Virtualpetlist.com p0wned, But Recovering
The following is a guest post by Carlos Andrade, owner of virtualpetlist.com, who is still recovering from a webmaster’s worst nightmare: a hacked website.
Hello everyone,
Here is a story I’d like to share with you guys and I hope you guys can relate to it and learn a few things as well.
I’ve trusted someone over the years to help me administer our server, however; in June of 2009, this person decided to screw us over. Not only did he wipe-out our backups, he broke into our email accounts, stole our domain names, hacked my PC, and stole our hosting account (with ThePlanet). Taking over our server and website was not enough. My passwords were saved in notepad file on my PC which he was also able to take control of, giving him control of my gmail accounts, one of which was associated with my Google Adsense account. It turns out my PC was easily hacked via Windows Remote Access, no firewall, and “easy” passwords.
After this incident occurred the virtualpetlist.com community thought that we sold out, see VPL hacked?, and we were faced with a decision of getting the site back online or giving up and staying down. I wanted to stay down because my personal life was in a shambles (got in a car accident and lost it all) and things were piling up on me faster than I could handle.
After talking it over with one of my fellow administrators (also, co-owner, EBK) we decided to not only to get back online, but to fight-back. With the help of our user-community we compiled the evidence against our little wanna-be hacker Haywire, and we submitted it in to the FBI via IC3.
“Easy” passwords like fjvjvd1kfkw will not work on today’s internet. You need passwords that contain symbols such as; 223jd%%#<>*@sD, the harder the password, the harder it is for someone to break in and steal your information. Also, do not ever give out your server passwords to anyone and be very selective of who you trust to work on your system.
I thought I was safe, but I wasn’t. I thought my website was safe, but it wasn’t. So, remember fellow webmasters: Only trust your real friends and use good passwords!
Thank you for giving me the opportunity to speak my mind Randy!
Regards,
Carlos Andrade (cpvr)
____________________
About Carlos:
Carlos Andrade (AKA “cpvr” and “ForgottenCreature”) is webmaster/owner Virtualpestlist.com and has also owned other websites such as “Myspace Hun” and “Virtual pets blog”.
If you are interested in submitting your own guest post (and getting some free link-love), send a request via my contact-page.
One can never be safe online, really. Hackers are finding more and more ways to get personal and confidential information, to the detriment of the users. We should all be vigilant and try as hard as we can to ensure the security and safety of our data. Your tip on passwords is definitely useful. Good luck with your fight against Haywire!
i thought i was being paranoid by using more than 20 digits password
this post really helps and assure me that i was in the right track about interwebs security
Do you know what lesson I am learning from reading that post? Don’t trust anybody to help you with your blog or site because they will screw you over.
Since he’s mentioned by username, I’d like to help clear their name and say that I’m 75% sure the ‘hacker’ was not guilty. After years of loyal service, most server admins don’t just decide to betray a site for no apparent reason.
I strongly believe that a third-party was involved and hope that their identity is discovered as soon as possible. This way, the matter can truly get resolved and VpL can return to normal.
Anonymous: logs don’t lie and stolen identity doesn’t account for anything. Was done by one guy and we can’t provide more evidence due to the legal front on this issue.
I’m beginning to seriously think that this hacking was staged for publicity.
Not staged. Why would I stage it? My email accounts, everything was stolen.
Zander Schmautz”, he stays in Vancouver, BC.
His brother is “Ryan Schmautz”, and also stays in Vancouver, BC.
They still in Canada, but I’m just waiting on an email back from the FEDS.
And why would I waste my time to launch back on them? http://www.virtualpetlist.com/blog/2009/07/virtual-pet-list-addresses-verpets-ownership/
http://www.virtualpetlist.com/blog/2009/07/virtual-pet-list-addresses-verpets-part-2/
Surely enough, he was using our evidence thread as a backbone, so we removed it from the public – and also sent google’s legal team messages regarding this guy.
You don’t destroy my accounts, and my community and expect me to fail and bow down, do you?
Similar things have happened in virtual pet sites when an owner wants to relaunch a website…
Also, I think “http://adoptpetsonline.com/boards/general-chat/8-controversy-virtual-pet-list.html” describes the situation very well.
Here is more information virtual pet list’s press release