Last night, if you came by Frankly Curious, you did not see our delightful “Legoland” Don Quixote graphic, but instead a white screen with the ominous words printed on it, “Hacked By Owner Dzz.” All things considered, it was a harmless hack. It didn’t destroy any data. But it did the same thing to all of my websites, which are stored on the same server. I assume it did the same thing to other people’s websites, but I’m not sure.
The hack was not inspired. Apparently what happened was that someone got access to my database and changed the site's character encoding from 8-bit UTF-8 to 7-bit UTF-7. That then allowed them to tamper with the widgets you see on the right (the calendar, the search box, and so on). So it put in a text widget that contained the following JavaScript:
unescape('%48%61%63%6b%65%64%20%42%79%20%4f%77%6e%65%72%20%44%7a%7a');
All that does is replace the webpage with what’s inside the “unescape” function. And what’s inside there is a hexadecimal listing of, “Hacked By Owner Dzz.” But that wasn’t all. It also renamed the site, “+ADw-/title+AD4-Hacked By Owner Dzz+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-” But more annoying, instead of leaving all my widgets alone, it deactivated them all, making it a mess to put the site back to where it was. In the end, my hosting provider was nice enough to restore all my sites with the backup made earlier that day.
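The two encoded strings above can be checked mechanically rather than by eye. What follows is an added example, not code from the original post or from WordPress: a small Python check that walks a handful of constructed wp_options values (blog_charset, blogname and blogdescription are real WordPress option names; the widget entry is a flattened stand-in for one instance of the serialized widget_text option) and reports values whose declared charset is not UTF-8, whose UTF-7 shift sequences decode to HTML markup, or that carry long percent-encoded runs. Run over a real options export it shows what an injected title or widget would actually render as once the charset switch takes effect.

```python
import re
import urllib.parse

# Constructed sample of wp_options rows (option_name -> option_value), not
# real data. blog_charset, blogname and blogdescription are real WordPress
# option names; "widget_text[9]" is a flattened stand-in for one instance
# of the serialized widget_text option.
SAMPLE_OPTIONS = {
    "blog_charset": "UTF-7",
    "blogname": "+ADw-/title+AD4-Hacked By Owner Dzz+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-",
    "blogdescription": "Just another WordPress site",
    "widget_text[9]": "unescape('%48%61%63%6b%65%64%20%42%79%20%4f%77%6e%65%72%20%44%7a%7a');",
}

UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]+-?")       # a UTF-7 base64 shift block
PERCENT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){4,}")  # four or more %XX escapes in a row
HTML_TAG = re.compile(r"</?[A-Za-z][^>]*>")


def decode_utf7(value):
    """Decode UTF-7 shift sequences; return the input unchanged if it is not valid UTF-7."""
    try:
        return value.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return value


def decode_percent_runs(value):
    """Replace runs of %XX escapes with the text they encode (what unescape() would yield)."""
    return PERCENT_RUN.sub(lambda m: urllib.parse.unquote(m.group(0)), value)


def inspect_option(name, value):
    """Return a list of (reason, decoded_text) findings for a single option value."""
    findings = []
    if name == "blog_charset" and value.strip().upper() != "UTF-8":
        findings.append(("charset changed from UTF-8", value))
    if UTF7_SHIFT.search(value):
        decoded = decode_utf7(value)
        # Only flag when the decoded form contains markup, so ordinary text
        # that merely contains a '+' is not reported.
        if decoded != value and HTML_TAG.search(decoded):
            findings.append(("UTF-7 encoded HTML markup", decoded))
    if PERCENT_RUN.search(value):
        findings.append(("percent-encoded text", decode_percent_runs(value)))
    return findings


def scan_options(options):
    """Return {option_name: findings} for every option with at least one finding."""
    report = {}
    for name, value in options.items():
        findings = inspect_option(name, value)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in scan_options(SAMPLE_OPTIONS).items():
        for reason, decoded in findings:
            print(f"{name}: {reason} -> {decoded!r}")
```

On the sample above the blogname decodes to `</title>Hacked By Owner Dzz<DIV style="DISPLAY: none"><xmp>`, that is, markup that closes the title element, prints the defacement text and hides everything after it in any client that honours a UTF-7 charset declaration, and the widget's percent-encoded run decodes to the same "Hacked By Owner Dzz". The charset finding is the one to act on first: switching blog_charset back to UTF-8 is what makes the encoded title inert.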
I wrote the other day that I just didn’t understand why people continued to vote for Republicans when everyone knows that Republicans don’t care about anything but helping out their rich buddies. But I also don’t understand hackers of this type. I do understand hackers of other types. Looking for vulnerabilities in software is incredibly interesting — and given the way the world is, a noble endeavor if done to detect and fix rather than destroy. I even understand hackers who are angry or simply trying to make a point. But that’s not what’s going on here.
Hacked or Just Pissed On?
This is just malicious mischief. There is nothing new about it. Whoever did it just read about it on some hacker website. They went around looking for a weak password, and found one. Given that Frankly Curious is hosted on a shared server with hundreds of other people, I assume it wasn’t one of my passwords. I’ve been thinking for a while that I need to upgrade my hosting to a virtual private server (VPS), and this incident really makes the case. But I’m not sure how much help I would get with that.
Last night, Scott at Reliable Webs provided the usual exceptional service. Within two minutes of my alerting them to the problem, I got a personal response. And then they worked on the problem in tandem with me. And when it was all done, they restored my sites. They are also now trying to figure out when and how the hacker got in. But I’m not sure they even offer VPS, and I’m sure not in the market for a dedicated server.
I had hoped that I would be able to get all of yesterday’s comments back, but that did not work out. I did read and respond to them all. And I still have them! But I was unable to get my full XML export of the site to re-import, probably because the site is so large at this point.
Regardless, the whole thing makes me very frustrated. It’s kind of like finding out that a 13-year-old boy was pissing on your doorstep to mark his territory. You see that in the message, “Hacked By Owner Dzz.” Now the site is owned by Dzz? No. Just like the 13-year-old boy, Dzz just stunk up the place and moved on. There’s a lot of that in the world. There are 13-year-olds practicing the violin and then there are ones who are pissing on your porch. On the net, the vast majority of people are trying, in their way, to be constructive. But these kinds of hackers (and the related spammers) add nothing — they just create damage because they apparently have nothing else better to do.
Update
Here is a discussion of the same thing by a hacker named Yz_Byte. That was two years ago.
Update: 16 March 2016 8:00 pm
This is what I received from my hosting company:
The cause of the hack was a vulnerability in shared hosting servers that use the cPanel control panel software. Reliable Webs has additional security software on our servers that prevent that vulnerability from being exploited, but unfortunately on your server it wasn’t configured correctly. A hacker gained access to one of the sites hosted on the server, either by guessing its password or exploiting an outdated WordPress installation, and then from there was able to guess the paths to the configuration files of other WordPress sites hosted on the same server. If they guessed the path correctly (which isn’t hard to do if the cPanel username is similar to the domain name) then they were able to read the configuration file (wp-config.php), which gave them the database password and the ability to change records in the database.
That’s the extent of it. What I know from my day job is that it is critical to keep software updated. I’ve written a lot about hacking, and attacks often occur long after patches have been released to address them. But even with a VPS, getting into one WordPress installation is probably enough to get into them all. I mean a server is a server. A VPS would only protect one VPS from another, not the accounts on any given VPS. It’s scary, because it means just one weak link is all it takes.
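The hosting company's account turns on two things a defender can test for on any server that carries several WordPress installs: whether wp-config.php can be read by other local accounts at all, and whether several installs share one database user, so that a single leaked config opens every site's tables. The following is an added example, not code from the original post, from WordPress or from cPanel. It assumes PHP runs as the site owner (per-user PHP handlers, where the config needs no group/other read bits), and the site tree it audits is constructed in a temporary directory with placeholder credentials.

```python
import os
import re
import shutil
import stat
import tempfile
from collections import defaultdict

# Matches define('DB_NAME', 'value') style lines in wp-config.php.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def parse_db_settings(wp_config_path):
    """Return the DB_NAME / DB_USER / DB_HOST defines found in a wp-config.php."""
    settings = {}
    with open(wp_config_path, encoding="utf-8", errors="replace") as fh:
        for match in DEFINE_RE.finditer(fh.read()):
            settings[match.group(1)] = match.group(2)
    return settings


def readable_by_others(path):
    """True when the group or 'other' read bit is set on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_installs(docroots):
    """Audit WordPress document roots; returns a list of (docroot, finding) pairs."""
    findings = []
    installs_by_db_user = defaultdict(list)
    for root in docroots:
        cfg = os.path.join(root, "wp-config.php")
        if not os.path.isfile(cfg):
            findings.append((root, "no wp-config.php found"))
            continue
        if readable_by_others(cfg):
            findings.append((root, "wp-config.php readable by group/others"))
        settings = parse_db_settings(cfg)
        if settings.get("DB_USER"):
            key = (settings.get("DB_HOST", ""), settings["DB_USER"])
            installs_by_db_user[key].append(root)
    # A database user shared between installs means one leaked config
    # exposes every site that uses that user.
    for (host, user), roots in installs_by_db_user.items():
        if len(roots) > 1:
            for root in roots:
                others = len(roots) - 1
                findings.append((root, f"shares DB user '{user}'@{host} with {others} other install(s)"))
    return findings


def demo_audit():
    """Build a constructed three-site tree under a temp dir, audit it, then clean up."""
    base = tempfile.mkdtemp(prefix="wpaudit_")
    # site name -> (DB_NAME, DB_USER, file mode); all credentials are placeholders.
    sites = {
        "site-a": ("wp_a", "shared_dbuser", 0o644),  # world-readable config, shared DB user
        "site-b": ("wp_b", "shared_dbuser", 0o600),  # private config, shared DB user
        "site-c": ("wp_c", "own_dbuser", 0o600),     # nothing to report
    }
    try:
        roots = []
        for name, (db_name, db_user, mode) in sites.items():
            root = os.path.join(base, name)
            os.makedirs(root)
            cfg = os.path.join(root, "wp-config.php")
            with open(cfg, "w", encoding="utf-8") as fh:
                fh.write(
                    "<?php\n"
                    f"define('DB_NAME', '{db_name}');\n"
                    f"define('DB_USER', '{db_user}');\n"
                    "define('DB_PASSWORD', 'placeholder-not-a-real-secret');\n"
                    "define('DB_HOST', 'localhost');\n"
                )
            os.chmod(cfg, mode)
            roots.append(root)
        return [(os.path.basename(root), finding) for root, finding in audit_installs(roots)]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for site, finding in demo_audit():
        print(f"{site}: {finding}")
```

Pointing audit_installs at the real document roots (for example the public_html directory of each account) gives the same two findings on a live server. Neither check makes an outdated install safe, but together they are what turns one compromised site into one compromised site rather than a whole server of them.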
It’s digital graffiti, no different than employing a can of spray paint. And while I understand the alienation that sometimes motivates graffiti and tagging, I think it was a big mistake when the liberal consensus decided to normalize that behaviour.
I was just thinking the same thing! In both cases you have some rare examples of principled work (hacking a government spy site, for instance, or politically conscious graffiti). But for the most part it’s just a mess some poor person has to take time to clean up.
Years ago I knew a fellow who was sick of painting over graffiti on his garage door. So he waited, and caught one of the kids, and told him to spread the word; there would be a day for all the local taggers to come and really do some nice work. They came, and did a mural about the neighborhood; diverse faces, police intimidation, etc. The man really liked it and hoped taggers would respect it enough to leave it alone. And they left it alone. But the city eventually made him paint it over.
Yeah, a mural is a different animal. Those are usually sponsored, or at least permitted.
There is unintentional collaborative art. I’m amazed that what can be created by years of graffiti. But then, I’ve always found Pollock’s work interesting.
Oh I remember the hysteria that Howard Dean generated by his acceptance of tagging as a legitimate art form.
Then I guess only a dork would support Dean!
(Sorry the rest of you; that’s an inside joke.)
Damn straight dorks supported Dean.
Yeah, but it’s like graffiti using a stencil that someone else created. Just as with graffiti, hacking can be an amazingly creative activity. I don’t get this stuff, just like I don’t get tagging. It’s too much, “I was here?” And that’s just begging the rest of the world to respond, “So what?!”
Having to deal with actual teenagers, I wonder why the adults in my life didn’t bury my body in the desert. Good grief.
That’s true. I remember reading an essay when I was in college calling for abortions up to the age of 18. It would, however, be much harder to abort a 17 year old than a 1 year old. It was funny, but I don’t actually know what the writer was saying. I think it was just that children suck. But you could see it as an anti-abortion polemic.
I should be clear: I suspect that our 13-year-old is more like a 30-something without much of a life.
Can’t he (and I am positive it is a he) do what most guys who are bored do and find some Twitter feud to be part of?
I think most people that are into hacking are, at base, gnostics: they like the idea of having secret knowledge. So there is something more to it than simply tagging a website.
It would almost certainly be a guy, but there certainly are female hackers.
I could believe that. But it seems like such a silly thing to do and kind of a masculine trait.
It is a silly masculine trait. That’s because we’re the ones who can write our names in the snow, as well as the ones who want to.
“Clean your room this minute! Don’t make me call the clinic!”
It would make parenting much easier — kind of like having a pet.
He deserves the Ping Of Death.
Don’t say that. Next I’ll get a DDoS attack!
Frank, I run a VPS and ALL of my sites were also defaced in the same way, in the same week as your attack. We were running firewalls and security plugins on each WP site, had “hardened” all the typical elements, all passwords 20+ random characters, etc., and had a firewall and strong mod security rules on the server itself. I still cannot figure out how the hacker was able to attack the database tables. Have you learned any more about how that was accomplished?
I have some info on this. I will edit this comment when I get back and add it.
I’ve added an update. It contains all that I know. It’s sad that we have to deal with this stuff.
Frank, thanks for that update and additional information. It certainly gives me a lot to think about! I agree with you, shared hosting at the VPS level should not have this vulnerability. We think we are paying for a little more separation – if not firewalling – from the other accounts on a shared server. But it sounds like that is certainly not the case.
The problem is that every machine really needs an experienced SA. And even still, stuff happens. It’s a constant fight. The thing about a full-time SA is that they can spend a lot of time interacting with other SAs to find out what’s happening. I just want to run my blog. It still bothers me that I get more spammers on this site than actual people. And the bigger the site gets, the more spammers come. It doesn’t bother me personally, but it wastes my bandwidth. It offends my sense of how society should run. There’s all this wasted effort when these people could be doing something positive.
One reason I haven’t gone to VPS is that I would want a managed VPS. And I got my first Unix SA gig in 1988. But I don’t want to deal with it. I don’t want to spend my time worrying about hardening my site and similar things. And in the grand scheme of things, FC is nothing. Ugh. I wish you well in your endeavors. It really does suck though!
I just got hacked by the same person on a dedicated server. This is beyond frustrating. Have you found out any more info?
Just change the encoding back to 8-bit and then go into your widgets and delete the one that the hacker created. That means that all of your old widgets will have to be recreated. If you or your host has a backup, that’s the best way to go.
It’s frustrating, but generally not that damaging.
If you haven’t already, you should contact customer support at your hosting company. Assuming you are using shared hosting, this has probably affected many different people.
For those who have seen hacks by “Owner Dzz” or his alt nic “Zranger Super”, the deface is only a part of what may have happened. There are ties to some serious hackers who are quite capable of not leaving tracks if you do not have full logging, patch management and managed AUTOMATICALLY updated WordPress, or use Joomla, Magento or other FREEWARE for CMS or CRM. If it is vulnerable, this hacker and their teams are quite capable of breaching an entire server. Some in the group are novice, but there are others in the groups that WILL do damage. THE FOLLOWING is an AI report on this hacker. It is NOT formatted for this purpose but has the data you need to know.
FINDING
Hackers ZH stats (ZH stats only)
Positive : Total notifications: 19,173 of which 6,836 single ip and 12,337 mass defacements
Hackers Team stats (ZH stats only)
Positive : 10,465 of which 2,370 single ip and 8,095 mass defacements
Hack mirror for the Hacker
Positive: As Owner Dzz Team Owner Dzz in early 2016
Hack Mirror for Team
Positive: 5 sites in Italy.
Hacker Handle
HIS AKA: “Zranger Super” flew under the “DRS Dz Team” banner on 3-26-2016; flew under the “Anonymous Arab” team’s banner 4-15-2016 to 5-10-2016.
Facebook Lookup
Negative for this name
Facebook Lookup Team
Negative under Owner Dzz, Positive under D.R.S. Dz Team
https://www.facebook.com/D.R.S.Dz.Team/
Pastebin Hacker Lookup
Negative : Owner Dzz Negative: Zranger Super
PasteBin Team
Negative: Owner Dzz. Positive: D.R.S Dz Team (BOT NET SCRIPTS, SHELLS, DEFACES, EXFIL, Data Exfil, Credential Scrapes, RATs, Malware, Account Creation)
https://pastebin.com/cEWspZ4D
Negative on p_82ui191.jpg. Positive on “Hacked by Owner Dzz”
Deface code at https://pastebin.com/cEWspZ4D
Google Hacker
Multiple Positives
Google Team
Multiple Positives
Bing Hacker
FOUND IN BING LIST OF HACKED SITES >> We Are : Said-Verde-Rosso | Fouzi Baws-DZ | | Chitane Dz | Ox_fares | Fayssal Plas Doz | Owner Dzz | Farouk General
Bing Team
FOUND IN BING RESULTS > TEAM SITE ON FACEBOOK > https://www.facebook.com/D.R.S.Dz.Team/
Bing A String or Image Filename
Negative
Associates Found
[+] GreetZ : imam , D.R.S Dz Team , darkshadow-tn , rxR , GeNErAL , Ihab Pal , Magnom Danzo , Tobitow and all muslim hackers [+]
Uses alt handle of Zranger Super also.
Never assume because it looks like a script kiddie that it is one. It may be, they copied your entire DB Out, and they may have left modifications in critical files.
IF YOUR BUSINESS WEBSITE IS HACKED, EVEN IF IT LOOKS TRIVIAL, CALL YOUR LOCAL FBI OFFICE AND REPORT IT!
Thanks for the info. That’s a very good point that we should make general: benign hacks can be used by others for very malignant purposes.