Hacked Hacked Hacked Went the Website

Hacked By Owner DzzLast night, if you came by Frankly Curious, you did not see our delightful “Legoland” Don Quixote graphic, but instead a white screen with the ominous words printed on it, “Hacked By Owner Dzz.” All things considered, it was a harmless hack. It didn’t destroy any data. But it did the same thing to all of my websites, which are stored on the same server. I assume it did the same thing to other people’s websites, but I’m not sure.

The hack was not inspired. Apparently what happened was that someone got access to my database and managed to change the character encoding from 8-bit UTF to 7-bit. This then allowed them to hack the widgets you see on the right (the calendar, the search box, and so on). So it put in a text widget that contained the following JavaScript:

document.documentElement.innerHTML =
unescape(‘%48%61%63%6b%65%64%20%42%79%20%4f%77%6e%65%72%20%44%7a%7a’);

All that does is replace the webpage with what’s inside the “unescape” function. And what’s inside there is a hexadecimal listing of, “Hacked By Owner Dzz.” But that wasn’t all. It also renamed the site, “+ADw-/title+AD4-Hacked By Owner Dzz+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-” But more annoying, instead of leaving all my widgets alone, it deactivated them all, making it a mess to put the site back to where it was. In the end, my hosting provider was nice enough to restore all my sites with the backup made earlier that day.

I wrote the other day that I just didn’t understand why people continued to vote for Republicans when everyone knows that Republicans don’t care about anything but helping out their rich buddies. But I also don’t understand hackers of this type. I do understand hackers of other types. Looking for vulnerabilities in software is incredibly interesting — and given the way the world is, a noble endeavor if done to detect and fix rather than destroy. I even understand hackers who are angry or simply trying to make a point. But that’s not what’s going on here.

Hacked or Just Pissed On?

This is just malicious mischief. There is nothing new about it. Whoever did it just read about it on some hacker website. They went around looking for a weak password, and found one. Given that Frankly Curious is hosted on a shared website with hundreds of other people, I assume it wasn’t one of my passwords. I’ve been thinking for a while that I need to upgrade my hosting to a virtual private server (VPS), and this incident really highlights this case. But I’m not sure how much help I would get with that.

Last night, Scott at Reliable Webs provided the usual exceptional service. Within two minutes of my alerting them to the problem, I got a personal response. And then they worked on the problem in tandem with me. And when it was all done, they restored my sites. They are also now trying to figure out when and how the hacker got in. But I’m not sure they even offer VPS, and I’m sure not in the market for a dedicated server.

I had hoped that I would be able to get all of yesterday’s comments back, but that did not work out. I did read and respond to them all. And I still have them! But I was unable to get my full XML export of the site to re-import, probably because the site is so large at this point.

Regardless, the whole thing makes me very frustrated. It’s kind of like finding out that a 13-year-old boy was pissing on your doorstep to mark his territory. You see that in the message, “Hacked By Owner Dzz.” Now the site is owned by Dzz? No. Just like the 13-year-old boy, Dzz just stunk up the place and moved on. There’s a lot of that in the world. There are 13-year-olds practicing the violin and then there are ones who are pissing on your porch. On the net, the vast majority of people are trying, in their way, to be constructive. But these kinds of hackers (and the related spammers) add nothing — they just create damage because they apparently have nothing else better to do.

Update

Here is a discussion of the same thing by a hacker named Yz_Byte. That was two years ago.

Update: 16 March 2016 8:00 pm

This is what I received from my hosting company:

On Wednesday, March 9th, some WordPress sites hosted on one of our servers were hacked. The hack changed some database fields, which included the field that is the default used for the site’s title and is displayed by some themes near the top of your pages. It also changed the character set value which caused some characters to appear incorrectly on the page. Additionally, it created a widget which may or may not have appeared in the sidebar of your site, depending on whether your theme was using widgets or not. The hack did not change any of the posts, images, or other content…

The cause of the hack was a vulnerability in shared hosting servers that use the cpanel control panel software. Reliable Webs has additional security software on our servers that prevent that vulnerability from being exploited, but unfortunately on your server it wasn’t configured correctly. A hacker gained access to one of the sites hosted on the server, either by guessing its password or exploiting an outdated WordPress installation, and then from there was able to guess the paths to the configuration files of other WordPress sites hosted on the same server. If they guessed the path correctly (which isn’t hard to do if the cpanel username is similar to the domain name) then they were able to read the configuration file (wp-config.php), which gave them the database password and the ability to change records in the database.

