Breaking: blog which exposed the Hamdania/Haditha incident is hacked

http://euphoricreality.com/ | 04/16/2008 | RaceBannon

[RaceBannon]

The site of Freeper EUPHORIADEV was hacked. She has lost over 2 years worth of data.

Euphoriadev was covering the Haditha and Hamdania incident extensively

she has lost over 2 years worth of data

we do NOT believe it is the people who are claiming the hack

[RaceBannon]

The site of Freeper EUPHORIADEV was hacked. She has lost over 2 years worth of data.

Euphoriadev was covering the Haditha and Hamdania incident extensively

she has lost over 2 years worth of data

we do NOT believe it is the people who are claiming the hack

[RaceBannon]

We do NOT believe it is the people who are claiming to have done it

[Carling]

I assume you have everything backed up in a secure hard drive?

[woofie]

no off site backup?

[Grizzled Bear]

Damn! Does she have any of her data saved to a back up system? How much of her data was posted here?

[stravinskyrules]

No off site backup or simple hardware backup?

If not, no soup for you.

[Cicero]

I was also hoping there’s a backup. Also, if not, if any freepers might have any of it stored on their computers?

[KoRn]

"she has lost over 2 years worth of data"

She never considered a backup?

[RaceBannon]

No, due to outside circumstances, the backups were not done for the last 2 months

and the backups that WERE done are hacked and destroyed

[rockinqsranch]

So who’s claiming to have done it, and if they didn’t really do it, why do you think who you think is responsible is responsible? This is terrible news.

[RaceBannon]

Any WORDPRESS assistance is appreciated

[eXe]

OK couple of things..

First off judging by the menus and the way the site was hacked.. this simply looks like an SQL injection hack. I’m assuming that site is run off wordpress or some other blog software. Its MIGHT not be a total loss. Get someone who knows SQL and let them look at your database.

Second.. I run a hosting company.. Our colo facility backs up our data nightly.. so if I were to be hacked, while costly I could get all my stuff back.. See if the site host that is hosting the site has a similar backup.

Let me know if I can help ya.. I’m no SQL guru but I might be able to give you some pointers.

[RaceBannon]

Your help is appreciated, please stand by! :)

[eXe]

K Ill be up for a little bit longer.. Ill look at the site and see if I can figure anything out from just looking at it.

[mojo114]

Perhaps one of our wizards on FReeRepublic will be able to help and we have some fine ones.Nothing on computers is really lost. Let’s try to to contact some of them tomorrow. Please don’t worry too much someone will come up with something.

[It Aint Easy]

If you goto google and search the domain name with omitted results, you should be able to pull up the cached pages. I see there is quite a bit of cached text.

[perfect stranger]

http://web.archive.org/web/*/http://euphoricreality.com/

If it helps.

[Chameleon]

Keep me informed - I know a thing or two about Wordpress and will help however I can...

[HAL9000]

Sorry to hear about this.

It looks like the site is hosted at a server farm that is running an old version of Apache web server with FrontPage extensions. Not advisible, in my opinion.

[It Aint Easy]

Erm, looks like all the posts are actually there on the site still, they just included a post and their pic and text to it.

The database should be fine if a backup is made likely.

You might be able to delete everything, format the site, and re-upload the database (with their post removed) and it should be back to normal possibly.

[eXe]

Yeah if this is an SQL injection hack (Which I suspect) any any posts are appearing as deleted.. trust me.. they are in there.

I had a few older PHPNuke sites hit with this till I locked them down and good.

[euphoriadev]

I had nightly backups on two servers. All are gone.

I had offsite backups. They are gone.

They got in all the way to the cpanel and deleted databases under two domains. I am currently working to try and get back into the site enough to fix it.

