This is the third attack I've experienced. Each time it comes suddenly and the pressure is immense. Each time I'm busy dealing with it and I'm exhausted, but each time I also learn a lot.
What happened yesterday?
Last night, while browsing the news before bed, I suddenly received a WeChat message from a friend saying that hellogwu had been hijacked. My first reaction was: Holy crap, no way… I opened it and sure enough! The website was redirected to go.padsdel. I turned on my computer in a cold sweat. I checked the server, but found nothing wrong. I also checked NS, but couldn't find anything wrong either… What happened?
After investigating for a long time without finding the cause, I discovered that only hellogwu.com and my personal website jing.do had problems. Generally speaking, non-profit websites like these are not usually targets for hackers, and the fact that only these two out of so many websites had issues immediately made me think of something bad.
Speculation aside, the problem still needed to be solved. I tried restoring from backups, but the issue persisted. Then I accidentally discovered that the website worked fine without HTTPS. After thinking for a while, I suspected the problem was with the CDN. Could the CDN's service provider (NS) have been hijacked? I checked various reports and glanced at Twitter, but there didn't seem to be any large-scale attacks. How strange.
Under HTTP, the website and database connections were all normal, and all the logs on the server and database were fine. This hacker was too good, leaving no trace... After going back and forth several times, it was already past 4 a.m. I really couldn't figure out the reason, so I could only redirect the website to a notice page and then take a break.
I got up again a few hours later, having received dozens of emails from users asking why the website was inaccessible. Suddenly, all sleepiness vanished, and I entered full combat mode. Actually, there was a question I hadn't been able to figure out in my sleep, a very mysterious one, and it was from this that I finally broke through. My mail.xxx.xxx domain's A record pointed at the server, and the server was configured to redirect it directly. Yet this domain was also hijacked. Logically, if a hacker had injected hijacking code into the server, the server would execute the code and redirect. But for this domain that made no sense, since the server itself showed nothing. In other words, the hijacking wasn't happening in the file system or on a port at all, but at the NS (network node) in front of the server.
Following this lead, I finally discovered the problem. Someone had logged into my NS console and added redirect rules… Damn it…
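The reasoning above can be turned into a repeatable triage step: for each hostname, compare what clients see through the public DNS/CDN path with what the origin answers when asked directly by IP, over both http and https, and look at where any redirect points rather than merely whether one exists (the mail host legitimately redirects to a site you own). The following script is an added example, not code from the original post; the hostnames, status codes and the `hijack.invalid` redirect target in the sample data are constructed, and the observations would in practice be collected by hand (for the origin side, e.g. `curl -sI --resolve hellogwu.com:443:<origin-ip> https://hellogwu.com/`).

```python
"""Locate a redirect hijack: origin server vs. the DNS/CDN layer in front of it.

Added example for this post, not the author's code.  Each Observation records one
manual request: the public path (hostname resolved normally, so through DNS/CDN) or
the origin path (request sent straight to the server IP with the Host header set).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Observation:
    host: str                # hostname the request was for
    scheme: str              # "http" or "https"
    via: str                 # "public" (through DNS/CDN) or "origin" (direct to server IP)
    status: int              # HTTP status code
    location: Optional[str]  # Location header, if the response carried one


def redirect_target(obs: Observation) -> Optional[str]:
    """Hostname a redirect sends the client to, or None if the response is not a redirect."""
    if not (300 <= obs.status < 400) or not obs.location:
        return None
    target = urlsplit(obs.location).hostname
    # A relative Location such as "/login" keeps the client on the same host.
    return (target or obs.host).lower()


def is_foreign(target: Optional[str], own_hosts: Iterable[str]) -> bool:
    """True if the redirect leaves every domain we own (subdomains count as ours)."""
    if target is None:
        return False
    return not any(target == h or target.endswith("." + h) for h in own_hosts)


def classify(observations: List[Observation], own_hosts: Iterable[str]) -> Dict[Tuple[str, str], str]:
    """Label each (host, scheme) pair with where an off-site redirect is introduced.

    "origin"  - the server itself answers with the foreign redirect: server compromised.
    "edge"    - only the public path redirects off-site: the rule lives in the DNS/CDN
                layer (the situation the post describes).
    "clean"   - neither path sends clients off-site.
    "unknown" - one side was not observed, so no conclusion is possible.
    """
    own = {h.lower() for h in own_hosts}
    sides: Dict[Tuple[str, str], Dict[str, Observation]] = {}
    for o in observations:
        sides.setdefault((o.host.lower(), o.scheme), {})[o.via] = o
    verdict = {}
    for key, pair in sides.items():
        pub, org = pair.get("public"), pair.get("origin")
        if pub is None or org is None:
            verdict[key] = "unknown"
            continue
        if is_foreign(redirect_target(org), own):
            verdict[key] = "origin"
        elif is_foreign(redirect_target(pub), own):
            verdict[key] = "edge"
        else:
            verdict[key] = "clean"
    return verdict


def summarize(verdicts: Dict[Tuple[str, str], str]) -> str:
    """Overall call: origin compromise outranks an edge-only rule, which outranks clean."""
    values = set(verdicts.values())
    if "origin" in values:
        return "origin"
    if "edge" in values:
        return "edge"
    return "clean"


# Constructed sample modelled on the symptoms in the post: https hijacked through the
# public path, http fine, origin clean; the mail host legitimately 301s to our own webmail.
OWN_HOSTS = ["hellogwu.com", "jing.do"]
SAMPLE = [
    Observation("hellogwu.com", "https", "public", 302, "https://hijack.invalid/"),
    Observation("hellogwu.com", "https", "origin", 200, None),
    Observation("hellogwu.com", "http", "public", 200, None),
    Observation("hellogwu.com", "http", "origin", 200, None),
    Observation("mail.hellogwu.com", "https", "public", 302, "https://hijack.invalid/"),
    Observation("mail.hellogwu.com", "https", "origin", 301, "https://hellogwu.com/webmail/"),
    Observation("mail.hellogwu.com", "http", "public", 301, "https://hellogwu.com/webmail/"),
    Observation("mail.hellogwu.com", "http", "origin", 301, "https://hellogwu.com/webmail/"),
]

if __name__ == "__main__":
    result = classify(SAMPLE, OWN_HOSTS)
    for (host, scheme), label in sorted(result.items()):
        print(f"{scheme}://{host}: {label}")
    print("overall:", summarize(result))
```

An "edge" verdict on a host whose origin is clean is the signal to stop searching the server's file system and logs and go straight to the DNS/CDN console's rule and audit history; an "origin" verdict points the other way.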
Everything was cleaned up and a security check was performed. The system is now back online.
This comprehensive investigation uncovered a host of problems, including some files that had been injected with malware. Although these were ruled out as being related to the attack, they still raised serious concerns.
Self-blame and doubt
This was a low-level attack where the other party knew my password and then entered the operating platform to modify the rules, but several questions arose in my mind:
- This attack happened right after I returned from San Francisco. During that time, I used the Wi-Fi in the hotel and on the plane. Was my password leaked at that time?
- If the password was leaked, why were only hellogwu and my personal website attacked?
First of all, this incident has made me extremely vigilant. I must never share passwords publicly, especially server and SA passwords. Also, I should use certificate-based login wherever possible. Now I'm actually quite scared; I didn't know my account had been compromised, and I really do need to change my passwords.
After all, it's okay if it's just your own account, but the data on the website is everyone's information, and if it's leaked, it's a serious matter.
Secondly, was it a coincidence or intentional? I tend to believe the latter. Password eavesdropping and leaks should be random. If it were random, the perpetrator should have hacked everything in all accounts at once; there would be no need to specifically target a few.
Furthermore, why HelloGWU and Jing.do? The former has huge traffic, which is understandable, but my personal website has no other value besides where I write articles and vent my frustrations.
This feels more like an attack against me. That person may be watching from the shadows, or even reading this post. But I want to tell them something: these websites are service-oriented. Please do not harm contributors and users. If there are always people like this, no one will be willing to contribute anymore. It's not a good thing if everyone is insecure.
Postscript
This is the third time this has happened. The first time, I lacked experience and lost all my files, but I learned my lesson and rebuilt the data. The second time, I was attacked by a random hacker, which taught me the importance of backups. This time, I realized the importance of protecting myself; my data is no longer just mine.
Furthermore, a true master will coexist with you, constantly draining your resources. The Peach Blossom Pool is a thousand feet deep; the sea of skill is as vast as the ocean.
All original articles on this site are released under the Attribution-NonCommercial-ShareAlike 4.0 License (CC BY-NC-SA 4.0). Please retain the following attribution when sharing or adapting:
Original author: Jake Tao, source: "Documenting the Third Hacking Attack"
Comments (1)
You could find like-minded friends to maintain hellogwu together. That way, you can support each other. A strong partnership is definitely worthwhile; even the most capable person can get exhausted by themselves.