Hacked by Mr.Moro Moroccan Hacker

Recently a personal web site of a friend of mine was hacked by Mr.Moro the Moroccan Hacker. He had a cheeky message up on the site, which was then indexed by Google. It took Google a couple of days to reindex his front page. You would think that I would be personally very angry with Mr.Moro, but you would be incorrect. Mr.Moro was the first step in the solution.

No one likes to get hacked. Hacks can be really terrible and destructive, with loss of the complete site and data. Mr.Moro’s hack was pretty benign: he simply changed the front page of the site. I am thankful that he did not damage anything else. Mr.Moro’s message set my friend on the road to recovery and ultimately to a better, more hardened site. Of course there is no guarantee that someone else will not deface his site, but we can build the site to keep out as many intrusions as possible. An ounce of prevention is worth a pound of cure.

Mr.Moro Moroccan Hacker's shiny red rotating button with a green star. I do not know the meaning of the green star.

HACKED AND DEFACED BY Mr.MORO MOROCCAN HACKER

WHAT THE HELL IS GOING ON HERE YOUER SECURITY IS LIKE A SHIT

FUCKING UNSECURE SERVERS I REALLY HATE IT. NO APOLOQIZE , NO MERCY

NO PITTY , NO SORRY , BUT DO NOT WORRY NO FILES DELETED ONLY YOUR INDEX

HAS BEEN CHENGED SO TRY TO EDIT QUICKLY GOOD LUCK . FOR MORE INFO CONTACT ME ON :

Mr.MoRo@HOTMAIL.FR

BYE

There is really not much useful internet info on Mr.Moro the Moroccan Hacker. I see his work on Google when I search his name. He usually writes his message in alternating upper and lowercase. My friend’s message was all uppercase. Mr.Moro has been really busy, racking up hacked sites like studly university jocks and their “little black books”. He has supposedly defaced over 350 unwary sites. He has supposedly hacked 2 South African government sites as well. That is an interesting record.

Anyway, my friend’s site was a WordPress blog, so I might as well tell you the vulnerabilities. In summary, I found a very large .php file and a Perl script in his uploads directory, which is normally used for images and attachments. This directory is not changed by WordPress upgrades. I also found an unauthorized person with admin privileges. Then there was the ZenPhoto plugin running TimThumb.php, somewhat known to be the entry point for Mr.Moro. There were two index.htm files, one in the main directory and one in the WordPress directory, that did the redirect.
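The file-level findings above (scripts in the uploads directory, stray index.htm files, a TimThumb.php copy) can be checked with a short script. This is an added example, not code from the original post: it assumes the standard `wp-content/uploads` layout, and the function names and reason labels are made up for illustration. The unauthorized admin account lives in the database and is not covered.

```python
import os
import sys

# Extensions that have no business in wp-content/uploads (images and attachments only).
SCRIPT_EXTS = {".php", ".phtml", ".pl", ".cgi"}
STATIC_INDEX = {"index.htm", "index.html"}

def contains_php_tag(path, limit=1 << 20):
    """Heuristic: do the first `limit` bytes of the file contain a PHP open tag?"""
    try:
        with open(path, "rb") as fh:
            return b"<?php" in fh.read(limit).lower()
    except OSError:
        return False

def audit_wordpress_tree(root):
    """Return sorted (reason, relative_path) findings for the install at `root`."""
    root = os.path.abspath(root)
    uploads = os.path.join(root, "wp-content", "uploads")
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_uploads = os.path.commonpath([uploads, dirpath]) == uploads
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if in_uploads and ext in SCRIPT_EXTS:
                findings.append(("script-in-uploads", rel))
            elif in_uploads and contains_php_tag(path):
                # e.g. PHP hidden behind an image extension
                findings.append(("php-code-in-upload", rel))
            # Depending on server configuration, a static index may be served
            # ahead of index.php and replace the real front page.
            if lower in STATIC_INDEX and "index.php" in files:
                findings.append(("static-index-beside-index.php", rel))
            if lower == "timthumb.php":
                findings.append(("timthumb-copy-verify-version", rel))
    return sorted(findings)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for reason, rel in audit_wordpress_tree(target):
        print(f"{reason:32} {rel}")
```

Every hit is a lead to review by hand, not proof of compromise; some plugins legitimately place files that match these rules.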

Apart from the juicy stuff I did the boring upgrades of WordPress core, plugins and such, and hardened up the rest.

While WordPress is open source and freely downloadable, maintenance still needs to be done. I am sure that if everyone spent more time on this there would be less work for Mr.Moro. This simply will not happen, though. People are busy and are not technically deep enough to harden their site.

Thanks again, Mr.Moro.

Addendum Mar 10 2013: The entry point for Mr.Moro was definitely Zen Photo. The Zen Photo MySQL databases have deleted login accounts for the owner and a login account for Mr.Moro. Zen Photo has been deleted and will be reinstalled with a current and secure TimThumb.php version.