That’s the extent of it. What I know from my day job is that it is critical to keep software updated. I’ve written a lot about hacking, and attacks often occur long after patches have been released to address them. But even with a VPS, getting into one WordPress installation is probably enough to get into them all. I mean a server is a server. A VPS would only protect one VPS from another, not the accounts on any given VPS. It’s scary, because it means just one weak link is all it takes.

26 thoughts on “Hacked Hacked Hacked Went the Website

  1. It’s digital graffiti, no different than employing a can of spray paint. And while I understand the alienation that sometimes motivates graffiti and tagging, I think it was a big mistake when the liberal consensus decided to normalize that behaviour.

    • I was just thinking the same thing! In both cases you have some rare examples of principled work (hacking a government spy site, for instance, or politically conscious graffiti). But for the most part it’s just a mess some poor person has to take time to clean up.

      Years ago I knew a fellow who was sick of painting over graffiti on his garage door. So he waited, and caught one of the kids, and told him to spread the word; there would be a day for all the local taggers to come and really do some nice work. They came, and did a mural about the neighborhood; diverse faces, police intimidation, etc. The man really liked it and hoped taggers would respect it enough to leave it alone. And they left it alone. But the city eventually made him paint it over.

    • Yeah, but it’s like graffiti using a stencil that someone else created. Just as with graffiti, hacking can be an amazingly creative activity. I don’t get this stuff, just like I don’t get tagging. It’s too much, “I was here?” And that’s just begging the rest of the world to respond, “So what?!”

  2. Having to deal with actual teenagers, I wonder why the adults in my life didn’t bury my body in the desert. Good grief.

    • That’s true. I remember reading an essay when I was in college calling for abortions up to the age of 18. It would, however, be much harder to abort a 17 year old than a 1 year old. It was funny, but I don’t actually know what the writer was saying. I think it was just that children suck. But you could see it as an anti-abortion polemic.

      I should be clear: I suspect that our 13-year-old is more like a 30-something without much of a life.

        • I think most people that are into hacking are, at base, gnostics: they like the idea of having secret knowledge. So they is something more to it than simply tagging a website.

          It would almost certainly be a guy, but there certainly are female hackers.

            • It is a silly masculine trait. That’s because we’re the ones who can write our names in the snow, as well as the ones who want to.

  3. Frank, I run a VPS and ALL of my sites were also defaced in the same way, in the same week as your attack. We were running firewalls and security plugins on each WP site, had “hardened” all the typical elements, all passwords 20+ random characters, etc., and had a firewall and strong mod security rules on the server itself. I still cannot figure out how the hacker was able to attack the database tables. Have you learned any more about how that was accomplished?

    • I have some info on this. I will edit this comment when I get back and add it.

      I’ve added an update. It contains all that I know. It’s sad that we have to deal with this stuff.

      • Frank, thanks for that update and additional information. It certainly gives me a lot to think about! I agree with you, shared hosting at the VPS level should not have this vulnerability. We think we are paying for a little more separation – if not firewalling – from the other accounts on a shared server. But it sounds like that it certainly not the case.

        • The problem is that every machine really needs an experienced SA. And even still, stuff happens. It’s a constant fight. The thing about a full-time SA is that they can spend a lot of time interacting with other SAs to find out what’s happening. I just want to run my blog. It still bothers me that I get more spammers on this site than actual people. And the bigger the site gets, the more spammers come. It doesn’t bother me personally, but it wastes my bandwidth. It offends my sense of how society should run. There’s all this wasted effort when these people could be doing something positive.

