pwned?
Last night at 11:47 pm (local time, GMT+8), when I was about to call it a night, my email notifier suddenly started bleeping, alerting me to a new message in my inbox. The brief message title read "[blog@msaifuddin.com] Password Lost/Changed", and I thought "fuck! my worst nightmare has come!".
I did not read the email content but went straight to my blog to see the latest visitor to my site.
OK... it read I.n.d.o.n.e.s.i.a... I could guess what would happen next... and I tried logging in...
FAIL!
OMG! I was 100% correct! Full marks for me!!!!!! Shit!!!!! My account had been compromised. With no delay, I went straight to my hosting control panel, opened phpMyAdmin and browsed the wp_users table.
Yeah. Some fucker had changed my account details. I changed the email back, requested a new password and managed to take the account back. At the same time, I notified my hosting company about the incident. I got a fast reply from them: several other sites on their server were having the same issue.
The fucking script kiddie.
After spending a few minutes making some changes to my files & configuration, I decided to track the culprit and learn his method of compromising my blog account. Although I was very tired and sleepy, I was pissed. And the pissed feeling was strong enough to sweep all the tiredness and sleepiness out of me.
1. Home directory
When I opened my blog earlier I didn't notice any changes in the main directory/files, because I went straight to my blog folder. But on a closer look in the file manager, I noticed that my index file, which redirects to the blog folder, had been changed and the main site had been defaced. lmao and fuck.
2. Motives
The motive of the defacement is as clear as the picture above. Hatred. Hatred towards Malaysia. And the victim is an "unknown/ordinary/whatthefuck/whyme" Malaysian citizen (me). I would call it a lame defacement. Fucking lame. The skiddie defaced the personal blog of an ordinary person like me. I mean, WHAT THE FUCK! What can the skiddie prove by doing that to me? I'm not a personality/politician/fucking-anything-whatsoever who could get the entire country's attention for the skiddie's so-called hacker manifesto. And I don't give a damn about your so-called hacker manifesto either. So it's fucking pointless! Besides, the stupid message lasted about 5 minutes before it got deleted. lmao.
Further digging into the motive for this whole defacement brought me to an ongoing war between the so-called "hacking clans" of these two countries. For fuck's sake, both of you can keep kicking each other's balls and just leave other people's personal sites alone. We're not interested in your pointless game. Get a life, you fuckers (and learn to write proper English. You can't even spell the right words. "We Coming Uninvited". I fucking lmao).
3. Backdoor
This is the norm. You enter. You plant. You leave. You come back (maybe). Well, your backdoor is no more. Go fuck yourself.
4. Log trace
IP: 110.136.162.212 (Indonesia, Jakarta, PT Telkom Indonesia). Port 80 open on a modem interface.
OS: Windows (Google Chrome)
Possible method (I've replicated this method and it worked): database enumeration from a shell in another account on the same server; crafting the password-reset link from the key stored in the database, together with changing the account email; once the new password is mailed, shell upload through the theme editor. But the skiddie was too stupid and alerted me. lmao. The skiddie even left his email tracks behind. Stupid shit.
email trace:
source: mail.com
userid: 1.26904325
Dear skiddie.
I know you will be reading this when you find out that your shell is no longer in my space.
My words for you, "Fuck you!".