1000s of sites defaced by nobodycoder in July - Were your domains / sites hit ?

[RTM]

I did a search here on NP and was a bit surprised that there were no results for NobodyCoder ... for those you of you who are unaware of the story, on July 1st several thousand sites on the 'net were hacked (index.php and index.html pages) were defaced... those index pages were replaced by a photo and message regarding the elections in Iran.

The message displayed was :

From IRAN

[email protected]

Hey Stupid Fly Catcher Obama! Stop talking about Iran and telling to your dogs (UK, France, Germany) to talk about Iran and Iran Election. Keep working on your own country and try to solve economic crisis in your hungry country! Iran's election doesn't have problem and Moosavi with his tiny brain will be in jail in near future, so don't pay your time and money for him and for his fans. 80% of Iranian people hate Moosavi nowadays... We never cheated in elections and even Moosavi knows that. So it's time to finish this kind of activities and it's better each country work on its own business.

uid=0(root) gid=0(root) groups=0(root)

Unknown_3rr0r - Th3_Analyz3r - su_r00t - Access Violation

The hack / site defacement was apparently done by exploiting a weakness in the MyBB forum software. If you were running an outdated version of MyBB on one of your domains, you may have been a victim. Essentially, the hacker replaced all instances (recursively, and within zip archives as well) in your web directory with the message.

Did you get hit by NobodyCoder? Were you able to recover your site? In most cases where we assisted clients (running old versions of MyBB) the MySQL databases were not compromised, and as such it was simply a matter of restoring the relevant index.php / index.html files from a backup.

Just goes to show how important it is to keep all server software patched and up to date.... and most importantly, always have backups of your files (and databases) ready!

A screen-shot of the NobodyCoder defacement is below...

If you were hit, hopefully you were able to recover.

Cheers,
Rob

 

[networkmsia]

pheewww....
luckily i was using phpbb

 

[TylerW]

Very interesting...I caught wind of this, but this is the 1st I have ever really read much about it. Good update on this nobodycoder stuff. I haven't been able to read anything about it until now. thanks!

 

[labrocca]

Early on he used this exploit on my biggest Mybb site (hackforums.net). I run MybbCentral.com and a Mentor at Mybboard.net. He used the exploit on me and I immediately investigated and within a couple hours found the vulnerability and worked with Mybb to patch it. Two hours later 1.4.7 patch was released. I probably stopped thousands more from being exploited.

The exploit was published at milw0rm.
MyBB <= 1.4.6 Remote Code Execution Exploit

Someone decided to contact mybb's staff informing about this vulnerability with the obvious result that this will not work anymore.
****ing moron.

I like that part...he is obviously talking about me. btw...none of my Mybb sites were defaced.

People are still getting exploited and it's a real shame because I believe 95% of the hacks have been after the patch was released.

This kid nobodycoder has pissed off a lot of people.
Zone-H.org - Unrestricted information | Defacements archive

That's a list of over 8000 defaced sites.

The 1.4.7 patch was released June 14th. More than enough time was given to patch.

 

[=-TeddyBear-=]

sorry but i think calling KID to some one that hacked over 8000 sites and EVEN US FORCED GOOGLE TO DELETE HIS NAME is not fair,

dont take it personally but for example while namepros website after many years still goes down every day over 1 hour, how can you call some one skilled more than you ,for sure, a KID?

in other word,you should be some one Big to call others=> hehe you are SMALL

sorry if i was too honest with you.

 

[labrocca]

dont take it personally but for example while namepros website after many years still goes down every day over 1 hour, how can you call some one skilled more than you ,for sure, a KID?

Sorry but I don't own or run Namepros. NobodyCoder is not more skilled than me. I can almost guarantee he is a teen too. Do you have knowledge otherwise?

Who else but a kid has time to hack 8000 sites?

 

[=-TeddyBear-=]

well at first i didnt want to answer your Quote cause it would look like fight,but....

its not about TIME,while US and even Google trying to rise the fire for example in IRAN.IRAQ,or even PAKISTAN
you think they just wait and say THANKS ALOT?
i dont know if you check the news but the problem is some thing very higher than that i be able to explain in this thread

+may be you not be the owner,but at least you can help them?why not?
++about my knowledge why not betting on one of your sites?

 

[labrocca]

This kid was defacing sites well before the iranian election.

Zone-H.org - Unrestricted information | Defacements archive

He has that account since April, 2006. He is a hacker. A skiddie that has taken up a cause. His Anti-American stance is a facade. He was hacking Russian, Turkish, and German sites too. Pretty much anything his script would exploit.

++about my knowledge why not betting on one of your sites?

I didn't bet your knowledge now did I? Unless you want to admit your NobodyCoder.

Are you aware that I own the #1 hacker community on the internet?

 

[exponent]

60% of hackers are teenagers or young adults, so yeah, I think it's a fair assumption to say NobodyCoder is a "kid". He obviously revealed his childishness by defacing multiple websites. Based on his grasp of the English language, I would venture to say that:

1.) He's probably a first year university student.
2.) He thinks he has a grasp on politics but clearly does not. He's a follower, not a leader.
3.) I seriously doubt he is Iranian. Especially with the mail.ru address. I would venture to say he's just a trouble maker. The reason I say this is that most Middle Eastern people tend to be devout Muslims and such a massive undertaking would likely include a reference to God/Allah and/or the Prophet Mohammed.

He should have payed a little more attention in Middle Eastern Culture. =)

 

[GreenGambler]

This is the first I've heard of the NobodyCoder, thanks for sharing.. I'll be on the look-out.

 

[gafadi]

not by this but at the same time and around these time i had several of these attacks where the hacker changes the index.html or index.php page only no internal damage, my hacks had message of islam and a flag of islam , it were some Bulgarians hacker