Just four months after the hack by Hmei7, an Indonesian individual, my sharkdolphin.com got hacked again by another Indonesian hacker who called himself/herself Rexal Scooterist. Although there is nothing valuable on the web site, it still got hacked. This time, the hacker was kind enough not to delete any information except the index.php file in every single subdomain of sharkdolphin.com. I have to thank him/her for teaching me another security lesson. Here is roughly how the hacker did it:
1) On Sat Jul 27 12:41:45 2013, the hacker exploited a security hole in Joomla 1.x's JCE to upload a script to my old mtpham-hacked.sharkdolphin.com website, using a machine at IP address 220.127.116.11.
2) Using the script, the hacker quickly got access to all my other subdomains. He used the script to overwrite the main index.php files on them.
3) He then used a bunch of other machines with IP addresses starting with 69.171.xxx.xxx to access these newly modified index.php files. But no further damage was done to sharkdolphin.com.
I have blocked all these IP addresses. Let's see what else these Indonesian hackers can do.
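
A cleanup check for the timeline above, as an added example that is not part of the original post: blocking IP addresses leaves the uploaded script on disk, so this walks a web root and lists every PHP file changed at or after the upload time from step 1, separating overwritten index.php files from other PHP files that may be the uploaded script. The function names are hypothetical, and the timestamp is assumed to be server local time because the post gives no timezone.

```python
import os
import sys
import time

# Upload time from step 1 of the post. No timezone is stated there, so
# server local time is assumed.
UPLOAD_TIME = "Sat Jul 27 12:41:45 2013"


def parse_cutoff(stamp=UPLOAD_TIME):
    """Convert the ctime-style timestamp into epoch seconds (local time)."""
    return time.mktime(time.strptime(stamp, "%a %b %d %H:%M:%S %Y"))


def triage(webroot, cutoff):
    """Return (index_files, other_php) modified at or after cutoff.

    index_files: index.php files changed since the intrusion (step 2).
    other_php:   any other PHP file changed since then, i.e. candidates for
                 the uploaded script (step 1) that need manual review.
    Modification times can be reset by whoever controls the files, so an
    empty result is not proof that the site is clean.
    """
    index_files, other_php = [], []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(path).st_mtime  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable
            if mtime >= cutoff:
                bucket = index_files if name.lower() == "index.php" else other_php
                bucket.append(path)
    return sorted(index_files), sorted(other_php)


if __name__ == "__main__":
    # Usage: python triage.py /path/to/parent/of/all/subdomain/docroots
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    changed_index, suspects = triage(root, parse_cutoff())
    for p in changed_index:
        print("restore from backup:", p)
    for p in suspects:
        print("review, possible uploaded script:", p)
```

Run it against the directory that contains all subdomain document roots, since the script uploaded to one site was able to write to the others.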