Yesterday morning, we were tipped off that some YoAfrica-hosted websites had been hacked. It was just 2 websites, so we figured it wasn't anything to worry about, but we contacted the company nonetheless and told them about it. As the day progressed, a few more people told us their websites had been hacked, and checking where they were hosted all pointed to YoAfrica servers. Well, one server in particular. We kept YoAfrica informed of these developments through the day.
Then, at the end of the day we decided to check which other websites the server hosted and we got quite a list of defaced websites. The following:
All websites were hacked by the same “Turkish” hacker called “ynR” (see screenshot above and below). We submitted the list to YoAfrica this morning when we discovered that the websites remained defaced and active. The sites being active a whole day after we notified them of the first signs of a problem was something of a surprise, and, quite frankly, a worry as well. See, usually when you advise a web host of a hacking issue, you expect them to immediately switch the hacked website off, block the hacker's IP addresses, and advise the hacked client to fix the issue.
It’s important to note that not all websites on the server were hacked; in fact the majority of the sites we checked were not. This points to the fact that the hacking is at the site level. Of the hacked sites, the few we checked before publishing this story have been restored, which is great, but if the owners of the sites do not fix the issues, then another surprise lurks in the woods.
Asked for comment on the issue, YoAfrica sent us the following:
There are constant, multiple attacks on web servers everywhere, particularly on weekends. Websites whose admins have allowed public write access to website files and folders are always vulnerable. This situation usually occurs with free Content Management Systems such as Joomla and WordPress.
Our customers (or their agents) have unfettered access to modify folder permissions to their liking and specifications, and any folder misconfigurations are a result of this access.
We are implementing a monitoring system to assist our clients in making the best decisions regarding folder permissions and security, in the hopes of preventing continued customer vulnerability.
YoAfrica will continue to provide affordable and reliable shared hosting systems, and will endeavour to keep clients, and the tech community at large, aware of security best practices regarding their web applications and folder permissions.
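The "public write access" condition the statement refers to is something a site owner can check for in their own document root. The script below is an added example, not code from YoAfrica or from the original article; the sample tree, its file names and the suggested modes (the current mode with only the public-write bit removed) are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_webroot(root):
    """Return (relative_path, kind, current_mode, suggested_mode) for every
    file or directory under root that any local user may write to."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)               # lstat: do not follow symlinks
            if stat.S_ISLNK(st.st_mode):
                continue                      # a link's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:           # the "public write" bit (o+w)
                kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
                findings.append((os.path.relpath(path, root), kind,
                                 oct(mode), oct(mode & ~stat.S_IWOTH)))
    return sorted(findings)

def build_sample_site():
    """Constructed sample tree standing in for a CMS document root."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {"index.php": 0o644, "config.php": 0o666,
              "uploads": 0o777, "includes": 0o755}
    for name, mode in layout.items():
        path = os.path.join(root, name)
        if "." in name:
            with open(path, "w") as fh:
                fh.write("<?php // sample\n")
        else:
            os.mkdir(path)
        os.chmod(path, mode)   # chmod explicitly so the umask cannot hide bits
    return root

if __name__ == "__main__":
    # Report each publicly writable entry with its mode minus the o+w bit.
    for rel, kind, cur, fix in audit_webroot(build_sample_site()):
        print(f"{kind:4} {rel:12} {cur} -> {fix}")
```

On a real site, pass the document root path to `audit_webroot` instead of the constructed sample tree.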
Here’s another screenshot (the second half of the hacked page):