Babyhazel.org site hacked

wordpress

#1

My friend created the babyhazel.org site for family and friends to update them on the condition of her baby Hazel, diagnosed with a malignant brain tumor.

Hazel passed away in August, and they’ve only recently become aware of Hazel’s site being hacked:
http://babyhazel.org

I am not an admin for that site and I don’t have any admin privileges, but I know they would dearly love their site restored if possible.

They are not technical and don’t really have any idea how to restore their site as it was.

More on Hazel, with a mention of their site:
http://santacruzsentinel.com/story.php?sid=33621


#2

The very first thing to do is to have them log onto their site via sftp or ssh, and see if the original content is there (with just a new index page being hacked).

If it is, it should be fairly easy to recover the original content.

Since you said they are not very “technical”, they may well need some help with this.

–rlparker


#3

I am at least somewhat technical and it looks to me like everything is gone; none of the old links work and the images are gone.

So either they deleted everything, or moved/renamed it, which would be relatively easy to fix.


#4

I’m assuming that you are checking via your bookmarks, or other retained links (since you said you do not have “admin” credentials for the site)?

Was this site running some type of blog or other software (WordPress, etc.)? I’m only asking that as the data for the previous content may still be in the database (if it was not altered).

Someone really needs to take a look at the site directories themselves, using FTP or a shell client, and check the DreamHost-maintained “.snapshots” dirs to see if the “old” content is archived there.

The internet archive indicates that two pages were archived, though they are not available for viewing.

Obviously, the content has been deleted, moved, or renamed as you can’t see it with your existing links - the next step is to actually look at what is actually on the server.

Have you been in contact with the owners of the site to see if they will provide you with credentials to do this?

Short of doing that, suggesting that they contact DH support to see if they can retrieve a “good” backup is all I can offer in the way of help.

At any rate, the password for the FTP/Shell user should be changed immediately, and the source of the exploit should be identified - there is little point in “fixing” it only to have it hacked again. :wink:

–rlparker


#5

Online backups are in a .snapshot directory hidden in your user directory. Those are up to two weeks old.
http://wiki.dreamhost.com/Snapshot_data_restoration

-Scott
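
One way to carry out the check the replies above describe (is the old content gone, changed, or still there?), as an added example that is not part of any poster's message: it compares the live web directory against a snapshot copy and lists what is missing, altered, or newly present. The function name and the paths in the usage comment are assumptions; take the real snapshot path from the wiki page linked above.

```shell
#!/bin/sh
# Added example (not from the thread): compare a live site directory with
# a snapshot copy of it. Read-only: nothing is restored or deleted.
#
# Usage (both paths are assumed placeholders):
#   sh compare_site.sh ~/example.org ~/.snapshot/<snapshot-name>/example.org
#
# Output, one line per file:
#   MISSING path  - present in the snapshot, gone from the live site
#   CHANGED path  - present in both, but the contents differ
#   NEW path      - only on the live site; review it before keeping it
compare_site() (
    live=$1
    snap=$2
    [ -d "$live" ] && [ -d "$snap" ] || {
        echo "usage: compare_site LIVE_DIR SNAPSHOT_DIR" >&2
        exit 2
    }
    # Walk the snapshot: anything absent or different on the live side
    # is a candidate for restoring.
    (cd "$snap" && find . -type f | LC_ALL=C sort) | while IFS= read -r f; do
        if [ ! -f "$live/$f" ]; then
            echo "MISSING ${f#./}"
        elif ! cmp -s "$snap/$f" "$live/$f"; then
            echo "CHANGED ${f#./}"
        fi
    done
    # Walk the live site: files the snapshot never had were added after
    # the snapshot was taken, possibly by whoever defaced the site.
    (cd "$live" && find . -type f | LC_ALL=C sort) | while IFS= read -r f; do
        [ -f "$snap/$f" ] || echo "NEW ${f#./}"
    done
)

# Run directly when given two directory arguments.
if [ "$#" -eq 2 ]; then
    compare_site "$1" "$2"
fi
```

Because snapshots only reach back a limited time, run the comparison against the oldest one available as well as the newest, in case the newest already contains the defaced files.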


#6

Also, consider immediately disabling FTP access if you have not already done so. SFTP is a more secure alternative.

si-blog


#7

Thank you for that information.

I’m in contact with Hazel’s mom; she’s trying to locate the login information so we can get rid of that page.