And no. I don’t think it was Islamics. Here’s a list of the recent hits on my site:

Oceanside California United States
gate23-sandiego.nmci.usmc.mil (138.162.140.53)

Oceanside California United States
gate25-sandiego.nmci.usmc.mil (138.162.140.55)

Halifax Nova Scotia Canada
iusr5.gov.ns.ca

Washington District Of Columbia United States
weppsb02.northropgrumman.com (155.104.37.18)

Washington District Of Columbia United States
70.106.14.174

Dhahran Ash Sharqiyah Saudi Arabia
166.87.170.50

Amman Jordan
86.108.92.154

Colorado Springs Colorado United States
fwcluster.mda.mil (140.32.120.188)

Halethorpe Maryland United States
firewall.arinc.com (144.243.4.2)

Montgomery Alabama United States
proxy.maxwell.af.mil (132.60.240.80)

Springfield Missouri United States
unassigned.fema.gov (71.252.64.50) FEMA.GOV

Gaithersburg Maryland United States
roanoke.ncsl.nist.gov (129.6.101.38) NIST

Gaithersburg Maryland United States
rhine.ncsl.nist.gov (129.6.101.11) NIST

Also entries from guildassociates.com. GO to that site.

Anyone who has ANY of my old material on the Pendleton 8, please email me asap. kit.lange@gmail.com

Thanks so much.

[Chameleon]

Agreed - looks like the site data is still there...Seems almost like they changed the header.php and index.php files in the theme (which should be in /wp-content/themes/yourtheme/.

[euphoriadev]

Actually, they deleted exactly two years’ worth of posts. Nothing more.

Which is interesting, because two years ago this month is when I started writing about the Pendleton 8.

The user database is gone as well, along with categories, tags, and anything else even remotely containing anything about the Pendleton 8.

And for those saying “didn’t she think of a backup?”...of course I did. This isn’t my first rodeo, ya know. ;) They GOT the backups. I have nightly ones done. They’re all gone, as I mentioned.

[Kirkwood]

Try the Internet Wayback machine.

http://www.archive.org/web/web.php

[eXe]

I did some digging and see that you are hosted at ThePlanet.. I know for a fact that they do nightly backup of their servers.. so while its going to cost a bit.. any way you can call them and get it restored back to say.. last night? At least the site would be back.

As to the hack.. its a pretty common problem with wordpress.. seems there is a hack that exploits the input validation error in the wp-login.php file when processing a specially crafted variable, can be used to manipulate the “Forgotten Password” option.

Can you still log into the back end of wordpress or did they change your password as well?

I hope you can get the site up and running again.. I cant stand hackers no matter who they are.

[It Aint Easy]

Is this what you are looking for? Cached Cached Cached etc...

[eXe]

Ahh ok so they got offsite backups as well.. Damn.. that stinks.

[euphoriadev]

I was finally able to get into the backend of the cpanel and from there I just altered the user tables to get back in to WP. Now I can look at the extent of the damage...they freaking GUTTED my site. Pieces of @&*^@#. ANYWAY.

It’ll take a few days, but I’m sure I can get the site running again at least.

Can someone please take screenshots of it as is before I start cleaning the mess? I have no capability on this computer of doing that.

[eXe]

Gimme a sec.. Ill take a screenshot of the main page and post it on one of my servers for you to download.

[Buddy B]

Registrant:
Domains by Proxy, Inc. DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, Inc.
(http://www.godaddy.com)
Domain Name: EUPHORICREALITY.COM
Created on: 07-Jun-05
Expires on: 07-Jun-09
Last Updated on: 06-Apr-08

Administrative Contact:
Private, Registration EUPHORICREALITY.COM@domainsbyproxy.com
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599

Technical Contact:
Private, Registration EUPHORICREALITY.COM@domainsbyproxy.com Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599

Domain servers in listed order:
NS183.HOSTGATOR.COM
NS184.HOSTGATOR.COM

----------------------------

EUPHORICREALITY.COM
Hosted at HOSTGATOR WEB HOSTING

[euphoriadev]

I’m online with the hosting company now. They are quite embarrassed. They’re also about to lose a lot of business, as all the sites I admin for are hosted there.

[eXe]

Ok images of the site (I needed to do a few.. heh it was a long page) are located on my west coast hosting box at

http://www.exedor.net/pics/euphoriadev

Is that good enough.. or do ya need more?

[Chameleon]

Hostgator is pretty good in my experience...Don’t be too hasty....But then, LiquidWeb has been the best I’ve used.

I would be very interested in knowing more about the attack, and the best ways to avoid such attacks.

