HELLO, D**KH**DS!
My wife is playing with setting up her own website. She is far from an experienced user and is just learning how to run it. She is a psychologist who is eager to improve her visibility and was going to use her own website as part of that attempt. On the other hand, she wants to do it all by herself – so I keep away from the daily running of her website.
I initially set up the website for her using an excellent CMS (or framework) called Joomla. It is an excellent system and perhaps the easiest to use. From there on, she wanted to manage it herself.
Guess what? There apparently are some d**kh**ds (and that’s who they are) who took pride in defacing her website while I was flying back from a conference and could not help her identify and rectify the problem. Not even a manual defacement – they are nothing more than some idiotic, brainless script kiddies who just used a kit to deface it. Very simple: apparently, in the version of Joomla she was using, it is possible to reset the Admin password without authorisation – a simple SQL injection. On the other hand, my better half was uploading templates to play with the design and, therefore, the /templates/ directory remained writable. Those dickheads felt proud to upload a remote shell script called r57shell.php, taken from a Russian “security” website, into the writable /templates/ directory and try to run some rubbish. They even tried defacing my website.
They didn’t succeed in doing a lot – they just replaced the front page. I guess that is because their tiny brains are not suited for anything else. They had some sort of grudge against clever people. Here is how they found my wife’s site:
78.167.171.187 - - [09/Oct/2008:14:48:54 +0100] "GET /index.php?option=com_user&view=remind HTTP/1.1" 200 6029 "http://www.google.com.tr/search?hl=tr&q=intitle%3Adoctor++inurl%3Acom_user&btnG=Ara&meta=" "Opera/9.50 (Windows NT 5.1; U; tr)"
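The log line above shows the defining feature of this kind of attack: the site was not chosen, it was found through a search-engine query built from "dork" operators (intitle:, inurl:). As an added example, not part of the original post, here is a small Python script that reads Apache combined-format access log lines and flags the three things this post describes: a referer whose search query contains dork operators, a request to the com_user password-reminder component, and a request for a known webshell filename such as r57shell.php under /templates/. The post's own log line is used as one sample; the other lines are constructed (with RFC 5737 documentation addresses), and the rule lists are assumptions meant to be extended from your own logs.

```python
"""Flag suspicious requests in Apache combined-format access log lines (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Search-engine operators that show the visitor arrived by scanning for targets (assumed list)
DORK_OPERATORS = ("inurl:", "intitle:", "intext:", "inanchor:", "filetype:", "ext:")
# Joomla password-reminder component named in the post's log line
REMINDER_NEEDLES = ("option=com_user", "view=remind")
# Webshell filename named in the post; extend from your own indicators (assumed list)
WEBSHELL_NAMES = ("r57shell.php",)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["request"].split(" ")
    entry["method"] = parts[0] if parts else ""
    entry["path"] = parts[1] if len(parts) > 1 else ""
    return entry


def referer_search_terms(referer):
    """Return the decoded 'q' search parameter from a search-engine referer, or ''."""
    if not referer or referer == "-":
        return ""
    return parse_qs(urlsplit(referer).query).get("q", [""])[0]


def classify(entry):
    """Return the list of rules an entry trips (empty list means nothing suspicious)."""
    reasons = []
    query = referer_search_terms(entry["referer"]).lower()
    if any(op in query for op in DORK_OPERATORS):
        reasons.append("dork-search referer: %r" % query)
    path = entry["path"].lower()
    if all(needle in path for needle in REMINDER_NEEDLES):
        reasons.append("password-reminder component request: " + entry["path"])
    basename = urlsplit(path).path.rsplit("/", 1)[-1]
    if basename in WEBSHELL_NAMES:
        reasons.append("known webshell filename requested: " + entry["path"])
    # Joomla template files are included by index.php, not requested directly, so a
    # direct request for a .php file under /templates/ deserves a look in its own right.
    if path.startswith("/templates/") and basename.endswith(".php"):
        reasons.append("php requested directly from /templates/: " + entry["path"])
    return reasons


def scan(lines):
    """Return [(host, path, reasons)] for every parseable line that trips at least one rule."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # malformed or foreign-format line; count these separately in real use
        reasons = classify(entry)
        if reasons:
            hits.append((entry["host"], entry["path"], reasons))
    return hits


# First line is the one from the post; the rest are constructed for this example.
SAMPLE_LOG = [
    '78.167.171.187 - - [09/Oct/2008:14:48:54 +0100] "GET /index.php?option=com_user&view=remind HTTP/1.1" 200 6029 '
    '"http://www.google.com.tr/search?hl=tr&q=intitle%3Adoctor++inurl%3Acom_user&btnG=Ara&meta=" '
    '"Opera/9.50 (Windows NT 5.1; U; tr)"',
    '203.0.113.10 - - [09/Oct/2008:15:01:02 +0100] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8123 '
    '"http://www.google.com/search?q=psychologist+london" "Mozilla/5.0 (constructed)"',
    '203.0.113.10 - - [09/Oct/2008:15:01:03 +0100] "GET /templates/mytheme/css/template.css HTTP/1.1" 200 2210 '
    '"http://www.example.com/" "Mozilla/5.0 (constructed)"',
    '203.0.113.20 - - [09/Oct/2008:15:10:40 +0100] "POST /templates/r57shell.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (constructed)"',
    "truncated line without the usual fields",
]


def main():
    for host, path, reasons in scan(SAMPLE_LOG):
        print(host, path)
        for reason in reasons:
            print("   ", reason)


if __name__ == "__main__":
    main()
```

In practice you would feed `scan()` the whole access log and correlate the flagged hosts: the dork-search hit and the reminder request from the same address, followed by a direct request to a .php file under /templates/, is exactly the sequence this post describes, and the hosts it reports are the ones to block and to hand over with the logs.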
So here is some information about the dickheads – the internet community needs to know its heroes.
- They belong to a group called Vezir.04 – a group of 4 kids from the Middle East: Turkey, Egypt and Albania
- Their website http://www.turk-h.org listed my wife’s website as “defaced for political reasons”. Ha.
- Two of their nicknames are Neg4tif and CrazyHacker16 – you can tell how old they are just from the nicknames
- The IP addresses they used: 41.235.3.33, 78.167.171.187, 88.250.36.197 and 85.103.76.43
- The person checking their work: 78.168.65.3
Moral? Some would say “set up automatic updates”. Yes, that would have worked in this case – but there is a reason why I don’t normally do that. Believe me when I say that automatic updates often do not improve security, and sometimes reduce it. I will write about it later.
P.S. The legal authorities have been notified, and all the logs have been passed to them.