Yes, the "hackers" have been hacked pretty badly. Up until now, even though the site has been brought back from the hell, it’s still suffering from the damage. A lot of the posts are still missing images or having the wrong images on them, and the traffic are considerably low comparing to the days before the attack. We are still working on fixing them as we speak.
So, what really happened? To be honest, still not quite sure. It could be one of the plugins we installed that opens the door to the hackers or could be the web server that’s vulnerable, or could be both. But without the help from the hosting company, I had no way finding it out.
It’s quite a story if you want to hear. I believe it all started about a month ago when I noticed one of our Ad spot got hacked and injected with hacker’s own Adsense Publisher ID. I had been fighting with them since then.
- I reported the unauthorized Adsense Publish ID "ca-pub-0836887287587273" to Google Adsese but got no reply from them.
- I filed up a ticket to my hosting company, Arvixe, suggesting a conduct to investigate the issue but was told it could just be my site that’s vulnerable.
- I kept changing the codes on the site trying to make hard for the hackers to steal the money from us.
And when I thought I eventually overcame them, I lost the war completely early yesterday morning. These bastards managed to completely wipe out the whole website, including the backend database. All I saw when I logged into FTP is a blank folder with nothing in it, not even a single file like default.htm.
Totally doomed. Out of the hope of restoring it on our own because we don’t have the latest backup, I submit an urgent ticket to my hosting support asking a restore from the latest backup. And that’s when another nightmare started.
8:04am: ticket submitted
8:18am: asking which backup to restore, April 7 or April 9.
8:21am: I informed them to use April 9′s backup
9:31am: I informed them that the database also needs to be restored.
10:29am: asking how long it takes.
12:55pm: asking again.
5:08pm: got response back informing me that they have queued the restoration of data and they will update me once it’s finished.
6:02pm: got another response telling me that they are facing some issues restoring the backups and they are currently trying to troubleshoot the issues.
No communication from them for the rest of the day.
6:21am: response saying that sorry for the inconvenience caused…"Unfortunately the restoration process was interrupted due to some network problems. I have re-initiated the process now, You will be updated once it is completed. Mean while your patience is greatly appreciated.".
11:27am: after another 5 hours waiting with no response. I asked them again what the status was.
1:45pm: got response from their Technical Operation Officer telling me that the issue is still being looked into by a lead admin, and they are working on it actively.
No matter how active they were or are, that’s the last words I heard from the so-called tech support.
With no hope restoring the site from the latest backup, we started our manual process and managed to partially bring the site live around 5:00pm on Day 2 of the incident. Because we restored it on another web server we need to update the DNS to reflect the change. Because DNS changes take time to propagate, some of users out there may still not be able to connect to us.
It’s a hard hit and we’ve learned the lessons a tough way. The hardest lesson we learn is not to have our own backups and we ensure we will do that by our own from now on.
Sorry to those who came to our site hoping to get useful information to solve their problems but only found a 500 error page. Thanks to those who didn’t stop and came back.
Last words to you, the hacker who brought us down. You have won the battle and got rewarded not seeing us being online fighting for the "hacker" title for the past two days. So please leave us alone from now on. After all, we are the "hackers" with quotation marks that only help people.