WebAfrica Hacked

James

If anyone has any sites hosted with WebAfrica, have a quick check up. Most of my sites were defaced using some form of ASP exploit. No data was damaged and I am promised no data was accessed.

The complete list can be found here:
http://www.zone-h.org/en/defacements/filter/filter_defacer=eno7

What I find most disturbing is the fact that I phoned to request the FTP logs to see how I was hacked. They said phone Monday for the logs. Only when I said I had been hacked did they tell me that the entire server was hacked, not just me, and I won't need the FTP logs. Surely your (WebAfrica's) clients should be told about these sorts of things. I am lucky I checked and so could correct all the sites and remove the defacements. It has not even made the notice board on their site yet, yet a Telkom notice was added :(
 
Indeed. There are lots of websites affected.

Surely WebAfrica can restore most of the websites with yesterday's backup.
 
We are aware of the incident that occurred on one of our servers the other day and are still currently investigating in an attempt to determine what the exact cause of the defacement was. Unfortunately sometimes it is almost impossible to determine how a rogue script actually got placed onto a machine (as our machines are firewalled off, the upload generally occurs to someone's website on an FTP account with a very weak password, such as 'guest' or 'password'). We have improved security drastically on our machines in the past, but unfortunately one has to attempt to balance security with usability (as we could completely block off our boxes, but then this would cause many currently running sites hosted on that machine to break).

We have already restored numerous websites from backups (I would hazard a guess and say 90% of those defaced have currently been restored), and as indicated are investigating the situation, and are continuing to determine which sites were defaced and restoring them.

Once we have determined what exactly happened, we will be able to better indicate this to our clients.

I'm sure that we will have something to tell those affected shortly, and will have measures in place to prevent this in the future.
 
"Once we have determined what exactly happened, we will be able to better indicate this to our clients."

TRANSLATION: "Duhhh ummm - we have so little business training, and even less customer PR service training, that we haven't bothered to immediately alert our customers within minutes - and are using the fact that we gee 'dunno' how we got hacked - as an excuse for not saying anything at all, until we supposedly know. (As if this excuses or justifies the initial silence on the matter.)
We also figured using the big word 'indicate' was a good choice of words - because it exactly reflects our casual attitude of idly pointing in the direction of a problem we're having, without any real instant leaping into action to even bother alerting our customers, who might suffer problems because of the hack.
Why? Because we don't really care about giving the impression that we care. (We can 'sort of' set up servers, and 'sort of' handle the invoicing, but that's as far as our business and PR training goes.)
We don't mind - because we know the customers are even slower than us."

"I'm sure that we will have something to tell those affected shortly, and will have measures in place to prevent this in the future."

TRANSLATION:
"Speaking as the guy who wrote this statement, I sort of hope that 'we' (the company) will have something useful to tell people - and that we 'sort of' hope that we can prevent future hacks and problems. Neither I nor the Company are promising anything at all by saying this, but we 'sort of' hope that you THINK we've just promised something."
 
Hehe Lonegunman, interesting interpretation, it's wrong - as per usual, but interesting. I'll give you this though, you're definitely living up to your conspiracy theorist name ;).

We at Web Africa take hacking incidents very seriously, but as indicated, when something like this occurs it is frequently very difficult to determine what the cause may be. It is unfortunately a shared environment, and all you need is for one user to have a weak password or some exploitable code on their website and a malicious hacker can proceed to cause problems for everyone else (this is one of the reasons why Zone-H only "rewards" hacks that are on unique IPs; it's a lot easier to "hack" numerous domains on the same box, and it takes a fair deal more time and effort to hack more than one box).

We are currently trying to determine the problem, but one must understand such things take time; there are numerous logs one has to look through to find maybe a single indication of something erroneous (such as an FTP upload of a strange file occurring sometime prior to the incident... and it could even be days before the actual attack occurred).

It's a standard practice in any hosting business to determine the scope of any hack and determine how best to go forward with contacting one's clients. If only a small portion of sites on one box were hacked (as was the case), there is no need to alarm the 1000s of other clients who are hosting on other boxes (or even on that box) who were not. As such we will remain in contact with those clients who were hacked and they are able to query the progress of the investigation and ask anything about what might have happened at any time. They can get us via phone, via e-mail, the standard support routes, etc.

The majority of affected websites have been restored from backups as indicated and they are back up and running as before.
 
LoneGunman said:
"Once we have determined what exactly happened, we will be able to better indicate this to our clients."

TRANSLATION: "Duhhh ummm - we have so little business training, and even less customer PR service training, that we haven't bothered to immediately alert our customers within minutes - and are using the fact that we gee 'dunno' how we got hacked - as an excuse for not saying anything at all, until we supposedly know. (As if this excuses or justifies the initial silence on the matter.)
We also figured using the big word 'indicate' was a good choice of words - because it exactly reflects our casual attitude of idly pointing in the direction of a problem we're having, without any real instant leaping into action to even bother alerting our customers, who might suffer problems because of the hack.
Why? Because we don't really care about giving the impression that we care. (We can 'sort of' set up servers, and 'sort of' handle the invoicing, but that's as far as our business and PR training goes.)
We don't mind - because we know the customers are even slower than us."

"I'm sure that we will have something to tell those affected shortly, and will have measures in place to prevent this in the future."

TRANSLATION:
"Speaking as the guy who wrote this statement, I sort of hope that 'we' (the company) will have something useful to tell people - and that we 'sort of' hope that we can prevent future hacks and problems. Neither I nor the Company are promising anything at all by saying this, but we 'sort of' hope that you THINK we've just promised something."


Very interesting indeed .. the question here is .. Are you totally wrong?

Why were the clients not informed when the problem was found? Why wait for a leak into the forum? Bad, bad decision WA.
 
Have you guys donated anything to these poor kids in the hacked site video? I must say the video bit was quite well done but they could have jacked up their text a bit. These hackers have no artistic flair.
 
warichard - thanks for the oddly snide and patronising "interesting interpretation, it's wrong - as per usual.."
That's rather a typical South African business response. Your post was mostly PR spin saying very little and not addressing the central issue much - unless you believe that saying:

"It's a standard practice in any hosting business to determine the scope of any hack and determine how best to go forward with contacting ones clients."

Is this your roundabout way of saying that you needed time to work out 'how best to contact affected clients in the event of an emergency', if so - it's pretty nonsensical. (How to Contact Hacked Clients: You pick up the phone or send an email specifically to those who were hacked.)

Did you do this? Did you do this within minutes or hours? Or did you only respond and begin contacting people, once the news emerged that a hack had occurred? I'm just curious, as are your customers.

Your systems were left vulnerable, and your IT people left struggling to catch up and determine the entry point(s) and secure them, and there seemed to be a further failure to make contact immediately with the site owners who were hacked.

This isn't 'conspiracy theory', however you might try and make it seem so. It's a detailing of apparent 'fact'.

And by the way, if you want to succeed in global business, don't try being patronising, or sidestep issues by making funny comments about people's online nicknames - when they're raising justifiable questions that should be asked of any business purporting to offer a slick service.

Rather clearly address the issues raised - and acknowledge or refute the allegations.

You're part of a company existing on the goodwill of customers giving you money for provided services - as well as the guarantee of rapid responses and communication re situations which infringe on those services.
(Something which it seems, you failed to do.)
Let's say that again, so it sinks in: "Something which it seems, you failed to do."
But you're not willing to simply admit it.

Is it too much to expect direct answers to questions - without PR spinning and raising superfluous non-issues, presumably in hopes that these non-issues will divert customers from the central fact that you appear to have failed in some key steps that an online service should provide, as a matter of course?
 
Seems more like an exploit than a successful hack.

It's the same as lots of people living in a big house, and one of them leaves the window in their room open at night and someone from outside gains access into the house that way. Doesn't matter how tightly everyone else's window is closed, it's the one open window that matters.

Good ol' ASP eh.....
 
LG is right. We could have handled it quicker and better definitely.

From our customer forum FYI:

A number of sites on the Win02 international WWW server were defaced over the weekend.

We have restored the sites and apologise for the slow response. While all the servers are uncompromised and patched at all levels, each website runs with its own users and permissions.

However, sometimes the most obvious things are overlooked. The source of this defacement was that a particular domain's website had a weak upload script that was used to launch an .aspx scripting vulnerability.

While it is a constant challenge to balance scripting features and security, we have put extra measures (stricter enumeration permissions on all users) in place to limit any such attacks in future to an isolated website.
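The log review the Web Africa posts describe (an upload through a weak script some time before the .aspx file is requested, possibly days earlier and possibly from a different address) can be scripted. The following is an added example, not the hosting company's own tooling: it walks constructed IIS W3C log lines and flags every request for a script-extension file under the upload directory, pairing it with the last upload POST from the same client where one exists. The endpoint name /upload.asp, the /uploads/ directory and all log values are assumptions.

```python
from datetime import datetime

# Constructed IIS 6.0 W3C log sample (field order follows the #Fields header).
# Every address, path and timestamp here is made up for the example.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-01-20 02:11:09 198.51.100.7 GET /default.asp - 200
2006-01-20 02:11:31 198.51.100.7 GET /upload.asp - 200
2006-01-20 02:11:45 198.51.100.7 POST /upload.asp - 200
2006-01-20 02:12:03 198.51.100.7 GET /uploads/x.aspx - 200
2006-01-20 02:40:00 203.0.113.5 GET /uploads/photo.jpg - 200
2006-01-21 09:00:00 203.0.113.5 POST /upload.asp - 200
2006-01-21 09:00:05 203.0.113.5 GET /uploads/logo.gif - 200
2006-01-21 11:30:12 192.0.2.99 GET /uploads/s.asp - 200
"""

UPLOAD_ENDPOINTS = {"/upload.asp"}   # assumed path of the weak upload script
UPLOAD_DIR = "/uploads/"             # assumed directory the script writes into
SCRIPT_EXTS = (".asp", ".aspx", ".ashx", ".asmx")  # server-side executable types

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_upload_then_execute(text):
    """Return (client ip, last upload POST time or None, requested script path)
    for every request that executes a script-extension file under UPLOAD_DIR.
    Any such request is suspicious on its own: a normal upload directory should
    hold data files, so the alert does not depend on seeing the upload first."""
    last_upload = {}   # client ip -> timestamp of its most recent upload POST
    alerts = []
    for rec in parse_w3c(text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        ip, stem = rec["c-ip"], rec["cs-uri-stem"].lower()
        if rec["cs-method"] == "POST" and stem in UPLOAD_ENDPOINTS:
            last_upload[ip] = ts
        elif stem.startswith(UPLOAD_DIR) and stem.endswith(SCRIPT_EXTS):
            prior = last_upload.get(ip)
            alerts.append((ip, prior.isoformat() if prior else None, stem))
    return alerts
```

The same check applied to the FTP transfer log catches the case the first Web Africa post raises, where the file arrives over a weakly protected FTP account rather than a web form.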
 
ROFL ..all on an overseas box...

Date/time: 2006/01/21
Defacer: eno7
Domains: To Many to list
IP address: 70.84.180.106
System: Win 2003
Web server: IIS/6.0
Attack method:
Extra information: mass defacement
 
magneto said:
ROFL ..all on oversea box...

Date/time: 2006/01/21
Defacer: eno7
Domains: To Many to list
IP address: 70.84.180.106
System: Win 2003
Web server: IIS/6.0
Attack method:
Extra information: mass defacement


That's not their problem... it's Telkom's
 
ouch. I had a look at how many sites got nailed. ouch is all I can say. web africa are good lil' guys, its a shame this happened.
 
enx said:
ouch. I had a look at how many sites got nailed. ouch is all I can say. web africa are good lil' guys, its a shame this happened.

If they are clever enough they will catch the w@nkers, in the end they eventually always get caught.
 