Labnol: Our Theories On What Happened

Labnol (or Digital Inspiration) and all of Amit’s blogs and websites were recently taken down by hackers (fortunately, they’re back now).

Here are a few theories on how the hackers gained access, and how you can stay safe.

What we know –

  • All sites by Amit were deleted
  • The hacking happened before 30 June, 11:32 PM, most probably within a 24-hour timespan.
  • They were up and running around 1st July, 9 – 10 PM.

You can refer to Amit’s tweet here: https://twitter.com/labnol/status/219317563564367872

How did the hackers get in?

There are many theories on this. Here are a few of them, ordered by plausibility –

  • 1. Brute-force attack on cPanel – If Amit Agarwal had a weak cPanel password, there is a chance that it was brute-forced. Brute-forcing is a technique in which the attacker tries as many character combinations as possible. The attacker usually starts out with dictionary words, then includes numbers, names, birthdates, and so on. If the sites were hacked using brute force, it could’ve taken the hacker around 1 – 25 hours.
  • 2. Learning Amit’s password elsewhere, then trying it on cPanel/WordPress – If Amit used the same password on every site, the hackers could’ve cracked a smaller, weaker site he had registered on, obtained his credentials, and then tried them on his cPanel/WordPress. If they worked there, the hackers were lucky; otherwise they might have figured out a pattern in the password and applied it to his cPanel/WordPress. LinkedIn was recently hacked. Could it be that the hackers got Amit’s password from there and then used it on his blog?
  • 3. Exploiting a WordPress plugin – If Amit installed a plugin recently, it could be that the plugin was vulnerable, and the hackers got access by exploiting its vulnerability.
  • 4. Exploiting WordPress’ vulnerability(ies) – Now, this may seem the least likely to you, but there’s still a small chance that one of WP’s loopholes was exploited.

If you believe that WP doesn’t HAVE any loopholes, think about this:

What are those “fixes” that are done on every version of WordPress?

Uh-oh! What can I do?

  • 1. Try to change your cPanel username. You have to contact your host for this; most hosts don’t entertain this change, but if yours does, you’re a lucky person :D.
  • 2. Increase your password strength. Your password should be at least 12 characters long, preferably with a few numbers and special characters mixed in (!, 1, 7, *). The way this comic shows is okay too. Below I have listed some useful resources on creating a secure password.

    – Tips For Creating Secure And Strong Passwords

    – Is Your Password Hackable? [INFOGRAPHIC]

  • 3. Change your WordPress username. If people know your username, they already have a puzzle piece in place. Your name shouldn’t be the username, and the generic “admin” is the worst choice. Changing your username gives you an extra level of security. (Also, make sure your nickname, which is shown on comments and posts, is different from your username.)
  • 4. Keep different passwords everywhere. If Amit’s blog was hacked using theory #2, it’s a good indication that you too have to use different passwords. For example, if the password to your Facebook account and to that shady site you were suspicious of are the same, that’s certainly not a good thing.
  • 5. Keep making regular backups. Back up your database, your WordPress posts, everything. Some useful posts about WordPress backups:

    – Using phpMyAdmin To Backup WordPress Database

    – Solid Tips For WordPress Backups [Simple Guide]

Conclusion

I hope that the hacking of a big site like Labnol teaches everyone a lesson: you are never too secure. Be sure to follow the above tips, and you’ll (most likely) be safe.

USEFUL: 20+ Basic Tips To Protect Your WordPress Blog

This article is written by Namanyay Goel. He’s a freelance web and graphic designer. He blogs at Mos Le Tech, where you can find design articles, tips and tricks, and tutorials.

European Space Agency (ESA) Website Hacked!

A hacker reportedly compromised ESA, opening up sensitive project logs and exposing hundreds of email addresses and passwords associated with some of Europe’s top science institutes.

The European Space Agency (ESA), an intergovernmental organization dedicated to the exploration of space, was hacked yesterday; the breach revealed sensitive project logs and other confidential details.

The hacker was also able to access the agency’s space projects, including satellite activities, calibration sources and environmental details.

The hacker, reportedly known by the alias TinKode, provided full disclosure on his site.


The European Space Agency (ESA) currently has 18 member states. Headquartered in Paris, ESA has a staff of more than 2,000 with an annual budget of about €3.99 billion / $5.65 billion US dollars (2011). ESA was established in 1975.

In his blog, he displayed previews of root accounts, emails, FTP accounts, etc.

GoDaddy WordPress Blogs Infected With Malware [Alert]

The majority of WordPress blogs hosted on GoDaddy were infected with some kind of malware for the past few days. I just confirmed this news with some sources.

GoDaddy released this statement on 09-18-2010 at 2:43pm CST,

An exploit affected PHP files on approximately 150 Go Daddy accounts Friday afternoon. Go Daddy’s Security Team worked quickly to clean and restore these websites, however, we have detected additional customer sites that may currently be experiencing difficulties due to this same attack.

Go Daddy’s Security Team has identified the cause. Our forensics have determined malicious files are being uploaded via FTP to customer websites. Go Daddy is asking all customers who believe they have a problem to change their FTP passwords.

Meantime, our team is working swiftly to restore all affected websites and appreciates customer feedback. Go Daddy will continue to monitor as long as it takes to ensure our customer accounts are clean.

If you suspect your site was impacted, please fill out our security submission form, located here – https://www.godaddy.com/community/contactus.aspx?ci=15534&section=support.

Thank you,

Todd Redfoot
Go Daddy Chief Information Security Officer


Common Symptoms Of This Malware

  • If you visit the infected website/blog, it redirects you to websites like http://www4.megaav-soft74.co.cc, etc.
  • The .php files located on the server have the same “last modified” date and approximately the same time.
  • You can find a long code like “<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc..." at the top of .php files. This is the code used to inject malicious JavaScript into many sites hosted at GoDaddy.
  • If you check the source code of the infected website, you can find one of these script tags:

    <script src="http://myblindstudioinfoonline.com/ll.php"> </script>

    or

    <script src="http://theblindstudioinfoonline.com/ll.php"> </script>


If Your Blog Is Infected By This Malware

You really need to calm down (like I did :D) and just follow the basic steps below.

  • Just stay calm and run a virus scan on your computer to make sure it is not infected.
  • Use a maintenance plugin and make your site inaccessible so that your visitors won’t be infected with this malware.
  • Change the passwords for FTP and WordPress.
  • Try this simple solution to remove all the malware:

    http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-the-latest-wordpress-hack.html

  • Remove the “eval(base64_decode("aWYoZnVuY3Rpb…” code from your theme files.
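The symptoms listed earlier and the cleanup step above can be turned into a small scan-and-strip script. This is an added example of mine, not code from the post, GoDaddy or Sucuri: it matches the `<?php /**/ eval(base64_decode("..."))` wrapper and the `ll.php` script tag quoted above, runs over a constructed sample tree, and strips the injected prelude; the sample file names and the harmless base64 blob are made up.

```python
import base64, re, tempfile
from pathlib import Path

# Wrapper of the prelude quoted in the post: open tag, empty /**/ comment, eval(base64_decode("...")),
# optional closing tag. The base64 blob itself is not matched, so the rule survives payload changes.
EVAL_RE = re.compile(r'<\?php\s*/\*\*/\s*eval\(base64_decode\(["\'][A-Za-z0-9+/=]+["\']\)\);?\s*(\?>)?')
# Remote include of ll.php that the post shows in the infected pages' source.
SCRIPT_RE = re.compile(r'<script\s+src="https?://[^"]+/ll\.php"\s*>\s*</script>', re.I)

def scan_tree(root):
    """Map each .php/.html file under root to the signatures it carries."""
    hits = {}
    for p in sorted(Path(root).rglob("*")):
        if p.suffix in (".php", ".html"):
            text = p.read_text(errors="replace")
            found = (["eval_base64_prelude"] if EVAL_RE.match(text) else []) + \
                    (["ll_php_script_tag"] if SCRIPT_RE.search(text) else [])
            if found:
                hits[p.relative_to(root).as_posix()] = found
    return hits

def strip_prelude(path):
    """Cleanup step from the post: drop the prelude; put back a plain open tag if it had no closing ?>."""
    p = Path(path); text = p.read_text(errors="replace")
    m = EVAL_RE.match(text)
    if m:
        p.write_text(text[m.end():] if m.group(1) else "<?php\n" + text[m.end():])
    return bool(m)

# Constructed sample: a harmless blob stands in for the real payload.
INJECTED = '<?php /**/ eval(base64_decode("%s"));?>' % base64.b64encode(b"echo 1;").decode()

def build_sample(root):
    """Constructed tree: two infected .php files, a saved page snapshot with the script tag, one clean file."""
    files = {"wp-config.php": INJECTED + "<?php define('DB_NAME', 'wp');\n",
             "wp-content/themes/t/header.php": INJECTED + "<?php /* theme header */ ?>\n<html>\n",
             "saved-page.html": '<html><head>\n<script src="http://myblindstudioinfoonline.com/ll.php"> </script>\n',
             "index.php": "<?php echo 'clean';\n"}
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)

def run(root=None):
    """Scan, strip the prelude from every hit, rescan; returns the findings for inspection."""
    root = root or tempfile.mkdtemp()
    build_sample(root)
    before = scan_tree(root)
    cleaned = sum(strip_prelude(Path(root, f)) for f, s in before.items() if "eval_base64_prelude" in s)
    return {"root": root, "before": before, "cleaned": cleaned, "after": scan_tree(root)}
```

The script tag in a saved page snapshot survives the strip on purpose: it is the output of the injected PHP, so it disappears only once every infected .php file has been cleaned and the page is re-fetched.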

P.S. It is recommended to use the latest version of your browser.


Google’s Safe Browsing Report

According to Google’s Safe Browsing report:

[Image: Google Safe Browsing Report]


If you are facing serious issues, then contact GoDaddy or a security service like Sucuri.