Posted on 04/16/2008 8:38:48 PM PDT by RaceBannon
The site of Freeper EUPHORIADEV was hacked. She has lost over 2 years' worth of data.
Euphoriadev was covering the Haditha and Hamdania incident extensively
she has lost over 2 years' worth of data
we do NOT believe it is the people who are claiming the hack
Yeah, if this is an SQL injection hack (which I suspect), any posts that are appearing as deleted.. trust me.. they are in there.
I had a few older PHPNuke sites hit with this till I locked them down and good.
I had nightly backups on two servers. All are gone.
I had offsite backups. They are gone.
They got in all the way to the cpanel and deleted databases under two domains. I am currently working to try and get back into the site enough to fix it.
And no. I don’t think it was Islamics. Here’s a list of the recent hits on my site:
Oceanside California United States
gate23-sandiego.nmci.usmc.mil (138.162.140.53)
Oceanside California United States
gate25-sandiego.nmci.usmc.mil (138.162.140.55)
Halifax Nova Scotia Canada
iusr5.gov.ns.ca
Washington District Of Columbia United States
weppsb02.northropgrumman.com (155.104.37.18)
Washington District Of Columbia United States
70.106.14.174
Dhahran Ash Sharqiyah Saudi Arabia
166.87.170.50
Amman Jordan
86.108.92.154
Colorado Springs Colorado United States
fwcluster.mda.mil (140.32.120.188)
Halethorpe Maryland United States
firewall.arinc.com (144.243.4.2)
Montgomery Alabama United States
proxy.maxwell.af.mil (132.60.240.80)
Springfield Missouri United States
unassigned.fema.gov (71.252.64.50) FEMA.GOV
Gaithersburg Maryland United States
roanoke.ncsl.nist.gov (129.6.101.38) NIST
Gaithersburg Maryland United States
rhine.ncsl.nist.gov (129.6.101.11) NIST
Also entries from guildassociates.com. GO to that site.
Anyone who has ANY of my old material on the Pendleton 8, please email me asap. kit.lange@gmail.com
Thanks so much.
Agreed - looks like the site data is still there...Seems almost like they changed the header.php and index.php files in the theme (which should be in /wp-content/themes/yourtheme/).
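A defender's check for the theme-file tampering suggested above, added here as an example (it is not code from this thread or from WordPress): build a SHA-256 manifest of every file under the theme directory while the site is known-good, keep that manifest off the web server, and later diff the live tree against it so an altered header.php or index.php, a dropped-in file, or a deleted file is reported. The theme directory, file names and contents below are constructed inside a temporary directory purely for the demo.

```python
"""Baseline-and-compare integrity check for a WordPress theme directory.

Added example, not code from the thread or from WordPress. All paths and
file contents are constructed in a temporary directory for demonstration.
"""
import hashlib
import json
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_manifest(baseline, current):
    """Diff two manifests; returns sorted lists of changed, added and removed paths."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "added": added, "removed": removed}


def demo():
    """Constructed scenario: baseline a theme, tamper with it, run the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = os.path.join(tmp, "wp-content", "themes", "yourtheme")
        os.makedirs(theme)
        originals = {
            "header.php": "<?php wp_head(); ?>\n",
            "index.php": "<?php get_header(); ?>\n",
            "style.css": "/* Theme Name: yourtheme */\n",
        }
        for name, body in originals.items():
            with open(os.path.join(theme, name), "w") as fh:
                fh.write(body)

        # The baseline would normally be written somewhere the web server
        # cannot modify; here it is just serialised to a string.
        saved_baseline = json.dumps(build_manifest(theme))

        # Simulated tampering: header.php altered, an unexpected file added,
        # style.css removed.
        with open(os.path.join(theme, "header.php"), "a") as fh:
            fh.write("<!-- unexpected change -->\n")
        with open(os.path.join(theme, "dropped.php"), "w") as fh:
            fh.write("unexpected file\n")
        os.remove(os.path.join(theme, "style.css"))

        return compare_manifest(json.loads(saved_baseline), build_manifest(theme))


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the baseline's storage: a manifest kept inside the web root can be rewritten by whoever rewrote the theme, so store it with the backups that live outside the hosting account.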
Actually, they deleted exactly two years’ worth of posts. Nothing more.
Which is interesting, because two years ago this month is when I started writing about the Pendleton 8.
The user database is gone as well, along with categories, tags, and anything else even remotely containing anything about the Pendleton 8.
And for those saying “didn’t she think of a backup?”...of course I did. This isn’t my first rodeo, ya know. ;) They GOT the backups. I have nightly ones done. They’re all gone, as I mentioned.
I did some digging and see that you are hosted at ThePlanet.. I know for a fact that they do nightly backup of their servers.. so while it's going to cost a bit.. any way you can call them and get it restored back to say.. last night? At least the site would be back.
As to the hack.. it's a pretty common problem with WordPress.. seems there is a hack that exploits the input validation error in the wp-login.php file when processing a specially crafted variable, which can be used to manipulate the "Forgotten Password" option.
Can you still log into the back end of wordpress or did they change your password as well?
I hope you can get the site up and running again.. I can't stand hackers no matter who they are.
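Abuse of the wp-login.php "Forgotten Password" path, as described in the reply above, leaves a trail in the web server's access log, so a site owner can at least detect it. The following is an added example (not code from this thread or from WordPress): it parses combined-format access log lines, keeps requests to wp-login.php whose action parameter is reset-related, and reports any client that sends more than THRESHOLD such requests within WINDOW seconds. The action values in RESET_ACTIONS, the threshold, and the log lines themselves are assumptions constructed for the demo.

```python
"""Flag bursts of password-reset requests to wp-login.php in an access log.

Added example, not code from the thread or from WordPress. The set of
reset-related action values, the window, the threshold and the sample log
lines are all constructed assumptions for demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
RESET_ACTIONS = {"lostpassword", "retrievepassword", "rp"}  # assumption about the deployment
WINDOW = 60     # seconds
THRESHOLD = 5   # reset-related requests from one client within WINDOW


def parse_line(line):
    """Return a dict for a well-formed combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(m.group("path"))
    action = parse_qs(url.query).get("action", [""])[0]
    return {"ip": m.group("ip"), "ts": ts, "path": url.path,
            "action": action, "status": int(m.group("status"))}


def is_reset_request(rec):
    """True for requests to wp-login.php carrying a reset-related action."""
    return rec["path"].endswith("/wp-login.php") and rec["action"] in RESET_ACTIONS


def find_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: peak_count} for clients whose reset requests exceed threshold
    within any sliding window of `window` seconds."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_reset_request(rec):
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample: one client hammers the reset form, another uses it normally.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Apr/2008:20:38:%02d +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512' % s
    for s in (1, 5, 9, 13, 17, 21)
] + [
    '203.0.113.7 - - [16/Apr/2008:20:39:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1024',
    '198.51.100.2 - - [16/Apr/2008:20:40:00 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 512',
    '198.51.100.2 - - [16/Apr/2008:20:40:30 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512',
    '198.51.100.2 - - [16/Apr/2008:20:41:00 +0000] "GET /index.php HTTP/1.1" 200 8192',
    'not a log line',
]

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))
```

Run it against the real access log (one line per list element) and tune WINDOW and THRESHOLD to the site's normal reset traffic; a single client producing dozens of reset requests in a minute is worth a closer look regardless of what the attack behind it turns out to be.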
Ahh ok so they got offsite backups as well.. Damn.. that stinks.
I was finally able to get into the backend of the cpanel and from there I just altered the user tables to get back in to WP. Now I can look at the extent of the damage...they freaking GUTTED my site. Pieces of @&*^@#. ANYWAY.
It’ll take a few days, but I’m sure I can get the site running again at least.
Can someone please take screenshots of it as is before I start cleaning the mess? I have no capability on this computer of doing that.
Gimme a sec.. I'll take a screenshot of the main page and post it on one of my servers for you to download.
Registered through: GoDaddy.com, Inc.
(http://www.godaddy.com)
Domain Name: EUPHORICREALITY.COM
Created on: 07-Jun-05
Expires on: 07-Jun-09
Last Updated on: 06-Apr-08
Administrative Contact:
Private, Registration EUPHORICREALITY.COM@domainsbyproxy.com
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599
Technical Contact:
Private, Registration EUPHORICREALITY.COM@domainsbyproxy.com
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599
Domain servers in listed order:
NS183.HOSTGATOR.COM
NS184.HOSTGATOR.COM
----------------------------
EUPHORICREALITY.COM
Hosted at HOSTGATOR WEB HOSTING
I’m online with the hosting company now. They are quite embarrassed. They’re also about to lose a lot of business, as all the sites I admin for are hosted there.
http://www.exedor.net/pics/euphoriadev
Is that good enough.. or do ya need more?
Hostgator is pretty good in my experience...Don’t be too hasty....But then, LiquidWeb has been the best I’ve used.
I would be very interested in knowing more about the attack, and the best ways to avoid such attacks.
Here is a description of a PHP injection attack with PodPress:
http://www.yugatech.com/blog/the-internet/hack-attack-in-progress/
The script example shows how the exploit tries several possible methods of acquiring the web server’s user ID.
Here is one page...take a look...
Ping for any assistance and cached info ASAP.
A wing and a prayer for our heroes and those defending them.
Perfect. You’re a doll.
BTTT.
ping