trying to understand why he chose your site; are you French oriented or a sympathizer?

    I read an interview about him in a famous local newspaper before and learnt that he is not a script kiddie who hacks one website, but he has some world record like hacking a thousand websites in an hour. I followed the article at threadwatch and saw he had hacked 21,548 websites yesterday besides yours.
    He left a note in French because there was a non-democratic vote in the French senate about Armenians and Turks, which makes France not a free country and makes Turks barbarians.

    At last, one more time I'm saying, to make it clear: I'm against all hackers and hacking stuff, and don't care about politics.

    Have a nice day all

  14. Pingback: A Day in the Life… » Blog Archive » Wrap-Up of Shoemoney’s Hacking

  15. kemal

    It’s very interesting. I am also a Turk who is interested in internet marketing. When I saw shoemoney.com yesterday, I was very surprised. But I can’t understand why he chose your site, because you are a good American :)
    I don’t like France, the French or their decision yesterday either. I also won’t buy any French goods. But I find the hacking of shoemoney.com yesterday was very silly as a criticism.

  16. Pingback: They hacked Shoemoney too at GüncelYorum.Com

  17. Aaron Shear

    I know where you stand; we are allowed to have a difference of opinion. You and I have different opinions, yes when people spray paint cars, usually it’s to gain attention and they “TAG” it with their call sign. Just the same as tagging a wall.

    Your points just went way up with me with the VW thing. ;-) Since I am big into the VW/AUDI/PORSCHE racing circuit.

  18. Jonathan

    Feels like we’re back in grade school now… “oh, sweet, I can hack that site!!!!!111″ Honestly, grow some balls, this is not web 1.0 anymore.

  19. ShoeMoney

    Cost me nothing. This server doesn't have much on it but my blog and a few other sites that I am playing around with.

    To be honest it's probably a really good thing that it happened. I had about 80 or so sites on this box that were totally abandoned or I wanted to dump anyway. This just gave me a kick in the pants in that department.

  20. Fredto

    The only funny part about that is the hacker himself.

    His French sucks so much, my eyes still bleed ;p

    Glad to have ye back, Shoe.

  21. john

    Which version of PHPBB2 were you using? The reason I ask is because I too have a PHPBB2 and want to avoid going through what you went through. Is there a fix out there?

    Glad to see you are back!

  22. wesley

    Was it the latest version of phpbb you had? Are there exploits out there that aren’t yet fixed by the phpbb team?

  23. Pingback: » Shoemoney defaced

  24. Zeeshan

    This type of attack could have been contained to only that specific Web site (your friends’) if PHP was executed in such a fashion that it had to adhere to a non-Apache user and group.

    Often people run PHP via mod_php and therefore scripts inherit the UID/GUID of Apache, which is very unsafe, causing one script to be faulty and have all of the remaining sites get affected or have their private contents easily read (say database login information in a PHP configuration script).

    You can apply a patch to suexec to execute the PHP under CGI mode to get back security, or if you wish to get security and performance, use FastCGI, which exceeds the performance of mod_php while giving back application safety.

    View http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html for more information. Lighttpd, an alternative to Apache, has native support to run PHP via FastCGI and can be found at http://www.lighttpd.net/ .

    Good luck.
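As an added illustration of the separation Zeeshan describes (not configuration from the post or from any commenter), here is an Apache 2.x fragment contrasting the mod_php setup, where every site's PHP runs as the one Apache user, with a per-site setup using mod_fcgid plus suexec. The site names, Unix accounts and paths are assumed for the example.

```apache
# WEAK: mod_php. Every VirtualHost's PHP code executes as the single
# Apache user (www-data here). A hole in the friend's phpBB2 therefore
# runs code as the same user that owns every other site on the box, so
# it can read or overwrite their files and config (DB passwords included).
User  www-data
Group www-data
LoadModule php5_module modules/libphp5.so
<VirtualHost *:80>
    ServerName   friend-forum.example      # assumed site
    DocumentRoot /var/www/friend-forum
    AddHandler php5-script .php
</VirtualHost>

# BETTER: PHP as a FastCGI process under suexec, one Unix account per
# site. Apache still listens as www-data, but each site's php-cgi is
# spawned as that site's own user, so the forum's code runs as "forum"
# and cannot touch /var/www/shoemoney-blog (owned blog:blog, mode 0750).
LoadModule suexec_module modules/mod_suexec.so
LoadModule fcgid_module  modules/mod_fcgid.so
<VirtualHost *:80>
    ServerName   friend-forum.example
    DocumentRoot /var/www/friend-forum
    SuexecUserGroup forum forum            # assumed account for this site
    <Directory /var/www/friend-forum>
        Options +ExecCGI
        AddHandler fcgid-script .php
        FcgidWrapper /var/www/friend-forum/php-wrapper .php
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName   shoemoney-blog.example
    DocumentRoot /var/www/shoemoney-blog
    SuexecUserGroup blog blog              # separate account for the blog
    <Directory /var/www/shoemoney-blog>
        Options +ExecCGI
        AddHandler fcgid-script .php
        FcgidWrapper /var/www/shoemoney-blog/php-wrapper .php
    </Directory>
</VirtualHost>
```

Each php-wrapper is a two-line shell script (`#!/bin/sh` then `exec /usr/bin/php-cgi`) that suexec insists be owned by that site's user and not group- or world-writable; the compromise is then bounded by what the "forum" account alone can reach.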

  25. Pingback: » From Shoemoney.com - Yeap I got defaced - Best AdSense News

  26. Pingback: Want Links? Have Your Site Hacked! | Xuru

Comments are closed.