Updated FEB 25: Please scroll down for latest update.
Warning: Long post. In case of a Teal Deer (TL;DR), scroll right down to the short version.
As most of you will know, Sunsetsims had been down for some time before the recent hacking. As far as we know this was due to server issues: the server was unable to cope with the large volume of visits Sunsetsims attracts. Sunset will be resolving these issues shortly and the downtime is only temporary. Users can still get updates/requests —>HERE<— (link updated).
On 3rd Feb, even though the site was down, SunsetSims was hacked: a large number of files were deleted, including downloads and WordPress files. Config files were backed up and downloaded by the hacker, and a new index file containing a redirect to TSR was uploaded. The server host, Pescado, was contacted for any assistance he might be able to give. Basically there was nothing left of the site to salvage, so it was just a case of him securing the site and providing any information that might help identify the hacker.
It struck me as unusual that TSR would attack a site that was already down; in fact, it was VERY unusual that they did not hack it while it was up and still a threat to them. How did they even know the site was accessible in its current state? Why did they back up the WP config? Sunset is the only admin, and they clearly had her password already, so unless they were planning on restoring the site structure I could not figure out their endgame. Also unusual was TSR doing a redirect directly to their own doorstep… But hey, this is TSR and they do not always play by the book.
Pescado checked the FTP logs, and as the site had been down for so long, only one IP had recently logged in, and it did not belong to Sunset. This IP was logged as entering the site at around the time of the hack, spending two and a half hours deleting files, backing up the config file and uploading a new index file that contained the redirect to TSR. This was the ONLY IP to have logged in on that day, or on any of the days before the attack. No other IP logged in after this. The IP was 126.96.36.199.
I traced the IP back to Australia and was interested to see it was NOT a proxy. I started checking through my old message logs, working on the theory that this was someone trying to frame TSR, and so might be on THIS side of the fence. I have never wanted to be more wrong, but I was not prepared to issue an article stating that TSR hacked Sunset when I had doubts that this was true. I found a few matches in my shoutbox from someone with an obvious beef against Pescado, urging Sunset to leave Pescado’s hosting and set up with a better host (and other general anti-Pescado remarks). We now had a motive for the attack, but unfortunately not a ‘who’, as the poster posted under several generic names, none of which was recognizable as a ‘genuine’ community member. While I was searching through old post and comment IPs, another shout was posted by the same IP as the hacker:
So, the hacker could add impersonation to his ‘talents’. Shane, AKA Shan0w AKA Shane_Gowland, is known to the community as a pillar of society; he has himself been the victim of a nasty TSR hack. I assisted him as much as I could at the time, and in return he has assisted me. He has also spent time trying to help Sunset: she gave him the FTP password to her site, and although he was unable to fix any problems, she was very grateful for the time and effort he spent in there trying. His knowledge of WordPress and websites in general is good, and we valued Shane as a good friend and ally. He is an all-round nice guy, and I was really annoyed that this scumbag hacker would be using Shane’s good name to agree with his own nasty posts, especially as the real Shane had been so kind as to write to Sunset immediately after the hack and offer his assistance. Luckily I have many examples of the real Shane’s IP, so it would be easy for me to discount the ‘imposter’. Sadly, all I found was that both the ‘imposter’ and the hacker were in fact the real Shane. Shane uses 3 IP bands; one of these, the one he uses the most, is a match to Sunset’s hacker and the poster (the others being dynamic addresses in the ranges of, for example, 188.8.131.52 and 184.108.40.206).
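The two checks the post relies on, pulling the distinct IPs that logged in over FTP during the attack window and summarising what each session did, and then matching a session's IP against the address bands a known person has posted from, are the kind of thing worth scripting rather than eyeballing. The following is an added example written for this post, not Pescado's tooling or anything from the original article. The log lines, the log format ("timestamp ip command argument", not any particular FTP daemon's), and the address bands in `KNOWN_BANDS` are all constructed for the demonstration; the indicators it looks for (mass deletion, wp-config.php downloaded, a new index file uploaded) are the ones the post describes.

```python
import ipaddress
from datetime import datetime

# Constructed sample FTP activity log (not from the post, and not the format of
# any particular FTP daemon): "timestamp ip command [argument]".
SAMPLE_LOG = """\
2012-02-01T10:02:11 198.51.100.7 LOGIN user=sunset
2012-02-01T10:05:40 198.51.100.7 STOR /public_html/wp-content/plugins/fix.php
2012-02-01T10:06:02 198.51.100.7 LOGOUT
2012-02-03T21:05:12 203.0.113.45 LOGIN user=sunset
2012-02-03T21:06:01 203.0.113.45 DELE /public_html/wp-content/uploads/set1.zip
2012-02-03T21:06:03 203.0.113.45 DELE /public_html/wp-content/uploads/set2.zip
2012-02-03T21:06:05 203.0.113.45 DELE /public_html/wp-login.php
2012-02-03T22:10:44 203.0.113.45 RETR /public_html/wp-config.php
2012-02-03T23:34:50 203.0.113.45 STOR /public_html/index.php
2012-02-03T23:35:12 203.0.113.45 LOGOUT
"""

# Hypothetical address bands. The post matches the hacker's IP against the
# ranges a known user had posted from; these networks are made up for the demo.
KNOWN_BANDS = {
    "site-owner": [ipaddress.ip_network("198.51.100.0/24")],
    "suspect":    [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("192.0.2.0/24")],
}

def parse_log(text):
    """Return a list of (timestamp, ip, command, argument) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, cmd, *rest = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), ip, cmd, rest[0] if rest else ""))
    return events

def logins_between(events, start, end):
    """Distinct IPs that logged in within [start, end] (ISO-8601 strings):
    the first question the host answered from the FTP logs."""
    start, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return sorted({ip for ts, ip, cmd, _ in events
                   if cmd == "LOGIN" and start <= ts <= end})

def sessions_by_ip(events):
    """Aggregate what each IP did: time span, deletions, downloads, uploads."""
    sessions = {}
    for ts, ip, cmd, arg in events:
        s = sessions.setdefault(ip, {"first": ts, "last": ts, "deleted": 0,
                                     "downloaded": [], "uploaded": []})
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        if cmd == "DELE":
            s["deleted"] += 1
        elif cmd == "RETR":
            s["downloaded"].append(arg)
        elif cmd == "STOR":
            s["uploaded"].append(arg)
    return sessions

def duration_minutes(session):
    """Whole minutes between the session's first and last logged event."""
    return int((session["last"] - session["first"]).total_seconds() // 60)

def suspicious_reasons(session):
    """Indicators matching the pattern the post describes: mass deletion,
    the config file pulled down, and the site's index replaced."""
    reasons = []
    if session["deleted"] >= 3:
        reasons.append(f"deleted {session['deleted']} files")
    if any(p.endswith("wp-config.php") for p in session["downloaded"]):
        reasons.append("downloaded wp-config.php")
    if any(p.endswith("/index.php") or p.endswith("/index.html")
           for p in session["uploaded"]):
        reasons.append("uploaded a new index file")
    return reasons

def attribute_ip(ip, bands=KNOWN_BANDS):
    """Names of every known band the address falls inside (may be empty)."""
    addr = ipaddress.ip_address(ip)
    return [name for name, nets in bands.items() if any(addr in n for n in nets)]

def investigate(text, start, end):
    """Per-IP report for every address that logged in during the window."""
    events = parse_log(text)
    sessions = sessions_by_ip(events)
    report = {}
    for ip in logins_between(events, start, end):
        s = sessions[ip]
        report[ip] = {"minutes": duration_minutes(s),
                      "reasons": suspicious_reasons(s),
                      "bands": attribute_ip(ip)}
    return report

if __name__ == "__main__":
    for ip, info in investigate(SAMPLE_LOG, "2012-02-03T00:00:00",
                                "2012-02-04T00:00:00").items():
        print(ip, info)
```

Run against the constructed log, the only login on 3rd Feb is 203.0.113.45, its session spans 150 minutes, it trips all three indicators, and it falls inside the "suspect" band; the earlier 198.51.100.7 session trips none. A band match is only as good as the bands themselves: shared or dynamic ranges put several people behind the same prefix, which is why the post's author cross-checked against many previous examples of the same person's addresses rather than a single hit.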