In mid-February, hackers were able to access several websites hosted on one of Afrihost’s shared hosting servers, and started defacing them.
Calling themselves Y3AR6.ORG and Myrido on the Mirror-H hack reporting service, the attackers appear to have targeted the server since 17 February – when they defaced six sites.
The server in question has the IP address 126.96.36.199, which hosts 524 domains according to ViewDNS.
Initially, the attackers uploaded a calling card to the sites they hacked – a page that mocks the “system administrator” for their poor security.
Defacements continued until 25 February, using the same calling card with the message: “WuRKâC-TéâM // HaCKeD MyRido”.
Fresh wave of attacks
The attacks stopped until 23 March, when the hackers returned to deface several sites by changing their title tags to malformed text.
On a handful of sites, the hackers wiped the home page and left a message in text: “HACKED MYRÝDO KARAHAN KARTALÝ – MYRÝDO – BY_AGENT – BY_UMUT CONTACT: www.facebook.com/zbay11”.
Mirror-H reports that the Afrihost server was hit 197 times. In total, 83 unique domains were hit over the course of five weeks.
Afrihost’s server was not hacked
Afrihost said it is important to distinguish between a server being hacked and a website being hacked.
“Our server was never compromised,” said Afrihost.
“We are investigating the specifics of the reported website intrusions, but can confirm that most, if not all, of the sites that were compromised were WordPress sites.”
Afrihost said its sets WordPress installations to force automatic upgrades.
“However, this only affects the WordPress core. All the sites we’ve checked have on average over five updates available for plugins and themes,” it said.
“We suspect that is the point of intrusion.”
Afrihost said it does its best to scan for compromised sites and generally it becomes aware of them before clients do.
“However, we do rely on clients to work with us to report any compromised sites so that we can quarantine them and minimise the risk to other clients in the same environment.”