It was a pleasant Sunday afternoon. Not much distraction in the day. The sun was out, the grass was green. Even though it was a Sunday at the beginning of November, it wasn't cold out. Rather, the sun warmed the land to a pleasant temperature of 70 degrees Fahrenheit. My phone does the classic Android ring. An email pops up from my old boss describing a hack on his party store website in three short sentences, with a memo to call soon.
Well, there goes my night and plans to chill under the stars, I guess.
Instead I open up my rickety laptop and plug it into my dock. I connected it to an external monitor and got to work.
I began editing the files of the site. The hacker did a mediocre job of covering his tracks. Log files were all in place, and I was able to discern that the IPs of the people who hacked the site were from Bangladesh. Easy enough, I thought.
The whole process was quite easy. Doing a quick audit of the site, I found the suspicious files in question: 'i47', '1337', 'dbkiss', 'toor', etc. All classic naming conventions for a cliché hacker. Nothing to it: just delete the offending files, send the site back to the client, and that's it. Will there be enough time to chill and watch the stars?
My hopes went up.
Alas, my curiosity overtook me; I had to look through and find out which vulnerability was exploited, and how. What estranged sleep-deprived college student would not?
The exploit preyed on out-of-date WordPress plugins, then used a symlink bypass on the server to gain access to the website's file directories. The rest is history.
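As an added defensive check, not part of the original post or the author's own tooling, here is the audit step from the story in Python: walk a WordPress web root, flag any symlink that resolves outside that root (the trace a symlink bypass leaves behind), and flag dropped files carrying the names quoted above. The file tree it scans is constructed inline, and the suspicious-name list is an assumption taken from the names in this write-up.

```python
"""Audit a web root for two artefacts from the incident above:
symlinks escaping the document root, and dropped tool files."""
import os
import tempfile
from pathlib import Path

# Assumed list, built from the file names quoted in the write-up.
SUSPICIOUS_NAMES = {"i47", "1337", "dbkiss", "toor"}


def escaping_symlinks(web_root):
    """Return (link, target) pairs for symlinks that resolve outside web_root."""
    root = Path(web_root).resolve()
    found = []
    # os.walk does not follow symlinked directories, so we never leave root.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()  # non-strict: dangling links still resolve
            if target != root and root not in target.parents:
                found.append((str(link), str(target)))
    return found


def suspicious_files(web_root, names=SUSPICIOUS_NAMES):
    """Return paths whose file name or stem matches the attacker's naming list."""
    hits = []
    for dirpath, _, filenames in os.walk(web_root):
        for fname in filenames:
            if fname in names or Path(fname).stem in names:
                hits.append(str(Path(dirpath) / fname))
    return hits


def build_demo_root():
    """Create a constructed, throwaway WordPress-like tree for the demo."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (root / "index.php").write_text("<?php // placeholder\n")
    (uploads / "dbkiss.php").write_text("<?php // dropped tool (constructed)\n")
    (root / "index-link.php").symlink_to(root / "index.php")  # stays inside root
    (uploads / "link").symlink_to("/etc/passwd")              # escapes the root
    return str(root)


if __name__ == "__main__":
    demo = build_demo_root()
    print("escaping symlinks:", escaping_symlinks(demo))
    print("suspicious files:", suspicious_files(demo))
```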
The hacked site was most notably defaced by "HACKED by R3DC0D3R". In the files that gave the attacker access, the username used to log into the database through dbkiss was R3dc0d3r, too. Interesting, I didn't even know hackers still named themselves like some superficial hacker celebrity from 1993.
A quick Google search came up with a YouTube channel going by R3dC0D3R. I got lucky: it described the entire process through which to 'Symlink Bypass' a server running WordPress. Phew, that saved me some work. The videos go through the exact process the hacker did, right here. Interestingly, the same user has multiple channels describing his processes. Like this one.
I restored the website to its former glory, no funny business going on anymore. Yet, in researching the people who hacked the site, I came across a curious forum named "Cyb3rSw0rd". Uh-oh, it seems R3DC0D3R has some friends. Let's see what they are up to.
This is their ABOUT page:
Funny: In their world, 'Security' does not exist in the dictionary.
Otherwise, they salute Islamic Hackers who "Fight for the Human Right".
At this point, I concluded I was dealing with some kind of Islamic Hacker group out to get my boss. Frankly, I found it kind of amusing. At the time, I thought nothing of it. In fact, I thought it a great idea to provoke them!
So I did. I went on their forum and made a particularly inflammatory post. I mean, if they operate on the clearnet, they should expect the worst, right? Here is how it went:
Then they responded in pseudo-broken English:
"Are Your Mind?!?!"
Deeply Philosophical Quote by Cyb3rSw0rd Hacker
I checked if I could get anything else out of them:
OK so, maybe my methods were not the best. I cursed them out a bit, criticized their forum design, shouted out some stereotypes. I even tried scaring them a bit with that last sentence. Did I go too far? I don't think so. Even so, the posts were made to be awkward; I was going for something funny, but I guess I just have a sick sense of humor.
Besides, these guys sicken me. Every time I look through that forum, I see posts of people looking to fix their site. Cyb3rSw0rd will get it back up for them, but at a ransom. It's like gang 'protection' all over again. Before running into this problem with my boss's site, I honestly had no idea stuff like this existed.
Then the shootings by ISIS in Paris happened. It was, and still is, scary. My heart goes out to all those who were affected.
I didn't correlate the two events at first. When I did, I wondered if this amusing and seemingly ineffective hacker group had something to do with ISIS. So, I headed back over to the forum and asked. I could supply you with another image, but they never responded. I didn't point any fingers, just asked if they by any chance operated under ISIS.
Since I received no response, I cannot say for sure. My intuition, however, says they do not. I feel like they would be a bit more explicit on their About Me page if they did.
Still, I didn't get to chill under the stars that night... Each to their own, I guess.
An email to the owners of the out-of-date WordPress plugins at the time said they had already released a patch after finding out about the vulnerability. It was mostly my boss's fault for not updating the plugins, which got him into this situation.
I see you reddit ;)
Anyway, I'm not the most experienced hacker when it comes to protecting against attacks, and the information in this article may be off. I am by no means an expert. To be honest, most of the time I didn't really know what I was doing, but since my boss didn't want to pay for a professional service and I would do it for next to nothing, I figured it would be an interesting learning experience and a step on the way to figuring out the more intricate details of some hacking procedures. It was not what one may call 'high-risk', either: the website isn't integral to his business, and I informed him of my inexperience before he handed me the task. I wrote this article mostly for entertainment value, and thought it would be a good first article to post to my new blog.
I hope you enjoyed the article! If you did, make sure to share it around on Social Media :D