Server got Pwned, sites are gone
6 years ago
"Press F to Pay respects"
Q: What happened?
A: MySQL database got hacked, all databases got wiped, and I got left with a ransom note (bottom is the secondary server, showing how it's supposed to look) to pay 0.2 BTC to get the DBs back. Wikimedia and Wordpress sites are dead. Direct links still function. Perforce Helix server is also dead. All project file versioning is lost, and the only way to go to an older version of a file is through Veeam backup recovery from my NAS (which has had a degraded RAID for a month now, whoops).
Q: When did it happen?
A: 18th of April 2019, 13:16 UTC. I was having lunch with coworkers when it happened.
Q: Any backups?
A: NOPE.
Q: What sites got affected?
A: blog.heykidwannayiff.com, wowg.ovh, daisypayne.heykidwannayiff.com. Possibly others too. All content on those sites was lost.
Q: How did that happen?
A: Possibly a zero-day vulnerability in the ISPConfig management module or the Wordpress CMS. The server was updated every week via yum-cron, ClamAV scans were run weekly, and the Wordpress sites were automatically updated and patched via an update plugin and were hardened as best as possible.
Q: Don't you run monitoring software to prevent this kind of stuff?
A: I didn't get notified of any /etc/passwd changes, any successful logins, or rkhunter catching anything, rootkits or otherwise.
Q: What happens now?
A: We go with the nuclear option. A new server has been ordered and I'm waiting for it to be deployed; then the migration process can begin.
Q: Will you still use Wordpress?
A: Fuck anything PHP related honestly, so probably not.
Q: "Where the pronz @??"
A: Lost my porn making mojo. Also recently converted the default WoW rig to 3DS Max's biped. So, probably soon? Idk. No idea.
Saphra20
RIP, got to love those hackers making people's lives miserable. Hopefully it isn't too painful to get everything back up and running. Wish you the best.