          One reason I haven’t gone to VPS is that I would want a managed VPS. And I got my first Unix SA gig in 1988. But I don’t want to deal with it. I don’t want to spend my time worrying about hardening my site and similar things. And in the grand scheme of things, FC is nothing. Ugh. I wish you well in your endeavors. It really does suck though!

    • Just to change the encoding back to 8-bit and then go into your widgets and delete the one that the hacker created. That means that all of your old widgets will have to be recreated. If you or your host has a backup, that’s the best way to go.

      It’s frustrating, but generally not that damaging.

      If you haven’t already, you should contact customer support at your hosting company. Assuming you are using shared hosting, this has probably affected many different people.

    • For those who have seen hacks by “Owner Dzz” or his alt Nic “Zranger Super”, the deface is only a part of what may have happened. There are ties to some serious hackers who are quite capable of not leaving tracks if you do not have full logging, patch management and managed AUTOMATICALLY updated WordPress, or use Joomla, Magenta or other FREEWARE for CMS or CRM. If it is vulnerable, this hacker and their teams are quite capable of breaching an entire server. Some in the group are novice, but there are others in the groups that WILL do damage. THE FOLLOWING is an AI report on this hacker,*It is NOT formatted for this purpose but has the data you need to know.

      FINDING
      Hackers ZH stats (ZH stats only)
      Positive : Total notifications: 19,173 of which 6,836 single ip and 12,337 mass defacements

      Hackers Team stats (ZH stats only)
      Positive : 10,465 of which 2,370 single ip and 8,095 mass defacements

      Hack mirror for the Hacker
      Positive: As Owner Dzz Team Owner Dzz in early 2016

      Hack Mirror for Team
      “Positive: 5 sites in Italy. Hacker Handle
      HIS AKA: “Zranger Super” flew under the “”DRS Dz Team”” Banner on 3-26-2016 flew under “”Anonymous Arab”” teams banner 4-15-2016 to 5-10-2016 ”

      Facebook Lookup
      Negative for this name

      Facebook Lookup Team
      Negative under Owner Dzz, Positive under D.R.S. Dz Team
      https://www.facebook.com/D.R.S.Dz.Team/
      Pastebin Hacker Lookup
      Negative : Owner Dzz Negative: Zranger Super

      PasteBin Team
      Negative: Owner Dzz. Positive: D.R.S Dz Team (BOT NET SCRIPTS, SHELLS, DEFACES, EXFIL, Data Exfil, Credential Scrapes, RATs, Malware, Account Creation)
      https://pastebin.com/cEWspZ4D

      Negative on p_82ui191.jpg. Positive on “Hacked by Owner Dzz”
      Deface code at https://pastebin.com/cEWspZ4D
      Google Hacker
      Multiple Positives

      Google Team
      Multiple Positives

      Bing Hacker
      FOUND IN BING LIST OF HACKED SITES >> We Are : Said-Verde-Rosso | Fouzi Baws-DZ | | Chitane Dz | Ox_fares | Fayssal Plas Doz | Owner Dzz | Farouk General

      Bing Team
      FOUND IN BING RESULTS > TEAM SITE ON FACEBOOK > https://www.facebook.com/D.R.S.Dz.Team/

      Bing A String or Image Filename
      Negative

      Associates Found
      [+] GreetZ : imam , D.R.S Dz Team , darkshadow-tn , rxR , GeNErAL , Ihab Pal , Magnom Danzo , Tobitow and all muslim hackers [+]

      Uses alt handle of Zranger Super also.

      Never assume because it looks like a script kiddie that it is one. It may be, they copied your entire DB Out, and they may have left modifications in critical files.

      IF YOUR BUSINESS WEBSITE IS HACKED, EVEN IF IT LOOKS TRIVIAL, CALL YOUR LOCAL FBI OFFICE AND REPORT IT!

      • Thanks for the info. That’s a very good point that we should make general: benign hacks can be used for others for very malignant purposes.

Leave a Reply

Your email address will not be published. Required fields are marked *