The Herald website hacked, used to propagate pornography

We received several tips this morning from readers alerting us that the Herald website, www.herald.co.zw, had been compromised. We checked. It was. The hack was silent, with links to pornography sites inconspicuously placed on every page of the site. Both the Herald and Webdev, the company that developed and hosts the website, were alerted, and the issue has since been resolved.

The porn links were placed close to the bottom of each page on the site and you could only see them by checking the source of the site, or carefully hovering the mouse around the white space at the end of the body of each page. Like this:

[Image: Herald Hack]

Here’s a screenshot of the source:

We’re guessing the hack was done for SEO purposes and was not a malicious attack targeted at the Herald itself. We will try to get an official comment from the Herald on what caused the issue.
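
An added example, not part of the original article: a small scanner a site owner could run over saved page source to surface links like the ones described above. The heuristics (an off-site link with no visible anchor text, or one sitting under an inline style that hides it), the sample page and the `example.invalid` hosts are assumptions constructed for illustration; the article does not say how the links were hidden.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style tricks that keep a link out of sight (an assumed, non-exhaustive set).
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![\d.])"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}"
    r"|(?<![-\w])color\s*:\s*(?:#fff(?:fff)?\b|white)", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "wbr"}


class HiddenLinkFinder(HTMLParser):
    """Collects off-site <a> tags that a visitor would not see on the page."""

    def __init__(self, site_host):
        super().__init__(convert_charrefs=True)
        self.site_host = site_host.lower()
        self.stack = []      # (tag, hidden) for every element currently open
        self.link = None     # the off-site <a> being read, if any
        self.findings = []

    def _off_site(self, href):
        host = (urlparse(href).hostname or "").lower()
        same = host == self.site_host or host.endswith("." + self.site_host)
        return bool(host) and not same

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # An element is hidden if it, or any ancestor, carries a hiding style.
        hidden = bool(HIDING_STYLE.search(attrs.get("style") or "")) or \
            bool(self.stack and self.stack[-1][1])
        if tag == "a" and self._off_site(attrs.get("href") or ""):
            self.link = {"href": attrs["href"], "line": self.getpos()[0],
                         "hidden": hidden, "text": ""}
        elif tag == "img" and self.link and not hidden:
            self.link["text"] += "[img]"      # an image counts as visible content
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_data(self, data):
        # Text inside a hidden element does not count as visible anchor text.
        if self.link and not (self.stack and self.stack[-1][1]):
            self.link["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self.link:
            reason = None
            if self.link["hidden"]:
                reason = "inside hiding style"
            elif not self.link["text"].strip():
                reason = "no visible anchor text"
            if reason:
                self.findings.append({"line": self.link["line"],
                                      "href": self.link["href"],
                                      "reason": reason})
            self.link = None
        for i in range(len(self.stack) - 1, -1, -1):   # tolerate unclosed tags
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(html, site_host):
    finder = HiddenLinkFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: two legitimate links, then three injected ones.
SAMPLE_PAGE = """<html><body>
<div id="content"><h1>Headline</h1>
<p>Story with a <a href="http://www.herald.co.zw/sport">sports link</a> and
an <a href="http://partner.example.org/">outside source</a>.</p></div>
<div style="position:absolute; left:-9999px"><a href="http://one.example.invalid/">spam</a></div>
<a href="http://two.example.invalid/x"> &nbsp; </a>
<p><a href="http://three.example.invalid/"><font style="color:#ffffff">x</font></a></p>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_links(SAMPLE_PAGE, "herald.co.zw"):
        print(f"line {f['line']}: {f['href']} ({f['reason']})")
```

Links hidden through an external stylesheet or injected by script at load time are not caught by inline-style checks like these; comparing the served page against a known-good copy covers those cases.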

The Herald is Zimbabwe’s biggest daily newspaper by circulation. It is owned by Zimbabwe’s largest newspaper publisher, Zimpapers. Zimpapers also publishes The Chronicle, The Sunday Mail and The Sunday News, among other titles.



40 Comments

  1. Madziva says:

    A couple of websites we host with YoAfrica were hacked two weeks ago, they are just plain html websites, no joomla and I am sure the herald is hosted by WebDev where we also still have a few sites. In this case I say these local hosting service providers need to be serious considering how expensive they are and I am sure there is no duty paid for their international hosting so I don’t see the justification in the pricing! WHERE ARE WE GOING WITH LOCAL HOSTING? DON’T WE HAVE THE EXPERTS IN THESE COMPANIES?

    1. Anonymous says:

       Host your sites outside. It’s better to be safe than sorry. It’s cheaper, faster, even more reliable.

      1. slackie says:

        it’s faster for most local isp users to browse locally hosted sites

        1. Anonymous says:

          Yah you are right.

    2. Joe Black says:

      People shouldn’t rush to blame the hosting company in these situations. As for YoAfrica, a website being hacked is NOT the web server being compromised, but I have noticed it is one of two things:

      1) With CMSs, people put unsecure passwords with an “admin” login, and a brute force simply figures it out

      2) People set 777 permissions on their web folders, i.e. they give PUBLIC WRITE permissions to their sites. This way it doesn’t matter if you’re plain HTML or PHP or whatever, you will be compromised.

      I suggest anyone who owns a website familiarise themselves with basic security protocols, or make sure their developer or whoever has ACCESS to their infrastructure is familiar with the basics. Secure backend passwords and 755 file permissions are just part of the basics.

      1. Anonymous says:

        You do have a point there

        1. Tapiwa ✔ says:

          Except that plain HTML, even when set as 0777 requires the attacker to have a valid user on the system. Without CMS/PHP as a vector – then the host is to blame.

      2. Anonymous says:

        True

  2. Anonymous says:

    Lol WebDev !! *wink

    Washa!

  3. Madziva says:

    Maybe Techzim, YoAfrica, WebDev, Ecoweb can organise a Workshop for your clients (Website Designers) on Securing Their Websites (Joomla, WordPress, Drupal, Plain Sites etc). Funny enough, the same websites hosted outside do not get hacked or do not get hacked that often. I applaud the work local hosting providers are doing by the way. But you should relook at your prices, they are not justified.

    1. kthaker says:

      unfortunately that is why they are called hackers. they hack, exploit and even brute force their way into something to get access. web hosting, by nature, will always be insecure. i think you might want to read about sony and the playstation network hacks that happened last year, or even wordpress.com’s Automattic hack last year. these things happen, whether you are ‘secure’ or not. it’s the reason why software will always have to be updated and patched. i’ve always said, the most secure server or desktop is the one that has no network connection to it, and is unplugged from the power socket. 🙂

      1. Wonder says:

        You look like you are giving in too easily dude!

    2. slackie says:

      a security workshop for clients is a good idea. re: prices they are slightly more expensive in zim because bandwidth is more expensive, and we don’t buy servers in volume, and we have to cater more for power cuts. 

    3. Tsitsi says:

      Those local service providers you are asking to hold workshops are the ones with the sites getting hacked. Do not even mention Ecoweb as we all know what happened to the econet website and we are just reading an article about a Webdev site being hacked.

      1. Joe Black says:

        Like I said in a post above, there’s a massive difference between a CLIENT WEBSITE being hacked, and a HOSTING SERVER being hacked. As a host, you can secure your server all you want, but if the website owner is lax about THEIR (yes, their) security, it’s not on you.

  4. Get your $50 website here :) says:

    hope this was not harrison ford trying to get his point across to webdev

  5. KuraiMGT says:

    On a lighter note, I was actually thinking Techzim was also compromised by drug pushers when I glanced at an advert on this page about Wonga, on first passive glance, thought it read Whoonga. Living in a whoonga (drug - concoction of ARVs and others) infested land, I thought…….. lol

  6. Tete says:

    You wd be lying to say websites don’t get hacked abroad, sony, paypal, amazon, fbi, whitehouse to mention a few high profile websites got hacked and we read about it. If you hosting yo little website selling half eaten mangos then who would want to hack it? Herald is the most popular website in the country, I’m actually surprised it held on for so long without being compromised. Naf respect to local guys putting effort

  7. Anonymous says:

    Web Devs:
    - have code standards (don’t write vulnerable code in the first place)
    - should have a security checklist before going live with a site
    - scan their code for vulnerabilities (for .net http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=19968)

    Hosting provider:
    - have strict security standards for websites you host (e.g. for known security holes like file system permissions, cross domain policy etc)
    - scan all sites before going live, if they don’t pass the scan. Only sites that pass can go live [nikto (free), skipfish (free), hpwebinspect (paid), netsparker (paid)]
    - regularly scan all sites you host for vulnerabilities (devs can replace vulnerable code after initial scan)
    - ensure server has latest updates/patches, esp security ones

    There are many other things that need to be done to secure a site, some links:
    http://googlewebmastercentral.blogspot.com/2007/09/quick-security-checklist-for-webmasters.html
    http://www.hotjoomlatemplates.com/blog/joomla-security/25-joomla-15-security-checklist

    1. Tete says:

      you will still get hacked

    2. Joe Black says:

      Useful contribution. *like*

      1. Madziva says:

        joe we need to know about all those things like sql injection and also how to block those russian, ukraine, chinese IPs which I am sure could be the source of some of the hacks

    3. Madziva says:

      hey dude, we host the same websites internationally and they are not hacked. the servers are secure there from experience and probably are manned by experts who are better and well paid as compared to ourselves. maybe bandwidth is not expensive out there, thus far they invest in securing their clients and their servers. so i do not think it is anything to do with standards. we need a workshop hosted by the local service providers and they let us know those standards and what they expect of us in terms of securing our websites in their hosting environment. in fact with most local servers, you are given a contract and a form or email (webdev) with your login details. nothing more, no house keeping information or brochures etc etc

      1. Joe Black says:

        Fair enough, I believe providers can do more to assist uninformed customers about how to secure themselves.

        But the onus is NOT on your hosting provider to tell you how to protect YOUR website at the code level. The host provides you space and bandwidth – what you do with it (within law) is now up to you.

        As long as their server isn’t being hacked, and their internet connection is up, you have to agree that they have fulfilled their obligation to you!

        If you put up an unsecure site, or change your permissions to allow public write, that’s actually. Your. Fault. You have to take responsibility for your mistake, and before it happens, take responsibility for protecting yourself from possible intrusion.

        It’s like renting a room from me and putting your wifi router in it, so it broadcasts a signal to the world. My room is locked, but if you don’t password protect your wireless signal, anyone walking past can get online.

        🙂

  8. Anonymous says:

    As long as software and websites are being made by human beings, they will be hacked!

  9. Joe Black says:

    Question, and that’s all this is: how many instances of website intrusion / defacement / back-end manipulation etc (read: hacking) can be attributed to inexperienced or unskilled fly-by-night developers?

    By this I mean people unfamiliar with proper permissions, people who implement CMSes without understanding the relevant security best practices, and people who use Joomla components foolishly i.e. slapping them on without security or slapping them on and changing permissions to make them work?

    I’m sure there IS a percentage from this group somewhere.

  10. Harrison Ford, Air Force One says:

    you are the funniest person here (lol)

    if you do not know why “Get” suggested my name …well i just talked about security issues a few days ago, especially about Sha, and someone from WebDev said i should send a CV if i want to tell them about my security issues/concerns about Sha.

    After a dialogue that was a complete waste of my time, I told the WebDev guy i will not bother to tell them anything and that when a hacking has happened that is when i will come back to say i told you so.

    You can read all about it right here on techzim, read comments on the page:

    http://www.techzim.co.zw/2012/02/zim-finance-ministry-taken-down-after-hacking/

    I only just got on the internet for the first time today right now, and i am laughing and telling everyone about it.

    How i laugh now. I am wriggling on the floor with pain from laughter and plenty of tears of laughter right now.

    You see, i have no computer science degree but i know what i am talking about! Even Zuckerberg was not a graduate of Harvard yet when he coded Facebook.

    These hackings, in my ,will always keep happening for as long as the Zimbabwean website companies behind them continue with their arrogance which leads to ignorance.

    The guy from Webdev claimed that their Herald site had never been hacked since they took it over which i expressly rubbished as being the gospel. And what has happened now? Just because a site was not hacked under your care, even if that is true, it does not mean it can never, it may!

    How can someone from WebDev then tell me, after offering me a $$ reward if I suggest a security loophole on their site, and i agree, come back and say you should send a CV?

    Heck, what for?

    I can send a security issue to Facebook right now and they will not question me if i am from an Ivy League school. Their own experts will look into what i would have said.

    Fact that i would be required by a big company like WebDev, who built and hosted the now hacked Herald site to send a CV is, to me, testament and testimony that they are short of experts, especially considering that Sha itself is a joomla site with a plug-in and not something they coded themselves.

    Zuckerberg, who coded facebook does not ask people for CVs to tell facebook about security loopholes etc.

    You only ask for CVs if you do not have the experts who can look into the security issues.

    If you just build joomla sites without understanding the code, certainly, you will ask me for a CV to find out if i am a PHP guru, or to convince yourself that i know something.

    If you have your own gurus, if i tell you what the security issues are, then those experts you have should look at what i said rather than ask me for a CV as if i am looking for a job.

    I am not on Sha, and with good reason.

    I still stand by my words that it is not safe and i will not apologize. I will not bow down to threats or pressure. If it means we go to court we can and i can reveal everything answering the judge and it will be in the papers in no time. The whole world will know like in 1 second flat.

    Would you not expect the high-profile Herald to be as safe and secure as “Sha”?

    Like i said before, i leave them to find out for themselves. i will not send any CV. It is none of my business if any of their sites is not safe or secure and i know something.

    In some countries, people post loopholes for the whole world to see, whether they have degrees or not. Maybe it is stuff like that that will wake up some of these web-design people.

    I have nothing against Webdev, in fact, i appreciate their creativity, and i have been to their internet cafe (with a friend – never used it though. Kune yandinoziva inoita $1/hour).

    Already, Webdev is earning a reputation for itself in the league of companies that build sites that are hacked.

    I think i need not go any further except to say of course i expect one of their own to come and be defensive rather than be objective.

    You can never help people like that or suggest anything to them.

    I WILL NOT RESPOND TO ANYTHING ANYONE SAYS. I SAID ENOUGH LAST TIME.

    1. Get your $50 website here :) says:

       MA1

    2. kthaker says:

      Harrison! i was wondering why you were so quiet, i thought you might be raiding someone’s lost ark or something!

      you are right to a certain extent, but i think you need to tone it down a little. your posts are getting a little boring now. these kinds of forums are supposed to be constructive, however you seem to be quite an angry person about a lot at the moment.

      good luck with those crystal skulls dude 🙂

    3. ngth says:

      You really seem to have a grudge against sha… do you feel they stole your idea or something?  Judging by the number of users on sha I cannot imagine it makes Webdev much money, more a community project, and has probably cost a fair bit to develop.  If I was them I would be more concerned with their big earners like classifieds.

      Why do you take such offense at being asked for a CV?  The comment in the other page you linked to asked for a quote or CV, i.e. how much will you charge to fix it and can they see your qualifications maybe there is a permanent job in it for you (though judging by your aggressive reply I doubt there is now).  All they know about you is what you have said in the comments here, not even a real name.

      If you can show them security flaws I am sure they will work with you on them regardless of qualification, but they are a large company and protocols on hiring employees and contractors have to be adhered to.

      Techzim, how about going back to Facebook Comments 😀

      1. Infinisys says:

        Herald hacking was nothing to do with webdev security, js like stock exchange site. 

      2. Harrison Ford, Air Force One says:

        You really seem to have a grudge against sha… do you feel they stole your idea or something? Judging by the number of users on sha I cannot imagine it makes Webdev much money, more a community project, and has probably cost a fair bit to develop. If I was them I would be more concerned with their big earners like classifieds.

        If I see a neighbour sailing off with a cruise liner I know will sink and I tell him his ship is not safe and then he asks me for an engineering degree and even says I just do not want him to enjoy himself. Well, he can sail to his death.

        Why do you take such offense at being asked for a CV? The comment in the other page you linked to asked for a quote or CV, i.e. how much will you charge to fix it and can they see your qualifications maybe there is a permanent job in it for you (though judging by your aggressive reply I doubt there is now). All they know about you is what you have said in the comments here, not even a real name.

        I don’t need a job there, and not so long ago they were recruiting. If I wanted a job I would have said so. I am doing just fine right now.

        If you can show them security flaws I am sure they will work with you on them regardless of qualification, but they are a large company and protocols on hiring employees and contractors have to be adhered to.

        Then they are definitely gonna have to do away with those counterproductive protocols.

        Even if we go back to Facebook comments, I would still say the same thing. So far I haven’t said, or even hinted what their security loophole is even though using a character name.

        If I was using my real name I would make sure to reveal the whole loophole, and I wouldn’t care what happens to them because even my name and reputation would be on the line. I would get street cred as the man who showed just how unsafe and insecure ….is even without first telling the world my CV. The whole world will believe what I tell them.

        And what’s to stop me from just posting the entire information about the loophole on another blog not Techzim? They should be thankful I haven’t done so.

        ANYWAY, AS LONG AS PEOPLE CONTINUE TO ACCUSE ME OF HAVING BEEF WITH WEBDEV AND EVEN WEBDEV ITSELF CLAIMS SO, I AM GOING TO KEEP MY MOUTH SHUT AND WHEN SOMETHING HAPPENS I WILL SAY I TOLD YOU THE THINGS WASN’T SAFE.

        I CANNOT BE TOLD TO SEND A CV TO GET JUST A $1 REWARD. THAT IS NONSENSE!

        IF YOU READ MY COMMENTS, I WOULD HAVE SENT THE INFORMATION IF THEY HAD ASKED FOR IT, BEFORE THEY EVEN SUGGESTED “$$”. WHEN ACCUSATIONS OF ME HAVING BEEF WITH WEBDEV OR SHA STOP, THAT IS WHEN I WILL SEND WEBDEV THE INFORMATION, AND FOR FREE. I NO LONGER NEED A $1 REWARD AS RECOGNITION. I WILL CONTACT THEM AT MY OWN EXPENSE. WEBDEV BETTER FIND WAYS OF RESPONDING TO QUERIES AND COMPLAINTS FROM PEOPLE OTHERWISE IF THEY KEEP BEING DEFENSIVE RATHER THAN BE PRO-ACTIVE, I WILL SHARE NOTHING I FIND ABOUT THE GIANT BLACKHOLE I FOUND ON THEIR SITE, OR ANYTHING ELSE I MAY FIND.

        I HOPE NOT TO HEAR ANY MORE ACCUSATIONS WHEN I HAVE EVIDENCE OF SOMETHING FAULTY WITH THEIR SITE.

        LASTLY, I AM NOT ON SHA.

        -THIS IS THE ULTIMATE END OF THE SHA SECURITY DISCUSSION –

    4. Harrison Ford, Air Force One says:

      You really seem to have a grudge against sha… do you feel they stole your idea or something? Judging by the number of users on sha I cannot imagine it makes Webdev much money, more a community project, and has probably cost a fair bit to develop. If I was them I would be more concerned with their big earners like classifieds.

      If I see a neighbour sailing off with a cruise liner I know will sink and I tell him his ship is not safe and then he asks me for an engineering degree and even says I just do not want him to enjoy himself. Well, he can sail to his death.

      Why do you take such offense at being asked for a CV? The comment in the other page you linked to asked for a quote or CV, i.e. how much will you charge to fix it and can they see your qualifications maybe there is a permanent job in it for you (though judging by your aggressive reply I doubt there is now). All they know about you is what you have said in the comments here, not even a real name.

      I don’t need a job there, and not so long ago they were recruiting. If I wanted a job I would have said so. I am doing just fine right now.

      If you can show them security flaws I am sure they will work with you on them regardless of qualification, but they are a large company and protocols on hiring employees and contractors have to be adhered to.

      Then they are definitely gonna have to do away with those counterproductive protocols.

      Even if we go back to Facebook comments, I would still say the same thing. So far I haven’t said, or even hinted what their security loophole is even though using a character name.

      If I was using my real name I would make sure to reveal the whole loophole, and I wouldn’t care what happens to them because even my name and reputation would be on the line. I would get street cred as the man who showed just how unsafe and insecure ….is even without first telling the world my CV. The whole world will believe what I tell them.

      And what’s to stop me from just posting the entire information about the loophole on another blog not Techzim? They should be thankful I haven’t done so.

      ANYWAY, AS LONG AS PEOPLE CONTINUE TO ACCUSE ME OF HAVING BEEF WITH WEBDEV AND EVEN WEBDEV ITSELF CLAIMS SO WHEN I HAVE EVIDENCE OF WHAT I AM TALKING ABOUT AND I CAN PROVE IT, I AM GOING TO KEEP MY MOUTH SHUT AND WHEN SOMETHING HAPPENS I WILL SAY I TOLD YOU THE THINGS WASN’T SAFE.

      I CANNOT BE TOLD TO SEND A CV TO GET JUST A $1 REWARD. THAT IS NONSENSE!

      IF YOU READ MY COMMENTS, I WOULD HAVE SENT THE INFORMATION IF THEY HAD ASKED FOR IT, BEFORE THEY EVEN SUGGESTED “$$”. WHEN ACCUSATIONS OF ME HAVING BEEF WITH WEBDEV OR SHA STOP, THAT IS WHEN I WILL SEND WEBDEV THE INFORMATION, AND FOR FREE. I NO LONGER NEED A $1 REWARD AS RECOGNITION FOR MY SUGGESTION. I WILL CONTACT THEM AT MY OWN EXPENSE. WEBDEV BETTER FIND BETTER AND PRO-ACTIVE WAYS OF RESPONDING TO QUERIES AND COMPLAINTS FROM PEOPLE, OTHERWISE IF THEY KEEP BEING DEFENSIVE RATHER THAN BE PRO-ACTIVE, I WILL SHARE NOTHING I FIND ABOUT THE GIANT BLACKHOLE I FOUND ON THEIR SITE, OR ANYTHING ELSE I MAY FIND.

      I HOPE NOT TO HEAR ANY MORE ACCUSATIONS WHEN I HAVE EVIDENCE OF WHAT I AM TALKING ABOUT. AS IT IS, I CANNOT GIVE YOU EVEN A HINT OF WHAT IT IS BECAUSE OTHER PEOPLE WILL EVENTUALLY FIND A WAY OF “ABUSING” THE SITE. I HOPE YOU UNDERSTAND THAT. I CAN’T JUST TELL WEBDEV WHAT THE PROBLEM IS, AND/OR OFFER THEM HOW TO MAKE THEIR SITE SAFER, WHEN THEIR EMPLOYEES COME HERE AND BASH ME AND CLAIM I HAVE SOMETHING AGAINST WEBDEV OR SHA. THEY SHOULD DEAL WITH THEIR ATTITUDE FIRST, AND THEN I WILL HELP THEM. IT IS ALSO OK NOT TO GET MY HELP, OR SUGGESTION.

      LASTLY, I AM NOT ON SHA.

      -THIS IS THE ULTIMATE END OF THE SHA SECURITY DISCUSSION –

  11. Sam Takunda says:

    Hacking does happen, but the situation is not “that” hopeless: file permissions, updating hastily on zero-day vulnerabilities, waiting for a bit before any updating until it’s considered stable (look what happened to wordpress with timthumb.php last year) and using premium themes/templates which are maintained by their developers if you are not a code monkey.

    If hacking was totally unavoidable in all the possible ways, then there wouldn’t be amazon, paypal, ebay,and Facebook since no one would pay to advertise because hackers will get all your credit card details and order a nuke using them. Yes loopholes will always be there but they can always be sealed if the people behind are willing.

    1. kthaker says:

      most people don’t understand that there is a difference between end user web hosting, and hosting for sites like facebook, paypal etc. those major websites do not have to provide FTP, MySQL or anything else to you, except a login page, and a web based platform for you to use.

      they host a single application that can be modified, secured and maintained regardless of you and your needs. they do not need to give you file or database access etc.  

      also, they do not host multiple web CMS’s like wordpress, joomla, drupal and some other php homebrew from different people on the same web server… while providing ftp, mysql, control panels etc to end users who change, update, modify and remove content via CMS backends all the time which really is out of the web hosting companies control.

      ultra secure web hosting is available if you want it… BUT.. it will not be cheap, and will be extremely limited in access to an end user who maintains a website. so…. sometimes, it’s really about creating a balance between cost, reliability, performance and overheads.

  12. ngth says:

    While I am not trying to justify shoddy development and hosting work (if this is the case), I think it is important to note that many high profile sites get hacked regularly, just over SOPA anonymous took down or defaced FBI, Motion Picture, RIAA, UFC, SONY etc etc.

    What is important is that the host has monitoring systems and up to date backups and can quickly redeploy the site so business can resume as normal. Ideally don’t get hacked but have a backup plan just in case.

    How long was the Herald offline or displaying these links?  I notice the Zim Treasury site is still offline.

  13. Anonymous says:

    Guys and girls, let’s have a clear mind so that we can define who is at fault here. A hosting site is carrier of every site on their servers through virtualisation. To them, a client’s website they are hosting is just like another folder on their servers. What goes on in that folder might not be of their concern as long as it is online and available to the responsible user.

    The virtualised site (read folder) can accumulate as much nasties as it wants and the webhost might not give a toss as long as it conforms to SLA and does not spill into their servers which is very rare.

    Now it’s up to the website owner to make sure that your site is secure, how you do it is also up to you.

  14. Harrison Ford, Air Force One says:

    You can secure your site, have the right CHMOD permissions for files and folders, have the latest and up-to-date security plug-ins or extensions, password protect directories, have a very safe and secured server, and still have problems the type of the Herald online. After a long post above, I am not going to write another long comment and therefore I won’t get into much detail; suffice to say that as long as people cannot understand or write code, they will always have problems the type of the Herald online. I have found that most of the time, in the cases like that of the Herald online, it is the code that is an issue.
