More than 30 YoAfrica hosted websites get hacked at same time

L.S.M Kabweza

[Screenshot: hacked website]

Yesterday morning, we got tipped off that some YoAfrica hosted websites had been hacked. It was just 2 websites so we figured it wasn't anything to worry about, but we contacted the company nonetheless and told them about it. As the day progressed, a few more people told us their websites had been hacked, and checking where they were hosted all pointed to YoAfrica servers. Well, one server in particular. We kept YoAfrica informed of these developments through the day.

Then, at the end of the day we decided to check which other websites the server hosted and we got quite a list of defaced websites.

All websites were hacked by the same “Turkish” hacker called “ynR” (see screenshot above and below). We submitted the list to YoAfrica this morning when we discovered that the websites remained defaced and active. The sites being active a whole day after we notified them of the first signs of a problem was something of a surprise, and, quite frankly, a worry as well. See, usually when you advise a web host of a hacking issue, you expect them to immediately switch the hacked website off, block the hacker’s IP addresses, and advise the hacked client to fix the issue.

It’s important to note that not all websites on the server were hacked; in fact the majority of the sites we checked were not. This points to the fact that the hacking is at the site level. Of the hacked sites, the few we checked before publishing this story have been restored, which is great, but if the owners of the sites do not fix the issues, then another surprise lurks in the woods.

Asked for comment on the issue, YoAfrica sent us the following:

There are constant, multiple attacks on web servers everywhere, particularly on weekends. Websites whose admins have allowed public write access to website files and folders are always vulnerable. This situation usually occurs with free Content Management Systems such as Joomla and WordPress.

Our customers (or their agents) have unfettered access to modify folder permissions to their liking and specifications, and any folder misconfigurations are a result of this access.

We are implementing a monitoring system to assist our clients in making the best decisions regarding folder permissions and security, in the hopes of preventing continued customer vulnerability.

YoAfrica will continue to provide affordable and reliable shared hosting systems, and will endeavour to keep clients, and the tech community at large, aware of security best practices regarding their web applications and folder permissions.

[Screenshot: the second half of the hacked page]
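YoAfrica's statement attributes the defacements to public write access on website files and folders. The following is an added example, not code from Techzim or YoAfrica, showing how a site owner could audit a document root for that condition; the sample file names and the temporary directory are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_world_writable(docroot):
    """Return sorted (relative_path, kind, mode, mode_without_other_write)
    for every file or directory under docroot that 'other' can write to."""
    findings = []
    candidates = [docroot]
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        candidates += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in candidates:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits do not control access
        mode = stat.S_IMODE(st.st_mode)
        if not mode & stat.S_IWOTH:
            continue
        kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
        # Minimum fix: clear only the other-write bit (same as chmod o-w).
        fixed = mode & ~stat.S_IWOTH
        rel = os.path.relpath(path, docroot)
        findings.append((rel, kind, "%04o" % mode, "%04o" % fixed))
    return sorted(findings)

def build_sample_site():
    """Constructed sample tree: one safe file, one 0666 file, one 0777 dir."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {"index.php": 0o644, "wp-config.php": 0o666}
    for name, mode in layout.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)  # chmod ignores umask, unlike open()/mkdir()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    with open(os.path.join(uploads, "logo.png"), "wb") as fh:
        fh.write(b"constructed")
    os.chmod(os.path.join(uploads, "logo.png"), 0o644)
    os.chmod(uploads, 0o777)
    return root

if __name__ == "__main__":
    for rel, kind, mode, fixed in audit_world_writable(build_sample_site()):
        print(f"{kind:4} {mode} -> {fixed}  {rel}")
```

Point `audit_world_writable` at a real document root to get the same report; it only reads metadata and changes nothing.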

32 comments

  1. Concern Shoko

    Seems some hackers on Xmas leave (from their normal jobs), suddenly have nothing to do with their time…or shld i say they are bored and needless to say, African websites are easy targets…

    1. MM

      indeed these guys are targeting african sites they know IT investment is low in African board rooms

  2. Infinisystech

    ill bet they were all joomla websites, com_jce, com_user or the html editor compromised, and im sure its not the latest joomla version

    1. L.S.M. Kabweza

      No actually. Some Drupal & some WordPress

      1. WebDesigner7

        Thanks for confirming that

      2. Infinisystech

        so i guess its at the server level if its cutting across frameworks, but il still bet it started through joomla and propagated to others, kikiki

      3. moduledev

        I say again YoAfrica servers don’t know how to issue a simple 403 forbidden let alone detect bad robots

      4. moduledev

        The velocity (number of hits p/s ,p/m etc) from the same IP address was flag enough to raise suspicion asi unoudza ani

    2. tinm@n

      fixation with joomla-bashing. (shaking my strange head)

      1. WebDesigner7

        agreed, it usually comes from people who don’t understand joomla very well

        1. Infinisystech

          i know joomla more than anyone in zim, hence citation of com_jce, com_user , i keep up with the trends

          1. tinm@n

            what a childish declaration

            1. Member

              lol

          2. moduledev

            Please describe exactly the vulnerabilities on the mentioned components and lets see how far u know Joomla

            1. Infinisystech

              lol, i was js messing with you guys, im not the best joomla developer, im just the best developer in any language

          3. Concern Shoko

            Thats NAIVE and ILL-ADVISED!!!

          4. Tapiwa ✔

            L.o.L. – and modest too. Mind sharing your website? I assume it’s the most secure in the country: the rest of us mere mortals could learn a thing or two. 🙂

  3. WebDesigner7

    The lack of urgency they treated the matter with is shockingly unprofessional and to have the audacity of blaming the clients instead of apologizing and rectifying the situation is bad. I have a client whom I advised to change web hosts. This was after receiving poor support pertaining to a hosting issue. Thanks Techzim for covering the article and updating the tech community. I hope YoAfrica improves but, i personally would wait a very long time before i recommend anyone to host with them

  4. GlobalPing

    come host with Globalping we dont get hacked 🙂 and our rates are better than yo. sales@globalping.co.zw

    1. tinm@n

      oh wow! cool! u dont get hacked… I bet my hairless bum, you also SPAM very well!

    2. Concern Shoko

      Have you tried your website contact-us form and see what happens???

    3. Robasta

      dude, u not serious!

    4. Anesu Michael Maposa

      He doesnt get hacked he gets suspended. How come your own website is suspended? You cant even pay your own hosting bill?

  5. Member

    Used to host with yoafrica, each time they were hacked they would blame joomla, funny enough most of my sites hacked were plain html. so I MOVED OUT. they got many issues but in most cases they blame clients. word of advice, anyone in need of serious hosting, consider going international, it will save a lot of talking talking…

    1. Infinisystech

      dude, you will still get hacked on international, worse still some of em like go daddy will js kwachura yo site and tell you to go hang coz your compromised site might affect others, no back up, no sorry

      1. Concern Shoko

        You can try us at http://www.mega24.co.za

      2. Member

        Fortunately ever since I moved there was never any hacking experience. 3 years no hacking no what, if there is any security issue they inform me in time to fix it friendly, They had never blamed me on anything, lots of discounts with SUPERIOR service and support. Anytime I want help I go to their live chat but with yoafrica you will be told until the right guy comes in and sometimes it seemed the right guys are part time etc. At the end of the day, it is business and the choice remains with the developers and clients. Those who feel they are having a great service let them use it and those think otherwise are free to move. Also same with airing your opinions.

  6. Tich

    I checked most of the sites and I noted that most of them have not been compromised. One or a few sites on the server were actually hacked and the host IP 196.44.176.55 was blacklisted. It’s unfortunate that some innocent clients would have to suffer until YoAfrica applies for whitelisting of this IP. All having said, YoAfrica has to up their game when it comes to security.

  7. allan

    blaming file and folder permissions. rookie move there yoafrica!

  8. anthonysomerset

    It will likely be poorly maintained websites so scripts/frameworks out of date (not updated) and then coupled with what seems a lack of proper security config on YoAfrica’s part to blame – the fact that users are needing to give world write permissions in the first place suggests YoAfrica are making some fundamental mistakes with their hosting platform

    I manage websites and infra for a living and if i were to even behave remotely like YoAfrica, i would be out of business very quickly – Seems their customers need to vote with their wallet – unfortunately my guess is that most of those hacked dont know much about internet security and will believe what YoAfrica tell them

  9. Anesu Michael Maposa

    Truth of the matter is website owners forget that a website is a work in progress. People don’t set aside budgets for website maintenance so the sites are set aside after they are done, that’s why they fall into these problems. Even if you don’t service your car, it will pack up one day.

2023 © Techzim All rights reserved. Hosted By Cloud Unboxed