Another Crisis: Hacked by Triple Defacer.

Blogging and self hosting is such a pain at all the wrong places. It becomes worst if the Host offering vps is new or inexperienced. GIC Webworld appears to be such a host. But they will rank several notch above hosting.india.to about whom I shall soon write a review. Few months back we (me and few friends) had started a legal online magazine at LawAndJustice.Asia. Since day before yesterday at night, somebody broke into the servers of my host and uploaded a script. Infact this somebody is known or proclaimed (see screen shot.) They are turkhackteam.net.

Who are these people. Why they are what they are. Why violence is so important. The web is really a reflection of human mind.

This screen shot is generated from a script. Part of script is as under:

<!–DOCTYPE html>
<!– saved from url=(0026)http://lawandjustice.asia/ –>
<html lang=”en-US” prefix=”og: http://ogp.me/ns#”><head><meta http-equiv=”Content-Type” content=”text/html; charset=UTF-8″><title>Hacked By Triple Defacers</title>

var adfly_id = 5422646;
</script>

<script type=”text/javascript”>
var adfly_id = 5422646;
var adfly_advert = ‘int’;
var frequency_cap = 5;
var frequency_delay = 5;
var init_delay = 3;
var popunder = true;
</script>

Now the interesting part is to find location of this script. Where it is?

Searching “Hacked by Triple defacer” on Google reveals that numerous websites (some working fine) have these words in their header or somewhere including the above one but we and our host are not able to find it’s location.

The option they suggest is to re-install. But that is no solution. If there is a vulnerability, it must be addressed first. May be I should, not only re-install but also relocate it!

I am very much tempted to re-install the whole thing but they can do it again. Or may be the problem may be somewhere else because serving host is naïve and his suggestion is a mere speculation. Until they actually find the problem, it just an educated guess.

Surprising thing is that wp install is perfectly fine. Word fence detected the changes I had made in one file but except that there is nothing to detect. iTheme is the other security and it reported nothing.

Any help out there? Waiting for some good Samaritan.

There is one thing I did change. Anonymous ftp account is open by default. I do not know why? I have unchecked it and now doing a fresh install. Let us see, what happens.