[HAL9000]

Here is a description of a PHP injection attack with PodPress:

http://www.yugatech.com/blog/the-internet/hack-attack-in-progress/

The script example shows how the exploit tries several possible methods of acquiring the web server’s user ID.

[Buddy B]

Your HTML is on the server but the HTML is changed slightly at top of the page.

Here is one page...take a look...

The Halls’ Rebuttal- Updated

[The Spirit Of Allegiance]

Ping for any assistance and cached info ASAP.

A wing and a prayer for our heroes and those defending them.

[euphoriadev]

Perfect. You’re a doll.

[TBP]

BTTT.

[The Spirit Of Allegiance]

ping

[weegee]

As soon as you host it online, you have uploaded it “offsite” from your home. The provider has no backups of their network?

The provider has no responsibility for their network against hacked attacks?

[Fichori]

euphoriadev:

I noticed those screen shots show what appears to be Arabic.


A quick google search turned up this
(below is a firebug HTML copy/paste from the above link)

black.scorpion

Registered user # 13942
Your web site: http://www.13x17.org
Your e-mail address: amirianvahid@yahoo.com
Yahoo! Messenger ID: amirianvahid
MSN Messenger: vahid.amirian@hotmail.com
Location: IRAN

Signature:
:: Black Scorpion ::

User's current status: Off-line.

[ Send private message black.scorpion ]

Last 10 comments by black.scorpion:

Last 10 news submissions by black.scorpion:

The website of the 'black.scorpion' mentioned on hackinthebox.org seems to be entirely in Arabic.

So there are 4 major possibilities:

The person responsible is this 'black.scorpion' person
The person responsible is copying this 'black.scorpion' person
The person responsible is framing this 'black.scorpion' person
The 'black.scorpion' person is totally unrelated to the person who hacked your site.


So the question is, who would have a motive?

[freema]

[freema]

http://euphoricreality.com/

[freema]

ping

[freema]

Innocent until proven guilty; The Pendleton 8: We are not going down without a fight

[euphoriadev]

UPDATE: They did it again. I had the site half back to normal (although missing two years’ of posts), and they freaking did it again.

On my way to the day job now...no time to fix. GUess it’s gotta stay this way for a bit.

[RaceBannon]

TO ALL:

THIS IS A LIST FROM EUPHORIADEV AS TO WHAT WAS DONE AND WHO RECENTLY VISITEDD HER SITE. NOTE ALL THE MILITARY SITES THAT VISITED HER SITE RECENTLY

I had nightly backups on two servers. All are gone.

I had offsite backups. They are gone.

They got in all the way to the cpanel and deleted databases under two domains. I am currently working to try and get back into the site enough to fix it.

And no. I don’t think it was Islamics. Here’s a list of the recent hits on my site:

Oceanside California United States
gate23-sandiego.nmci.usmc.mil (138.162.140.53)

Oceanside California United States
gate25-sandiego.nmci.usmc.mil (138.162.140.55)

Halifax Nova Scotia Canada
iusr5.gov.ns.ca

Washington District Of Columbia United States
weppsb02.northropgrumman.com (155.104.37.18)

Washington District Of Columbia United States
70.106.14.174

Dhahran Ash Sharqiyah Saudi Arabia
166.87.170.50

Amman Jordan
86.108.92.154

Colorado Springs Colorado United States
fwcluster.mda.mil (140.32.120.188)

Halethorpe Maryland United States
firewall.arinc.com (144.243.4.2)

Montgomery Alabama United States
proxy.maxwell.af.mil (132.60.240.80)

Springfield Missouri United States
unassigned.fema.gov (71.252.64.50) FEMA.GOV

Gaithersburg Maryland United States
roanoke.ncsl.nist.gov (129.6.101.38) NIST

Gaithersburg Maryland United States
rhine.ncsl.nist.gov (129.6.101.11) NIST

Also entries from guildassociates.com. GO to that site.

Anyone who has ANY of my old material on the Pendleton 8, please email me asap. kit.lange@gmail.com

Thanks so much.

[Tribune7]

How did they access your offsite backups?

[tsmith130]

UPDATE: They did it again. I had the site half back to normal (although missing two years’ of posts), and they freaking did it again.

Anyway to tell who the last visit was from this time? If so, does it match any of the last visits from your previous list?