Why would the hacker alert you

Hi,

Not long ago I asked for help in this forum because two of my sites were hacked, and after thinking about what happened and how I noticed that my sites were hacked, I started wondering why. What happened is this: one morning I woke up and checked one of my sites that uses WordPress, and to my surprise the index page had a picture that said “hacked by bla, bla…”. The same thing happened with my second site, except that this one wasn’t using WordPress (it only had a PHP contact form) and was done by a different hacker. This is where my question came from.

Why would the hacker alert me? Wouldn’t it be easier to do the hack without letting me know? I would probably have never noticed it.

Does it mean that the index page was the only file they could have access to and they just wanted to let me know about their success?

Are there some occasions where the only file hacked is the index file?

Of course the reason I’m asking is because I haven’t found any malicious scripts on the site that wasn’t using WordPress, and I’m trying to understand where the hack came from. Maybe from my hosting provider?

Thanks a lot!

The hacker alerted you for the glory. They weren’t out to take money or use your server for anything, just to show that they could.

Were your sites hosted on the same server? If so, your server was probably compromised. I would surmise that anyone who could edit your index page could probably edit any file they chose; also, the fact that both a WordPress and a non-WordPress site were edited suggests your system was totally compromised.

Are you using unsecured FTP by any chance?

Thank you for your reply!

Yes, both sites were on the same server (a shared server).
Yes, I’m using unsecured FTP. Does this make a difference? I thought SFTP was only to protect you from people connected to your network, and I have my network secured.

Should I start using SFTP? If yes, can I ask why and how would this make a difference?

Thanks

FTP sends your username and password in plain text with every request. It’s not just your own network you need to worry about, it’s every switch and cable between you and your server. I would switch to SFTP.

From what you say I can envisage three likely angles of attack.

  1. Your password was intercepted by a hacker sniffing packets.
  2. Your account was hacked using a brute-force or dictionary attack.
  3. Your shared hosting is insecure and your account was hacked from another account on the same box.

Without more information, 1 sounds like the most likely to me. Change your password to a random alphanumeric string, use an encrypted connection (SFTP or SSH) and check your hosting provider’s reputation for security. Also check your backup strategy :slight_smile:

No one likes getting hacked, hope you get it sorted :slight_smile:
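Of the three angles listed above, the second (a brute-force or dictionary attack against the FTP login) is the one that leaves a trace in the server’s own logs. The script below is an added example, not code from this thread or from any hosting provider: it parses a few constructed log lines in a simplified vsftpd-like layout (the format, IPs and usernames are made up for the demonstration) and flags any client that racks up repeated login failures inside a short window, noting whether a successful login followed the burst.

```python
"""Detect FTP brute-force / dictionary attempts in server auth logs.

Added example. The log lines below are CONSTRUCTED in a simplified
vsftpd-like layout; real log formats differ, so adapt LINE_RE.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

# Constructed sample lines: timestamp, result, user, client IP (documentation IPs).
SAMPLE_LOG = """\
2013-04-02 03:14:01 FAIL LOGIN user=admin client=203.0.113.7
2013-04-02 03:14:02 FAIL LOGIN user=admin client=203.0.113.7
2013-04-02 03:14:02 FAIL LOGIN user=root client=203.0.113.7
2013-04-02 03:14:03 FAIL LOGIN user=test client=203.0.113.7
2013-04-02 03:14:04 FAIL LOGIN user=site client=203.0.113.7
2013-04-02 03:14:05 FAIL LOGIN user=site client=203.0.113.7
2013-04-02 03:14:06 OK LOGIN user=site client=203.0.113.7
2013-04-02 09:00:00 FAIL LOGIN user=site client=198.51.100.4
2013-04-02 09:00:30 OK LOGIN user=site client=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<result>OK|FAIL) LOGIN user=(?P<user>\S+) client=(?P<ip>\S+)$"
)


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: {"failures": n, "users": [...], "success_after": bool}}
    for every client with >= threshold failures inside window_seconds.
    "success_after" marks the worst case: a login succeeded after the burst."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) failures still in the window
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        if ev["result"] == "FAIL":
            q.append((ev["ts"], ev["user"]))
            # Slide the window: drop failures older than window_seconds.
            while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    ev["ip"], {"failures": 0, "users": set(), "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
                entry["users"].update(user for _, user in q)
        elif ev["result"] == "OK" and ev["ip"] in flagged:
            flagged[ev["ip"]]["success_after"] = True
    return {ip: {"failures": e["failures"],
                 "users": sorted(e["users"]),
                 "success_after": e["success_after"]}
            for ip, e in flagged.items()}


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The first angle, a password captured off the wire, produces no failed logins at all: the attacker simply logs in correctly, so nothing in the server log distinguishes it from the owner. That is why the advice to switch to SFTP matters regardless of what the logs show.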

Thanks a lot!

In fact the password I was using was a four-letter password, so I hope that was the problem because that’s an easy fix. I will try to set up SFTP, and of course now I’m using a more robust password.

Thanks a lot for your help!

Oh, how about logging in directly to cPanel? Could this be risky too? Should I use SFTP to access the server files all the time instead of using cPanel directly?

Thanks a lot for your help!

cPanel’s OK, as long as it’s over an HTTPS connection. Don’t get too paranoid though, it’s only a website :slight_smile:

A four letter password is very, very, very easy to crack, and if it was a real word, it’s even easier than that.

Use at least 12 characters. If your cPanel has a Password Generator, use the password it creates for you.

Thank you all for your comments!

  1. The hacker(s) found a vulnerability on your page (it could be a script, plugin, insecure form, etc.) and exploited it to deface the index page.

He probably alerted you for his own glory, as this type of hack gives good karma in the hacking culture.

Most hackers (read: script kiddies) don’t do more harm than rename your index page and switch it with their own, as they only use tools made by others to achieve this…

That’s good to know, and it’s probably why my sites were never banned by Google.

Thanks a lot for your comments!

You need to follow the steps below for a secure FTP password:

a) First, remember to “Sign Out/Log Out” from any of the “services”.

b) Use a strong, long and complex password; the more variety of characters you have in your password, the harder it is to guess.

c) Avoid sequences or repeated characters in your password.

d) Use a mix of letters, numbers and symbols, and use case sensitivity.

e) Avoid dictionary words in any language.

f) Try to memorize the password, and avoid writing it down.

g) Avoid using only one password for all your accounts.

h) Last but not least, change cPanel / FTP passwords often.
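The rules in steps b) to e) above, together with the earlier advice that a four-letter password is trivial to crack and that 12 characters should be the minimum, can be turned into a checker. The script below is an added example, not from this thread or from cPanel: it validates a candidate password against those rules and estimates the keyspace an attacker who knows only the length and character classes would have to search. The wordlist is a tiny constructed stand-in; a real deployment would load a full dictionary file.

```python
"""Password policy checker for the rules listed in the thread.

Added example. DEMO_WORDLIST is a CONSTRUCTED stand-in for a real dictionary.
"""
import math
import string

MIN_LENGTH = 12  # "Use at least 12 characters"
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
# Constructed wordlist; swap in a full dictionary (any language) in practice.
DEMO_WORDLIST = {"password", "admin", "letmein", "welcome", "test",
                 "summer", "qwerty", "wordpress"}


def has_sequence(pw, run=3):
    """True if pw contains `run` chars stepping by +1/-1 (abc, 321)
    or `run` identical chars in a row (aaa)."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def contains_dictionary_word(pw, wordlist=DEMO_WORDLIST, min_len=4):
    """Case-insensitive substring check against the wordlist."""
    low = pw.lower()
    return any(w in low for w in wordlist if len(w) >= min_len)


def present_classes(pw):
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def check_password(pw, wordlist=DEMO_WORDLIST):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short: {len(pw)} < {MIN_LENGTH} characters")
    if len(present_classes(pw)) < 4:
        problems.append("needs lower case, upper case, digits and symbols")
    if has_sequence(pw):
        problems.append("contains a sequence or repeated characters")
    if contains_dictionary_word(pw, wordlist):
        problems.append("contains a dictionary word")
    return problems


def keyspace(pw):
    """Candidates a brute-force attack must try if it knows only the length
    and which character classes are in use (e.g. 26**4 for 'test')."""
    alphabet = sum(len(CLASSES[name]) for name in present_classes(pw))
    return alphabet ** len(pw)


def entropy_bits(pw):
    return round(math.log2(keyspace(pw)), 1)


if __name__ == "__main__":
    for candidate in ["test", "abc123xyz", "k9#Vq2!mXr7$"]:
        print(candidate, keyspace(candidate), entropy_bits(candidate),
              check_password(candidate) or "OK")
```

The keyspace figure is the point of the "four letters is easy" remark: 26**4 is under half a million candidates, while a 12-character password drawing on all four classes gives 94**12, which is about 10**23. An online attacker is also slowed by the server’s rate limiting, but a leaked FTP password needs no guessing at all, so the checker complements, rather than replaces, the move to SFTP.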

Hi,
I think there are two types of hackers: one who hacks for fame or glory, and the other who hacks to cause harm to people (maybe financial or some other type of harm).

And you were attacked by the first type of hacker…
These types of hackers do hacking just for fun, and for no other reason…
Maybe your site has some type of loophole or backdoor by which they entered your site, so check for all possible loopholes, and change the admin password if there is any such kind of provision in your site.

Thank you all for your comments!

Well, it may have been glory, or it may have been like the people I know: they look at some crappy system, sigh loudly, shake their heads that such a system is still being used by anyone at all, then break in to show the sheep how silly or dangerous they are being with their info.

Hmm, interesting.

Thanks a lot for your comments!

…but the admin is not as dumb as he may look, and logs all activity and has it sent to another server and emailed to several addresses as well, so now he contacts the authorities and starts the act of tracking the guy(s)’ IP and sends requests for info regarding this to several sysadmins and ISPs about their server and wingt/proxy logs, and tracks the guy(s) to their city and house… one can wonder, who’s the sheep now…

I have tracked morons down many times over the last 13 years. Sometimes it’s “impossible”, well, at least not worth it and maybe even impossible, but other times it’s almost fun.

and start the act of tracking the guy(s) ip

Uh-huh, yes, everyone does this directly from their bedrooms and they never try proxies or anything. Cause they want trouble : )

And if they really did, wow, yes it is satisfying watching jack-booted feds jump in through the windows like in a movie “MOVE YOUR HAND AWAY FROM THE KEYBOARD, SLOWLY!” lawlz

sysadmins and ISP’s about their server and wingt/proxy logs

Using a proxy doesn’t mean you are safe, and there are several types of proxy servers too: some non-anonymous, others transparent, forwarding, reverse etc… and then anonymous proxy servers.

And even chaining several anonymous proxy servers doesn’t make you safe, as anonymous proxy servers tend to log all the activity, and there will be more tracks on every hop, which can ease the trace.

Contacting the authorities, and also the sysadmins of these servers, can result in getting the logs so you can continue tracing the hacker through several proxy servers, anonymous or not.

They may also get a court order about handing out the logs.

Of course this can be difficult (and impossible) if you have to track him through several countries, but who said it would be easy :wink:

This is how hackers get caught: cooperation between people.

And now, I have some cake to devour here :smiley:

^self-baked I assume : )