inbetween 7am and 10am this morning the website looked like this:
As soon as I saw it had been defaced I took the server off line (about 10am). Imaged it then had the drive reimaged with a fresh clean OS. Then I started to restore from tape backup. While restoring I went through the old logs and figured out the person got in from a phpbb2 exploit. Basically they were able to exectute code on the server as the webserver user and this also means they were able to delete files and replace files owned by the webserver user…
Now why would I run phpbb2 ? well… I was hosting for a friend =(. Its probably a good thing this happened cause I also realized I was hosting about 80 other sites for free that were for family and friends but I am responsible for keeping them updated (which of course i lapsed) so ok everyone off!
I REALLY want to thank all the readers and friends out there who put out the ShoeSignal to notify me that my site had been defaced. I had been up all night working on some stuff and did not notice it until someone called my home number.
I had 52 emails, 16 voice mails, 13 SMS text messages from friends telling me my site had been defaced. Thank you 😉