Yesterday was a bad day for me when I received a tweet from a friend telling me that GoGreenPakistan.com was hacked. I checked the tweet on my phone and came online to check it, and to my surprise it was hacked by some hacker from Albania. I’m not sure what they wrote in there and I didn’t even bother to use Google Translate to read it. The Go Green Pakistan campaign is running at its peak, and the website getting hacked was a setback for me. When I investigated further, I found out the whole web server was compromised and it was not just a defacement. Initially I thought someone had just defaced my websites.
Below is the screenshot of the page that was uploaded on my websites:
All of my personal websites were hacked and defaced with a message “Hacked by #Albanian Hacker’s Terrorist”. Not just that, the guy deleted some of the root files and deleted some major folders from the Apache root, which deleted all the information of the email accounts associated with all the domains. Besides that, the hacker deleted all the log files too. I tried to catch the IP address and the cause of the hack and found out that there was a file with a strange name placed on the root of my server, which was then accessed to destroy things. Unfortunately, when I refreshed the directory, I found out the hacker still had access to my server and was deleting things. The hacker deleted all the raw log files and cPanel settings, which left no trace of the last login IP or access logs.
Fortunately, I had a backup of all the domains, and I have set up a way to get a backup of all the databases daily by email. So luckily I was able to restore most of the data. The server company has also helped me in restoring the data, and they had a backup of my files too (which every server/hosting company promises). But so far, I’m still not able to recover my email addresses and their data, but I’m pretty sure that the server company must have that too.
What did I learn from this hack?
- Never leave any folder or file with CHMOD 777. Though I never had any folder or file as CHMOD 777, there still might be some backdoor that I left open myself.
- Always keep a backup on a regular basis.
- Third lesson: usually what everyone does (including me) is to keep a backup of the public_html or http directory. We usually don’t care about the other directories. That is absolutely wrong, and I think I lost some of my data there.
- Scan your system biweekly in case you are infected with some keylogger that gave away the username/password to your services.
- Scan your server/hosting biweekly with an antivirus as well.
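The first and third lessons above can be turned into a routine check. The script below is an added example and not part of the original post or the author's setup: it lists and tightens world-writable (mode 777) files and directories under a web root, and it archives the whole home directory rather than only public_html. The web root and backup destination are passed in as arguments; the paths in the comments are placeholders, and the 755/644 modes are a common default for static web content, not a value taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post).
# Audits a directory tree for world-writable entries and backs up a home
# directory. Paths are placeholders supplied by the caller.

# Print every file or directory under $1 that is writable by "other",
# i.e. anything an attacker who lands as any local user could modify.
# Symlinks are skipped because their mode is not meaningful.
find_world_writable() {
    find "$1" ! -type l -perm -o+w -print 2>/dev/null
}

# Return the number of such entries, handy for a cron job that alerts
# when the count is not zero.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Tighten permissions: directories to 755, regular files to 644.
# Adjust for any path the web server must legitimately write to
# (upload folders, caches); those should be owned by the server user,
# not opened to everyone.
fix_world_writable() {
    find "$1" ! -type l -type d -perm -o+w -exec chmod 755 {} +
    find "$1" ! -type l -type f -perm -o+w -exec chmod 644 {} +
}

# Lesson three: back up more than public_html. Archive the entire home
# directory ($1), which on a cPanel-style host holds mail and settings,
# into $2 as a dated tarball. Cache folders are excluded.
# usage: backup_home /home/example /backups   (placeholder paths)
backup_home() {
    tar -czf "$2/home-$(date +%Y%m%d).tar.gz" \
        --exclude='*/cache/*' \
        -C "$(dirname "$1")" "$(basename "$1")"
}

# Typical run, e.g. from a biweekly cron job (placeholder paths):
#   count_world_writable /home/example/public_html
#   fix_world_writable   /home/example/public_html
#   backup_home          /home/example /backups
```

Run the audit first and read the list before running the fix, so a directory that a CMS genuinely needs to write to is not silently locked down. The backup path should live outside the web root and ideally off the server, since in the incident above the attacker deleted whatever they could reach.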