I almost got hacked

I run a number of websites, and I mostly use WordPress. It is fast and very easy to use, and there are a ton of plugins available to enhance your site. One plugin I always install (and believe should be part of WordPress core) is Better WP Security.

Several times, I have benefited from using the plugin. Today, once more, it paid off. There is a massive attack campaign against WordPress sites right now, and every webmaster using this blogging tool needs to step up their game, especially where security is concerned.

I suddenly noticed a spike in my unread email count – from 4 to 85 within a minute – and I realised that one of my sites was under attack again.

I checked my email and I saw this:

[Screenshot: Better WP Security alert emails]

These are the alert emails sent by Better WP Security when it fends off an attack. The Lagos Scholarship Board website was under attack. This wasn't a DoS (Denial of Service); it was a scripted attack from a single computer, probably a script kiddie using automated tools. An example of one of the emails is shown below:

[Screenshot: one of the alert emails]

The script attempts several SQL injection variants to gain access to the site. Lucky for me, Better WP Security was on hand to fend them off. The first time I noticed attacks of this nature, I counted 76 different attempts; now the number has risen to over 180. Maybe one day one of them will succeed. Maybe not. Hopefully not! But we wait and see.

Whenever I notice these emails, I open up the site immediately and keep checking to see whether any attack has succeeded. I go through my file permissions and my core files, and I check for changes. Still, I am safe, for now.

What happened to theNetNG?


A couple of days back, I saw an article about theNetNG, google it here.

Yesterday, our primary domain www.thenetng.com was compromised by internet hackers, who criminally gained access to our servers and illegally took possession of our identity.
We are convinced this is a calculated attack by detractors to unsettle and distract us, knowing our third anniversary (April 26) is just around the corner, as well as the inaugural Nigerian Entertainment Conference holding next Friday.

This incident occurred in the early morning of Thursday April 18, and the hijackers immediately followed up with an email, announcing their operation and demanding $1,200 ransom to reclaim our property. They have since sent other emails, and made fresh requests, which we are reviewing with our lawyers, registrars and IT team.

It is the first time since we registered the domain in 2009, that such security breach would occur. And even though we considered our readers, advertisers and partners, our management took a firm decision not to engage with the criminals.

After careful considerations, we decided yesterday, that we will not be negotiating with the hijackers, that we will not bow to these cheap internet terrorists. And we will definitely not be paying the requested ransom money ($900 as at their last email).

As a web developer (and hacker of sorts), this information presented a scenario that a typical Nigerian would describe as having a “k-leg”. I decided to review it and see if I could figure out what happened.

First, a hacker cannot just take over your domain. Hosting files, yes; the domain, no. I am not saying it isn't possible, but it isn't common. The only way you lose your domain in this kind of attack (if that is your lingo of preference) is if you do not renew it. I checked the whois information and the domain history.

The domain was registered on September 14, 2009, which means it expires (and should be renewed) on September 14 every year. The article made reference to April 2013. The last update date was May 3, 2013. That is a six-month difference between the supposed last expiration date and the “hijack” date. Domains usually have a 90-day period between their expiration and availability to the general populace. Source: http://whois.ws/whois/thenetng.com

The domain history shows the previous and current registrars of the domain: http://whois.ws/domain-history/thenetng.com. It was previously managed by AntiGravity. My suspicion is that there was a falling-out between theNetNG and AntiGravity, leading to the non-renewal of the domain. The domain was promptly hijacked.

A falling-out (likely), or a loss of the domain by AntiGravity? (I don't think so.) Checking the screenshot history of the site using the Wayback Machine showed that after 2009, AntiGravity was no longer the designer/developer of the website. It had been transferred to Unstoppables International.

Site by AntiGravity: http://web.archive.org/web/20100619051112/http://www.thenetng.com/

The site by Unstoppables: http://web.archive.org/web/20130402195125/http://thenetng.com/


AntiGravity uses 1&1; Unstoppables uses GoDaddy.

Was there an issue during the domain transfer? Was the domain not renewed by Unstoppables? Did AntiGravity still have control of the domain? We really can't say.

The $1,200 requested is a standard amount charged by domain squatters. It isn't ransom money; it is the price you pay for negligence.

Advice: if you have a valuable domain name, register it for the maximum number of years allowed (10 years) and have your mind at rest. Oh, registrar lock is a nice option too.
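The expiry and registrar-lock checks above are easy to automate. The script below is an added example (not from the original post or from any registrar's tooling): it parses a constructed WHOIS record for a made-up domain and flags a near expiry, an expiry inside the 90-day redemption window mentioned above, or a missing transfer lock. The 90-day window and the 60-day warning threshold are assumptions, not registry policy.

```python
from datetime import datetime

# Constructed sample WHOIS record for a hypothetical domain (not real data);
# the field names follow the usual "Key: value" registrar output.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-NEWS-SITE.COM
Creation Date: 2009-09-14T00:00:00Z
Registry Expiry Date: 2013-09-14T00:00:00Z
Updated Date: 2013-05-03T00:00:00Z
Registrar: Example Registrar, Inc.
Domain Status: ok
"""

LOCK_STATUSES = {"clienttransferprohibited", "servertransferprohibited"}
REDEMPTION_DAYS = 90   # assumed post-expiry window before the name drops
WARN_DAYS = 60         # assumed "renew soon" threshold


def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (e.g. Domain Status) become lists."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def _to_date(value):
    # Dates arrive as ISO-8601 strings; only the calendar day matters here.
    return datetime.strptime(value[:10], "%Y-%m-%d").date()


def assess_domain(record, today_iso):
    """Return a list of findings a domain owner should act on."""
    findings = []
    today = _to_date(today_iso)
    days_left = (_to_date(record["registry expiry date"][0]) - today).days
    if days_left < 0:
        if -days_left <= REDEMPTION_DAYS:
            findings.append(f"expired {-days_left} days ago; still inside the "
                            f"{REDEMPTION_DAYS}-day redemption window, renew now")
        else:
            findings.append(f"expired {-days_left} days ago; name may already be released")
    elif days_left <= WARN_DAYS:
        findings.append(f"expires in {days_left} days; renew (ideally for the 10-year maximum)")
    # Status lines look like "clientTransferProhibited https://..."; keep the first token.
    statuses = {s.split()[0].lower() for s in record.get("domain status", [])}
    if not statuses & LOCK_STATUSES:
        findings.append("no registrar lock (clientTransferProhibited) set; enable it")
    return findings


if __name__ == "__main__":
    for finding in assess_domain(parse_whois(SAMPLE_WHOIS), "2013-08-01"):
        print("WARNING:", finding)
```

Run it against your registrar's real WHOIS output (pasted into `SAMPLE_WHOIS` or read from a file) on a schedule so an unrenewed or unlocked domain gets noticed before someone else notices it.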