Today’s digest is dedicated to all those who have been hacked by ‘Jamaycka’, with some lessons in basic web maintenance as well. Zhongg.com was defaced on 12th May by ‘Jamaycka’, who left this message behind:

hacked by jamaycka

Note very important :
Some People thinks I am from Jamaica.
I would like you to know that I am Not from Jamaica.

There are some people feel jealous of me but I am not care
this name just my nickname
I’m HaCked your system

Many reports have surfaced since then about Jamaycka targeting Malaysian websites, a large number of them running WordPress. Websites are probably still being defaced as you read this; the count of websites defaced by Jamaycka has surpassed 9000. Someone needs to put a stop to it. That person probably isn’t you or me. What we can do is try our best to get out of the way and keep our sites up and running in the meantime.

This mini guide is divided into 3 parts:
1) Cure - dedicated to restoring a website hacked by Jamaycka
2) Prevention - avoiding future attacks
3) Backup - cPanel cron commands to automate the backup routine


CURE
Jamaycka defaces websites by replacing index files and leaves it at that, so thankfully the damage done is small compared to what it could have been. Here’s how you can fix your website within minutes. You’ll still need a backup copy of the content in order to restore the website.

WORDPRESS
Replace the index files (both .php and .htm) with the backup copy in each of these locations:
{blog_folder}
{blog_folder}\wp-admin
{blog_folder}\wp-includes
{blog_folder}\wp-content
{blog_folder}\wp-content\themes
{blog_folder}\wp-content\themes\classic
{blog_folder}\wp-content\themes\default
{blog_folder}\wp-content\themes\{other_theme_folders}

{blog_folder}\wp-content\plugins\wp-table

OTHERS
1) Download all the files in the ‘www’ folder to your computer
2) Find all the index files, either
a) by searching for ‘index.*’ files
or
b) by searching for files containing ‘document.write(unescape’

3) Note down the file locations and replace them with the backup copy.
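An added example (not code from the original post) that automates the three steps above once the site has been downloaded to a Unix machine: it lists every file carrying the ‘document.write(unescape’ marker, then puts the clean copy back from a backup laid out the same way. It assumes two directories, HACKED and BACKUP, with identical layouts; the make_demo_site function builds constructed sample data so it can run offline.

```shell
#!/bin/sh
# Added example (not from the original post): automate the three steps above on a
# copy of the site downloaded to a Unix machine. Assumes HACKED and BACKUP are
# directories with the same layout; MARKER is the string the post says every
# defaced page contains.
MARKER='document.write(unescape'

# list_defaced DIR: print, relative to DIR, every file containing the marker.
# -r recurses, -l prints file names only, -F matches the string literally.
list_defaced() {
    ( cd "$1" && grep -rlF -- "$MARKER" . ) | sed 's#^\./##'
}

# restore_defaced HACKED BACKUP: overwrite each defaced file with its backup copy.
# A defaced file with no backup twin (an index.html dropped into a folder that
# never had one) is reported on stderr and left for manual review.
# Prints the number of files restored.
restore_defaced() {
    hacked=$1; backup=$2; restored=0
    files=$(list_defaced "$hacked")
    old_ifs=$IFS
    IFS='
'   # split the list on newlines only, so spaces inside file names survive
    for f in $files; do
        if [ -f "$backup/$f" ]; then
            cp -p "$backup/$f" "$hacked/$f"
            restored=$((restored + 1))
        else
            echo "no backup copy for $f: review and delete by hand" >&2
        fi
    done
    IFS=$old_ifs
    echo "$restored"
}

# make_demo_site ROOT: constructed sample data so the example runs offline:
# three defaced pages (one with no backup twin) plus one untouched stylesheet.
make_demo_site() {
    mkdir -p "$1/hacked/wp-admin" "$1/hacked/images" "$1/backup/wp-admin"
    for p in index.html wp-admin/index.php images/index.html; do
        echo '<script>document.write(unescape("%3C"))</script>' > "$1/hacked/$p"
    done
    echo 'body { color: black; }' > "$1/hacked/style.css"
    echo '<?php /* clean front page */ ?>' > "$1/backup/index.html"
    echo '<?php /* clean admin index */ ?>' > "$1/backup/wp-admin/index.php"
}
```

Run list_defaced once more after restoring: anything it still reports is a page the defacer added where your backup never had one, which you delete by hand.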

WITHOUT BACKUP
1) It is impossible to restore the site without a backup. You’ll just have to cross your fingers and hope that your web host has one.
2) Meanwhile, put up an under-maintenance message. You can overwrite the defaced page by uploading an index.htm file with your message to the root folder.

PREVENTION
After you restore your site, you’ll need to patch up the system to prevent further attacks. Though opinions vary about the hacking techniques used, here are a few ways to up your security a notch:

1. Don’t leave any folders or files with chmod permission 777
2. Disable anonymous FTP.
3. Have mod_security on
4. Make sure you have the latest Linux kernel installed
5. More tips here

BACKUP
You can never truly defend against all attacks, so having backups is a must. Normally web hosting providers back up your stuff occasionally, though they are not obliged to do so according to the terms and conditions. Fortunately, doing backups yourself isn’t that hard. Below is a script to back up your files (ONLY WORKS IN CPANEL!)

1) Click ‘Cron jobs’
2) Go to Advanced
3) Paste the following commands and set the backup frequency

Backup files from the public_html folder
tar -zcf backup.tgz ./public_html

Backup your database
date=`date -I` ; mysqldump -ce --user={DBUsername} --password={DBPassword} {DBDatabase} | gzip > /home/{Account}/dbBackup_$date.sql.gz
Fill in the blanks with the database username, password, database name and your account name. The options take two leading dashes (--user, --password). If you use the short -p form instead of --password=, there must NOT be any space between -p and the password.

Sending a backup of your database to your email (uncompressed)
mysqldump -ce --user={DBUsername} --password={DBPassword} {DBDatabase} | mail -s "Database backup" {email}
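An added example (not from the original post) that turns the two cron commands above into a small script: it keeps dated archives, rotates old ones, and reads the database password from a credentials file rather than the command line, since a --password= argument is visible to every user on the server through ps. It assumes $HOME/public_html exists and that $HOME/.my.cnf (mode 600) holds a [client] section with user= and password=.

```shell
#!/bin/sh
# Added example (not from the original post): a cron-friendly version of the
# backup commands above that keeps dated archives, rotates old ones, and reads
# the database password from a credentials file rather than the command line
# (a --password= argument is visible to every user on the server via ps).
# Assumes $HOME/public_html exists and $HOME/.my.cnf (mode 600) holds a
# [client] section with user= and password=; the database name is an argument.

# backup_files SRC_DIR DEST_DIR: tar+gzip SRC_DIR into a dated archive, check
# that the archive lists cleanly, and print its path.
backup_files() {
    stamp=$(date +%Y-%m-%d_%H%M%S)
    mkdir -p "$2"
    archive=$2/files_$stamp.tgz
    tar -zcf "$archive" -C "$(dirname "$1")" "$(basename "$1")"
    tar -tzf "$archive" > /dev/null   # fails loudly if the archive is unreadable
    echo "$archive"
}

# backup_db DB_NAME DEST_DIR CNF_FILE: dump the database using credentials from
# CNF_FILE (--defaults-extra-file must be mysqldump's first option), gzip it,
# and print the path. Dumps to a plain file first so a failed dump is noticed.
backup_db() {
    stamp=$(date +%Y-%m-%d_%H%M%S)
    mkdir -p "$2"
    dump=$2/db_${1}_$stamp.sql
    mysqldump --defaults-extra-file="$3" -ce "$1" > "$dump" && gzip -f "$dump" \
        && echo "$dump.gz"
}

# prune_backups DEST_DIR DAYS: delete archives older than DAYS days and print
# how many went, so the cron mail shows the rotation working. Archive names
# come from this script and contain no spaces, so word splitting is safe here.
prune_backups() {
    n=0
    for f in $(find "$1" -maxdepth 1 -type f \( -name '*.tgz' -o -name '*.sql.gz' \) -mtime +"$2"); do
        rm -f "$f"; n=$((n + 1))
    done
    echo "$n"
}

# Daily cron entry (03:15): 15 3 * * * sh "$HOME/backup.sh"
# Uncomment the three lines below when installing this as backup.sh:
# backup_files "$HOME/public_html" "$HOME/backups"
# backup_db "{DBDatabase}" "$HOME/backups" "$HOME/.my.cnf"
# prune_backups "$HOME/backups" 14
```

Keep the backups directory outside public_html so the archives are never served to the web.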

Sending a backup of your database to your email (compressed)
None that works for me. Might be worth a try though:
http://abdussamad.com/archives/54-Using-a-cron-job-to-backup-your-MySQL-Database.html
http://drupal.org/node/140213

ps: remember to download the latest backup to your computer :)

That’s it, folks! If you have any additional information to help your fellow web brethren, do share.



Responses to “How to restore a website hacked by Jamaycka” (25)
  1. How to Restore a Hacked Website on May 14th, 2007 11:27 am

    […] by now. Zhongg, also a victim of the defaced, wrote a mini guide that mainly concentrated on how you can restore your hacked site, prevent future attacks and also backing up your […]

  2. hongkiat on May 14th, 2007 11:36 am

    If you’ve checked out some of the victims’ WordPress sites, do they mostly fall on version 2.1.3?

  3. CincauHangus on May 14th, 2007 12:37 pm

    I doubt this has anything to do with WordPress. I think it has to do with our hosts. If you look properly at the defaced websites, he did mention that he used a root account, and some ID numbers that start with 0, which I think means your host didn’t secure the server with a password for root.

  4. Zhongg on May 14th, 2007 2:19 pm

    Like CincauHangus mentioned, it is doubtful that this has to do with WordPress. Personally I had another Drupal site defaced as well.

    As to how he hacked in is anyone’s guess. Most seem to agree that Jamaycka gained root access by exploiting vulnerabilities and then creating his own root account, rather than using an ‘un-passworded’ root.

    This guy has been at it since last year. The only thing in common that I can see is that all the sites are hosted on Linux servers :) http://www.zone-h.org/componen.....,JaMaYcKa/

  5. Zhongg on May 14th, 2007 3:00 pm

    [Update] additional backup options for database.

  6. emirin.name on May 14th, 2007 3:31 pm

    It was the server host that was hacked. I hosted my site at Hive Hosting, a Malaysian company (hence many Malaysian sites hosted there).

    Thanks for the security tips. I will sort out the stuff later on.

    Cheers.

  7. […] This is definitely another strike by another hacker! 400 websites had been hacked by 12 May, 2007. I urge you all to check whether you are on the list. Hongkiat.com has a list of 400 hacked websites. It’s pretty unfortunate if you fall into the name list; contact your web hosting company as soon as possible, as they will normally have a backup of your website from within 7 days, or Zhongg wrote out a mini guide on how to restore a hacked website. […]

  8. CincauHangus on May 14th, 2007 7:29 pm

    Yeah, I did notice that too. Windows server == secure? :P

  9. Alpha on May 14th, 2007 7:52 pm

    Yep. My blog has been defaced. I think he’s trying to sort out his skills to see the loopholes in Linux-based servers. Now, who said Linux handled security well enough? He’s just trying to show his power, but actually he just hacked the server that maintained 400 Malaysian websites.

  10. […] hat tip to Zhongg, who posted an article about how to restore a website hacked by Jamaycka. So, if anyone here is one of the victims, you surely must read the […]

  11. Zhongg on May 14th, 2007 10:53 pm

    Thanks to all who have trackbacked to the article :)

    Emirin: Glad to be of help

    Cincau: Hehe, for once Microsoft is spared

    Alpha: It’s possible; Hive Hosting is one of the big players, so it would not be a surprise if the hacker did just that.

  12. Gurdip on May 15th, 2007 9:54 pm

    Hive Hosting lost 3 servers. That’s what I heard when I spoke to Albert (from Hive). He even lost his backups (meaning he lost the backups to my domain as well). I think that the hosting company should be more responsible in handling such issues. Hosting companies such as Internunix (owned by a member of a Malaysian hacking group) have successfully repelled God knows how many attacks and have also NEVER been successfully hacked. It’s all about how you manage your servers, firewalls, backups, etc.

    All I know is that I’m moving from my hosting company ASAP. Enough is enough. It’s time to move to more responsible web hosting companies.

  13. Zhongg on May 16th, 2007 2:45 am

    Hi Gurdip,

    Oh, you mean this: http://www.interunix.com.my ? Well, I misunderstood you for a while when you said ‘owned’ by a member of a hacking group ;)

    So I gather that your site has gone offline permanently? Hope Albert will buck up Hive Hosting; the mass defacement will put a serious dent in his reputation if not handled properly.

  14. Pika on May 16th, 2007 4:42 am

    Thank you for the article. I’ve cracked my head thinking how to fix the WordPress part when it has God-knows-how-many files inside, and where the index is.. and so on.

    In the end I just deleted everything and upgraded WordPress along the way. Hehe.

    I agree with Gurdip. It’s time to move on to better web hosting…

  15. Steve Wallace on May 16th, 2007 2:46 pm

    I’m not as lucky as you guys. I’m running an open source content management system called Joomla. This kind of website has many directories inside. The hacker installed index.php and index.html in almost every single directory and subdomain except the images dir. Now I have to reinstall them 1 by 1.
    Damn you, JaMaYcKa! *foul language censored*!

  16. Zhongg on May 16th, 2007 3:32 pm

    Pika: Haha, well at least it forced you to upgrade :) Hope you didn’t lose any of your data

    Steve:
    Sorry to hear that Steve.

    Here’s a shortcut if you have a recent backup of your site:
    1) Download the hacked site
    2) Delete all the index files from the downloaded site. (Search filenames with this keyword: index.*)
    3) Make a copy of the backup site
    4) Overwrite the backup site with the index-less site.

    This way, you get to preserve your files, because index files don’t get changed often for certain CMSes.

  17. […] in Malaysia: If you are one of the many whose WordPress blogs were hacked in Malaysia recently, Zhongg Internet Digest offers “How to restore a website hacked by Jamaycka”. Right now, it isn’t clear if this threat is spreading, but make sure your WordPress blog is […]

  18. Greensleeves的私人空間 » Be Hacked on May 19th, 2007 9:45 am

    […] This blog’s server was singled out by a hacker; the whole server displayed a skull and a raised middle finger, leaving this blog completely paralysed and its owner in low spirits… It is now back to normal; please forgive the inconvenience. For the full story of the incident, click this link […]

  19. aseel on May 20th, 2007 11:27 am

    Well, finally I managed to restore my sites under the abiummi.com domain… and xchange-i.com.

    But it was very tricky and needed patience to dig deep inside tonnes of files. Not only index files were affected but some other files too.

    Tip: to find those files… just look for files with a 32KB file size.

    Anyone who wants to hire me to restore their site, especially WordPress and Joomla, can contact me at aseel77[@]gmail.com

  20. zhongg on May 20th, 2007 10:07 pm

    An easier way would be to use Windows search (or whatever desktop search) to search for files containing:
    document.write(unescape

    Jamaycka is using a standard hacked page, so this would be able to find all pages regardless of the name.

  21. […] your website? Thanks to zhongg. If you are one of the innocent victims, you can read his post by clicking here May 25, 2007 | Filed Under Tirut says . . ., Tech, Internet […]

  22. pbqnkwjfxz on July 2nd, 2007 9:30 pm

    Hello! Good site! Thank you! reununfwdqtw

  23. reemas on July 27th, 2007 12:02 pm

    I got hacked by this guy… my page is still defaced…

    I think the main host was hacked…

  24. Shaiffulnizam Mohamad on September 6th, 2007 8:53 am

    For those who are using Joomla/WP, don’t blame the CMS. Blame yourself for not thinking of security in the first place. Sometimes, people lack the knowledge of what to do to secure their site. Thus the hackers take advantage of their incompetence/lack of website and server security. All of us tend to think that it is the responsibility of the hoster or the creator of the software we use to take care of security matters. I know that hosters play a certain part in ensuring their server is secure, but for our part, it is our responsibility to check whether there are vulnerabilities in the CMS that we are using.

    For example Joomla.. Standalone Joomla without 3rd party components is secure, but if you rely on 3rd party components without checking the security advisories at the main Joomla site, probably your site is vulnerable.

    It is our responsibility to take care of our site. It is the hoster’s responsibility to take care of their server; let us join hand in hand with the hoster to prevent this from happening again and again.

    My site is always under attack from Turkey, Indonesia, etc., but we take this very much as our first priority. We conduct tests, we clean up our site, we back up our database and system and try to implement security audits of the server/site we have. Let’s say our site was hacked; we try to minimise the impact because we already have a backup. (We make a database backup every night).

    That’s all, 10 cents from me..

  25. Dalek on January 6th, 2008 12:17 am

    He’s at it AGAIN, folks!
    Little dicked, Malaysian Jamaycka has hacked midnitecrowproductions as of last night. Though I could still view and post on the various forums hosted there.
    I can’t get any of them now at all. Must have spread through more DNSs!
    So all I can say is:
    He’s BAAAACK!
    Little turd!