Last night, if you came by Frankly Curious, you did not see our delightful “Legoland” Don Quixote graphic, but instead a white screen with the ominous words printed on it, “Hacked By Owner Dzz.” All things considered, it was a harmless hack. It didn’t destroy any data. But it did the same thing to all of my websites, which are stored on the same server. I assume it did the same thing to other people’s websites, but I’m not sure.
All that does is replace the webpage with what’s inside the “unescape” function. And what’s inside there is a hexadecimal listing of, “Hacked By Owner Dzz.” But that wasn’t all. It also renamed the site, “+ADw-/title+AD4-Hacked By Owner Dzz+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-” But more annoying, instead of leaving all my widgets alone, it deactivated them all, making it a mess to put the site back to where it was. In the end, my hosting provider was nice enough to restore all my sites with the backup made earlier that day.
I wrote the other day that I just didn’t understand why people continued to vote for Republicans when everyone knows that Republicans don’t care about anything but helping out their rich buddies. But I also don’t understand hackers of this type. I do understand hackers of other types. Looking for vulnerabilities in software is incredibly interesting — and given the way the world is, a noble endeavor if done to detect and fix rather than destroy. I even understand hackers who are angry or simply trying to make a point. But that’s not what’s going on here.
Hacked or Just Pissed On?
This is just malicious mischief. There is nothing new about it. Whoever did it just read about it on some hacker website. They went around looking for a weak password, and found one. Given that Frankly Curious is hosted on a shared website with hundreds of other people, I assume it wasn’t one of my passwords. I’ve been thinking for a while that I need to upgrade my hosting to a virtual private server (VPS), and this incident really highlights this case. But I’m not sure how much help I would get with that.
Last night, Scott at Reliable Webs provided the usual exceptional service. Within two minutes of my alerting them to the problem, I got a personal response. And then they worked on the problem in tandem with me. And when it was all done, they restored my sites. They are also now trying to figure out when and how the hacker got in. But I’m not sure they even offer VPS, and I’m sure not in the market for a dedicated server.
I had hoped that I would be able to get all of yesterday’s comments back, but that did not work out. I did read and respond to them all. And I still have them! But I was unable to get my full XML export of the site to re-import, probably because the site is so large at this point.
Regardless, the whole thing makes me very frustrated. It’s kind of like finding out that a 13-year-old boy was pissing on your doorstep to mark his territory. You see that in the message, “Hacked By Owner Dzz.” Now the site is owned by Dzz? No. Just like the 13-year-old boy, Dzz just stunk up the place and moved on. There’s a lot of that in the world. There are 13-year-olds practicing the violin and then there are ones who are pissing on your porch. On the net, the vast majority of people are trying, in their way, to be constructive. But these kinds of hackers (and the related spammers) add nothing — they just create damage because they apparently have nothing else better to do.
Here is a discussion of the same thing by a hacker named Yz_Byte. That was two years ago.
Update: 16 March 2016 8:00 pm
This is what I received from my hosting company:
On Wednesday, March 9th, some WordPress sites hosted on one of our servers were hacked. The hack changed some database fields, which included the field that is the default used for the site’s title and is displayed by some themes near the top of your pages. It also changed the character set value which caused some characters to appear incorrectly on the page. Additionally, it created a widget which may or may not have appeared in the sidebar of your site, depending on whether your theme was using widgets or not. The hack did not change any of the posts, images, or other content…
The cause of the hack was a vulnerability in shared hosting servers that use the cpanel control panel software. Reliable Webs has additional security software on our servers that prevent that vulnerability from being exploited, but unfortunately on your server it wasn’t configured correctly. A hacker gained access to one of the sites hosted on the server, either by guessing its password or exploiting an outdated WordPress installation, and then from there was able to guess the paths to the configuration files of other WordPress sites hosted on the same server. If they guessed the path correctly (which isn’t hard to do if the cpanel username is similar to the domain name) then they were able to read the configuration file (wp-config.php), which gave them the database password and the ability to change records in the database.
That’s the extent of it. What I know from my day job is that it is critical to keep software updated. I’ve written a lot about hacking, and attacks often occur long after patches have been released to address them. But even with a VPS, getting into one WordPress installation is probably enough to get into them all. I mean a server is a server. A VPS would only protect one VPS from another, not the accounts on any given VPS. It’s scary, because it means just one weak link is all it takes.