We've Been Hacked


Yes, the "hackers" have been hacked, and badly. Even though the site has been brought back from the dead, it is still suffering from the damage: many posts are still missing images or show the wrong ones, and traffic is considerably lower than it was before the attack. We are still working on fixing these as we speak.

So, what really happened? To be honest, I am still not quite sure. It could have been one of the plugins we installed that opened the door to the attackers, or a vulnerable web server, or both. But without help from the hosting company, who hold the server logs, I had no way of finding out.

It’s quite a story, if you want to hear it. I believe it all started about a month ago, when I noticed that one of our ad spots had been tampered with and injected with the attacker’s own AdSense publisher ID, so that the revenue from that spot went to them instead of us. I had been fighting them ever since.

  • I reported the unauthorized AdSense publisher ID "ca-pub-0836887287587273" to Google AdSense but got no reply.
  • I filed a ticket with my hosting company, Arvixe, asking them to investigate, but was told it could simply be my own site that was vulnerable.
  • I kept changing the code on the site, trying to make it harder for the attackers to divert the ad revenue.
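One check that could have been automated during that month-long fight, added here as an example and not code from the original post: scan the markup of each page and flag any AdSense publisher ID that is not your own. The allowlisted publisher ID and the sample pages below are constructed for illustration; the two flagged IDs are the ones reported in this post and in its comments.

```python
import re
from typing import Dict, List, Set

# AdSense publisher IDs appear in page markup either in the modern
# "ca-pub-<16 digits>" form (data-ad-client, google_ad_client) or in the
# legacy "pub-<16 digits>" form used by older ad code. Both are matched,
# and only the 16-digit part is captured so the two spellings compare equal.
PUB_ID_RE = re.compile(r"\b(?:ca-)?pub-(\d{16})\b")

# Hypothetical publisher ID standing in for the site's own account.
OWN_PUBLISHER_ID = "1234567890123456"

# Constructed sample pages, not real crawl data. The second ID is the one
# the post reports as injected; the third is the one reported in the comments.
SAMPLE_PAGES: Dict[str, str] = {
    "/index.php": (
        '<script>google_ad_client = "ca-pub-1234567890123456";</script>'
    ),
    "/post/fix-500-error.html": (
        '<ins class="adsbygoogle" data-ad-client="ca-pub-0836887287587273">'
    ),
    "/post/dns-propagation.html": (
        '<script>google_ad_client = "pub-2485962236568914";</script>'
        '<script>google_ad_client = "ca-pub-1234567890123456";</script>'
    ),
    "/about.html": "<p>No ads on this page.</p>",
}


def find_publisher_ids(html: str) -> Set[str]:
    """Return every 16-digit AdSense publisher ID present in the markup."""
    return set(PUB_ID_RE.findall(html))


def unauthorized_publisher_ids(html: str, allowed: Set[str]) -> Set[str]:
    """Return publisher IDs in the markup that are not in the allowlist."""
    return find_publisher_ids(html) - allowed


def audit_pages(pages: Dict[str, str], allowed: Set[str]) -> Dict[str, List[str]]:
    """Map each page path to the sorted list of foreign publisher IDs it serves.

    Pages that carry only allowlisted IDs (or no ads at all) are omitted, so
    an empty result means no ad spot is sending revenue elsewhere.
    """
    findings: Dict[str, List[str]] = {}
    for path, html in pages.items():
        foreign = unauthorized_publisher_ids(html, allowed)
        if foreign:
            findings[path] = sorted(foreign)
    return findings


if __name__ == "__main__":
    report = audit_pages(SAMPLE_PAGES, {OWN_PUBLISHER_ID})
    for path, ids in report.items():
        print(f"{path}: unauthorized publisher ID(s) {', '.join(ids)}")
    if not report:
        print("All ad spots point at the allowlisted publisher ID.")
```

In practice you would feed `audit_pages` the HTML fetched from your live site on a schedule. The scan only sees the markup you give it, so if ad code is injected client-side by a script, check the rendered page as well; and a clean report says only that the symptom is gone, not that the hole the attacker used has been closed.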

And just when I thought I had finally beaten them, I lost the war completely early yesterday morning. These bastards managed to wipe out the whole website, including the backend database. All I saw when I logged in over FTP was an empty folder with nothing in it, not even a default.htm.

Totally doomed. With no hope of restoring it ourselves, because we did not have a recent backup of our own, I submitted an urgent ticket to hosting support asking for a restore from their latest backup. And that’s when another nightmare started.

Day 1:

8:04am: ticket submitted

8:18am: support asked which backup to restore, April 7 or April 9.

8:21am: I told them to use the April 9 backup.

9:31am: I told them that the database also needed to be restored.

10:29am: I asked how long it would take.

12:55pm: I asked again.

5:08pm: response informing me that they had queued the restoration and would update me once it finished.

6:02pm: another response telling me that they were having trouble restoring the backups and were troubleshooting the issue.

No communication from them for the rest of the day.

Day 2:

6:21am: response apologizing for the inconvenience caused: "Unfortunately the restoration process was interrupted due to some network problems. I have re-initiated the process now. You will be updated once it is completed. Meanwhile your patience is greatly appreciated."

11:27am: after another five hours with no response, I asked them again what the status was.

1:45pm: response from their Technical Operation Officer telling me that the issue was still being looked into by a lead admin and that they were actively working on it.

However actively they were working on it, those were the last words I heard from the so-called tech support.

With no hope of the site being restored from the host’s backup, we started rebuilding it manually and managed to bring it partially back online around 5:00pm on Day 2 of the incident. Because we restored it on a different web server, we had to update DNS to point at the new one, and because DNS changes take time to propagate (resolvers keep the old records until their TTL expires), some users may still not be able to reach us.

It’s a hard hit, and we’ve learned our lessons the tough way. The hardest one was not keeping our own backups and relying on the host’s instead. From now on we will take them ourselves, and keep them somewhere other than the hosting account, since everything in that account was wiped.

Sorry to those who came to our site hoping to find useful information and found only a 500 error page. Thanks to those who didn’t give up and came back.

Last words to you, the hacker who brought us down: you have won the battle and had your reward, not seeing us online and fighting for the "hacker" title for the past two days. So please leave us alone from now on. After all, we are the "hackers" in quotation marks, the kind that only help people.

5 COMMENTS

  1. Pretty embarrassing, wouldn’t you say? Especially given the name of your site.

    Sounds like you’re running with insecure directory permissions, outdated software with open holes, or a combination of the two? Either way, you should learn how to secure your site. Backups are a must. I back up my own site every single day, which is entirely automated. Yes, I check it periodically to make sure the backups occur as scheduled. I even test backups with a sandbox VM to be sure I can actually restore my site if needed.

    Sorry to hear that you were hacked, but this is indeed a wake up call.

    Need help? Feel free to email me and I can give you some pointers, depending on what OS environment your site runs on.

    • Totally. Very embarrassing, and frustrating too.

      You are absolutely right. But unless we move to a dedicated or VPS plan, we don’t have the rights to put our hands on our site to secure it. Considering the size the site has grown to, it’s time to think a bit differently now. We might just move the site over to WordPress.com with a premium package that allows us to use the domain and our own theme.

      Thanks for coming back, Braden. What’s your website anyway?

  2. This is a bummer. Not familiar with hardening a site, and it’s probably pretty complex. However, hopefully you only lost the delta between the known good backup and the hacked outage.

    Anyway good luck with the recovery.

  3. Hi, today I realized that the same happened to me, and to my surprise I am hosted at Arvixe too!! I think it is too much of a coincidence. I found the ID that was injected on your site, 0836887287587273, and on other sites a new one, 2485962236568914. I will complain to Arvixe too. What was your way to finally overcome the problem? Thank you

    • Sorry to hear that, John. We ended up having to move to another hosting plan, and moved again to the current hosting company a few months ago. We finally feel settled here. 🙂
