Yesterday, one of my websites was hacked by an individual or group calling themselves z7faan-h4ck3r. The hack involved changing a couple of headings and having some stupid video on a loop.
Naturally, I was less than impressed but it didn’t actually take long to find a fix which so far seems to have worked.
The website is an articles directory created using the “Article Dashboard” software and apparently, a number of similar sites have also been hacked. This is how I fixed it:
1. Check you have the Article Dashboard software on your computer
2. Delete the following directories from your website
/admintemplates
/templates
3. Upload these two directories to your site from your computer
4. Login as admin and go to “Edit Settings”. Here you will see that Site Name, Admin Email ID, Admin Name and Admin Message fields have been changed and you’ll need to change them
5. Finally and most important, CHANGE YOUR PASSWORD !!!!
That should restore your Article Dashboard website. Like I said, it seems to have worked so far but there is a chance that there is something else hanging around that I haven’t found.
The same hackers have attacked my site daily for a week, we have done the changes as you mentioned, added hack detect software, added a temporary database with no articles etc and they still got in. The last attack (last night) they managed to somehow get into the article categories and add the “hacked by” tag to each one. In addition there is a trojan warning appearing.
I’ve spent a lot trying to fix this and it seems that there are a large amount of “article dashboard” script sites being attacked… for me it’s bye bye to 110 000 human approved articles and a lot of months worth of work, enough is enough they win.
Yes, I’m aware a number of “Article Dashboard” sites have been targeted but I hadn’t read anything about the categories being changed. Will keep an eye on the site.
Sorry, you feel you’ve had to abandon your site.
Rob,
My site was hacked yesterday. When I visited the homepage, I noticed that there was a new category at the beginning of the directory. I was then redirected to the hacker’s web page. Looking at the source code, I discovered that the hacker had created a new category with a metarefresh script.
I logged in to the admin and went to manage categories. Since the two categories the hacker created (one with the metarefresh and the other with his signature) were on the page, it kept redirecting me. I hit the back button and tried to delete the categories. AD would not allow this because the hacker had created articles in the directories with the same content.
I then went to manage articles and did a mass delete (script I added on some time ago). Once the articles were deleted, I could delete the categories. This returned my directory back to normal.
I then changed my password to something much more difficult than what it was.
I thought this was easier than deleting the two directories and uploading a lot of new files, especially since I would have to modify the templates again.
BTW, do you know how to change the admin user name from "admin" to something else?
Also, do you have any tips for making AD more secure?
Thanks,
William
Rob,
One more thing. I also sent a message to freewebtown.com which is where the hacker’s redirect went to and told them that they are hosting a hacker and should discontinue his service. I know he can easily do the same at another free hosting company if they do discontinue his service but, at least, all the sites he has hacked will no longer redirect to his web page.
From what you are saying, it looks like the method of attack has changed since my site was hacked. Glad you got it sorted without too many problems.
As my site is back up and running, I haven’t really spent any more time looking at the problems or making AD more secure.
Cheers
I have a suspicion that the group or person doing this is Norwegian. Faan is the colloquial name for the devil in Norwegian. The word is also used for swearing. It is usually written Faen, but “Faan” is a more correct rendering of the pronunciation.
William: Good idea to report the hacker although like you say, he can get another hosting somewhere.
Knut: I’m sure I saw a popup while my site was hacked with the letters K.S.A which is Kingdom of Saudi Arabia.
I noticed my site was hacked today
The hacker changed a field in the database to alter the title tag. This effectively disabled the title tag and replaced it with a meta tag that redirected to another site. This is an XSS attack and means the coder responsible has not made fundamental checks before entering data to the database.
This is both an accolade and a problem for Article Dashboard. That a hacker has found it worthwhile to go to such trouble means AD are prolific. However AD cannot be responsible for third party addons, but for those addons to cause so much trouble they must be popular too.
Initially I suspected the isnare_import.php file to be responsible. Even though they are careful to ensure requests to that file only come from their own authorized servers, who is to know what protection against XSS injection on their own site? That would be the coolest thing for a hacker to do, infect isnare today and destroy 100,000 sites by EOB tomorrow.
I use automated procedures from a third party to remove duplicates and to approve/deny articles but a review of his code shows that there is no opening for an XSS injection.
As AD is encoded it is true that we cannot check whether they have protected themselves or not, however we also know that no alteration of their files or an understanding of how they work is unlikely to have been gained by the hacker either.
Therefore, while changing the title has given us respite, it means it is not at an end. Whatever method this attacker is using he can use again, if he can be bothered, and that depends on whether he is making money out of it perhaps.
So we all need to contact Article Dashboard and request they look at it.
Forgot to add there is a temporary solution if this hacker does decide to run his code again.
Add the following few lines to the setup.php file below everything else already in the file EXCEPT the last ?>
// Reconnect using the credentials already defined in setup.php.
$ah_conn = mysql_connect($dbhost, $dbuser, $dbpasswd) or die(mysql_error());
if ($ah_conn) {
    $ah_selc = mysql_select_db($dbname);
    // Overwrite the site name (used for the title tag) on every page load.
    $sql = "UPDATE adb_adminsettings SET sitename='Exchange Articles | Article Database'";
    $result = mysql_query($sql) or die(mysql_error().' damn, did not work go back and remove those two lines of code!');
    mysql_close($ah_conn);
}
(this blog may format this incorrectly, if it does and you (Rob) would like the original code contact me and we’ll find a way to add it).
Note this temporary code has both advantage and disadvantage. The advantage is each time an XSS attack on the title tag is achieved it will be thwarted by the next visitor – to the point the next visitor will NEVER suffer the hack. The bad news is that every time someone visits the site this code will be run. That’s an overhead, but in the scheme of things only a small one.
Thanks Martyn
Really good information there. I’m sure other people using Article Dashboard will find it very useful.
Hi !
After removing virus from above mentioned techniques, Now I can’t login through admin.
Either login/pwd in database is same.
Help me
Thanks.
Arun
Hello everyone… there is a forum that helps with wading through this issue. http://www.articledirectoryforum.com/ opened partly in response to the closing of the Article Dashboard forum. There are steps that can be taken to keep this from happening.
For all article directory owners, and there is a forum for Article Dashboard
p.s. The most important security measures are detailed there.
Roger, you will have to do this within your database (phpMyAdmin via cPanel)
Martyn, the most common way to hack in to AD is via the admin login, the most effective way to stop this is to password protect your admin directory (again, you can do this in cPanel)
There is a forum (for all article directory owners) that has a section for Article Dashboard owners at http://articledirectoryforum.com
Search your entire remote (webhost) directory for mshell.php. There may be several of them.
Also look for a folder called g2data, this will guide you to the place where they set up on your hosting account.
Anonymous
Pardon my French, but these guys are f—ing assholes.
About 2 weeks ago, our wordpress module was compromised so we couldn’t access it. Then today they put their obnoxious bloody skull logo on the site. I am still trying to clean it off, but there seems to be something embedded in the site that is redirecting the website to a different page. Hopefully I can just disable the site while I try to reconstruct it… and yes, I have already changed my password.
I forgot my admin password. I remember seeing an encrypted string somewhere on the net that reset the password via a db entry. And then I could go into the app and provide a new one. Anyone know what that was?
ok here is the script for your mysql update:
update admin
set password = '21232f297a57a5a743894a0e4a801fc3'
where adminid = [your admin id]
sets the password to ‘admin’
I set up my Article Bot directory submission software over the weekend and spent about 10 hours manually entering pw/user names to hundreds of directories that didn’t load in the auto signup process. I felt the time spent would be well worth it to be able to rapidly submit my articles. Finally submitted my first article last night and all was going well when about 10 directories away from the entire 300+ or so being submitted, the submission process seemed to stall. I couldn’t get it to cancel or close out. So I closed out Article Bot and when I came back in not only were my user and company profiles all wiped away but so was my Ready status for the sites I’d spent 10 hours already manually signing up for! And there was no record or trace of the article I just submitted. It was as if I’d never yet used the software.
As I had attempted to close down the stalled submission box, my McAfee had also shot up a Trojan warning yet when I went in to check recent activity it showed nothing.
The guy at Article Bot says they aren’t responsible for the directories who don’t take proper security precautions but my other problems aren’t the result of this assh##e hacker and I’m pretty sure they are. Once I ran through the auto signup process again I’m now left with having to re-submit to 300+ directories my pw/user name manually again. Of several that went through on the auto submit, I received at least a dozen by this asinine hacker in confirmation emails. When clicking on the confirm link I’m taken to his page with the face of an ugly as hell goth character and some Beasts of Hell BS!
What pathetic lives these losers have to have to get their jollies out of causing hard working people such grief. If I could get my hands on this creep I’d kill him and I DO mean that!!!
Linda
I am a newbie. Yesterday one of my sites was attacked by this z7faan-…. I have read the above comment and your (Rob) article, but I don’t know what to do from the first. Anyone can help?
Thanks.
I just do this against z7faan.
1. Change password
2. Change Theme
3. Reinstall the previous theme.
It works.
My site just got hacked again by some Turkish lot this time.
I had a look at the two directories
/admintemplates
/templates
I sorted the files by date/time and it showed a number of files in each directory had been updated recently. I’ve just FTP’d over the correct versions of the individual files that were hacked and so far it seems to have worked. Took me about 5 minutes to fix.
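Added example, not part of the original post or any comment: a shell script that automates the two checks described in this thread, comparing /admintemplates and /templates on the live site against a clean copy of the Article Dashboard package, and searching the whole site for mshell.php and g2data. The function names, the fixture and its file names are assumptions made up for illustration; only the directory names, mshell.php and g2data come from the page.

```shell
#!/bin/sh
# Added example. Directory names come from the post; file names are constructed.

# List files under admintemplates/ and templates/ in the live tree that are
# absent from, or differ from, a clean copy of the Article Dashboard package.
changed_templates() {
    clean=$1; live=$2
    for d in admintemplates templates; do
        [ -d "$live/$d" ] || continue
        find "$live/$d" -type f | sort | while IFS= read -r f; do
            rel=${f#"$live"/}
            if [ ! -f "$clean/$rel" ]; then
                echo "ADDED    $rel"
            elif ! cmp -s "$clean/$rel" "$f"; then
                echo "MODIFIED $rel"
            fi
        done
    done
}

# Search the whole live tree for the names reported in the comments.
dropped_files() {
    find "$1" \( -type f -name 'mshell.php' -o -type d -name 'g2data' \) | sort
}

# Constructed fixture: a clean copy plus a tampered copy, so this runs offline.
make_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/clean/admintemplates" "$demo/clean/templates"
    echo '<form>login</form>'  > "$demo/clean/admintemplates/login.html"
    echo '<h1>{sitename}</h1>' > "$demo/clean/templates/header.html"
    echo '<p>footer</p>'       > "$demo/clean/templates/footer.html"
    cp -R "$demo/clean" "$demo/live"
    echo '<h1>defaced</h1>' > "$demo/live/templates/header.html"
    echo '<?php /* unknown file */' > "$demo/live/admintemplates/extra.php"
    mkdir -p "$demo/live/images" "$demo/live/g2data"
    : > "$demo/live/images/mshell.php"
    echo "$demo"
}

# Usage: sh audit.sh CLEAN_DIR LIVE_DIR   (no arguments: run the demo fixture)
if [ $# -eq 2 ]; then
    changed_templates "$1" "$2"; dropped_files "$2"
else
    demo_dir=$(make_demo)
    changed_templates "$demo_dir/clean" "$demo_dir/live"
    dropped_files "$demo_dir/live"
    rm -rf "$demo_dir"
fi
```

Comparing file content rather than modification dates also flags files whose timestamps look unremarkable, and it lists files that exist on the site but not in the clean package.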
Hi,
I just joined a website (travelarticles.org) trying to promote my company’s website. To be honest and to put this in context, I am a computer novice. I then got a confirmation email from someone who goes by HaCkEd BY Z7FaaN H4Ck3R . Any thoughts on what I should do, any measures I should take to protect my site? Is my site in danger and has anyone else had a similar experience?
Cheers,
Gavin
It’s the article directory that got hacked, not your site. This dude preys on articledashboard sites.