Hacked by Hmei7

This hmei7 guys has been pretty much everywhere. Just Google the name and you’ll see he’s apparently Indonesian and recently it is claimed the he has hacked a large data centre resulting in the defacement of over 5000 sites.

The Amateur Radio Club site I help maintain has been done over by this guy and upon deep investigation I found index.old files in pretty much every directory, I also found randomly named PHP files containing large strings and missing closing tags which I presume was some kind of injection / shell exploit attempts and also his calling card file x.txt.

My friend who hosts the site for our club also had 3 other domains under his hosting which were also defaced / penetrated / violated.

The first time it happened it “appeared” as if the club site had been attacked by a group called wild clique and we didn’t really understand the nature of the attack so we fixed it up as best we could but
the site has since been attacked several times by various hacker groups and individuals.

Today, I’ve been with my friend and we’ve completely ripped out the club’s site and upon going through the files we’ve found no end of files that shouldn’t be present as I described at the start of this reply.

The site was so badly affected we couldn’t risk using any of it as such and so had to go through quite a complicated procedure of installing a clean but newer version of web software and slowly and systematically “merging” the content after sanitizing what we could.

I’m actually about half way through restoring the old data on the newer platform and now the penny has begun to drop on what’s happened.

My friend’s other sites under his hosting comprise of two joomla 2.5 sites, a custom HTML site and our club site formerly running Joomla 1.5.

I think this guy initially penetrated the club site with a shell script or some other injection / RFI and then went on to take over the rest of the domains under my friends account from there. Or at least Mr hmei7 opened the door for others to do it. We certainly found the same files on the other domains too and the only thing they all share in common is they are all under the one user hosting account.

Without waffling on needlessly, the point I am trying to make is, if this guy’s been at your site, I wouldn’t trust a SINGLE file or directory and I’d be looking at all my other sites closely too.

Just because your sites aren’t defaced or whatever doesn’t mean there isn’t something nasty sitting and waiting!

I suggest everyone wanting to secure their sites familiarise themselves with the following hacking techniques so as to understand how these attacks work and how to counter them in the future.

RFI (Remote File Inclusion)
LFI (Local File Inclusion)
SQL Injection
XSS (Cross Site Scripting)

It is also important to keep every aspect of your site’s up to date; from core to plugins! You should also make sure you follow all steps listed by the creators of any scripts or software you are using to keep them secured.

I’m only aware of this after the fact of course, but if this info can help others and prevent them from falling foul to this hmei7 and others then it was worth posting.

I should add that since we have been attacked, I have spent countless hours researching, reading about and trying out the attacks listed above and more besides and I am now better prepared to protect my sites now I know how some of these attacks work and have seen them in action with my own eyes.

I will admit that during my research I have actually been on Google and have dorked a few vulnerable sites and I’ve penetrated them using various freely available penetration techniques BUT I am not a malicious person and I have not and will not use any of the data I managed to exploit. I did it purely for educational purposes to see how it was done and if it could still be done on a live site and in most cases, there are PLENTY of sites vulnerable to these attacks still out there.

In my case, I have of course notified the sites I have penetrated and hopefully they will act on my information.

So take my advice folks – keep up to date with your software, keep up to date with your knowledge and if you suspect you’ve been hacked, don’t trust a single file – Check every file and folder under your account!

Peace and stay safe!