South African websites hit by hackers
Hundreds of South African websites were hit by hackers on Wednesday 12 June 2013. The hackers used both CMS and kernel security vulnerabilities to deface these websites.
According to the Zone-H website, hundreds of South African websites (.co.za domains) were defaced by the hacker, or hacking group, known as “SA3D Hack3D”.
A domain name system (DNS) lookup of the hacked domains revealed that a large number of the hacked websites are hosted by Gridhost.
Gridhost explained that a kernel vulnerability and an outdated WordPress site from one of their hosting clients made it possible for the hackers to deface websites hosted on this server.
Gridhost said that the hackers used the vulnerable WordPress site to upload and execute PHP scripts, taking advantage of a Linux kernel security issue.
The hackers replaced the index.php file from websites hosted on the shared server with their own index file which displayed the message “SSH Secure [root # SA3D ~. Hacked By SA3D Hack3D. Kurdish hackers ./Rooted.”
Gridhost became aware of the problem at around 21:00 on Wednesday 12 June, and immediately addressed the issue by patching the kernels on all their servers and closing the security holes exploited by the hackers. This process was completed before midnight.
After the security problems were addressed, the host started to restore the affected websites by replacing the altered files with the original files from backups. This process was almost completed by 11:00 on Thursday 13 June.
Gridhost added that only one shared hosting server was affected by the security breach, and that no client or billing information was ever in danger. That sensitive information is hosted on separate secure servers.