A few days ago I got a tweet that my personal blog was hacked. I checked it out and found an animated Turkish flag and some text where my blog used to be. My hosting company had already noticed what had happened and only minutes later everything was back to normal again.
The WordPress install that I used on my personal blog turned out to be old and vulnerable. The hacker had managed to replace my private email address with a temporary Hotmail address and used that to gain access and replace my index.php file.
At first I shrugged it off and was ready to forget about the whole thing but then I decided to email the hacker and ask for an interview. I was wondering why he picked my blog, what his goals were and why he used that Turkish text and flag.
I didn’t expect any answer but within a few hours the hacker replied and agreed to an interview via MSN.
Here it is, verbatim:
Sorry, was busy for a moment there. So how are you today?
Fine and you?
Very good. Can I ask you a few questions about hacking my blog? Will use it for a blogpost on TheNextWeb.com
Yes you can
Cool. First: how did you do it?
Well, I used a vulnerability to bypass the admin account.
A vulnerability in an old version of PHPMyAdmin, right?
No, in the WordPress itself.
Really? Cool. And that allowed you to reset the master email address?
So how did you find out my blog was vulnerable and why did you pick my blog?
Well, I just searched with Google some blogs and I found yours.
You searched for blogs running older versions of WordPress? There must be millions of those right?
Yes, but they are not all vulnerable and I didn’t hack just your website.
Ah, so how many websites do you hack a week and how many have you hacked in total?
Well, in total I don’t know but in a week if I have time I can hack a maximum of 50 thousand websites, it depends if I found a vulnerability or not.
50,000 websites??? Amazing! So why do you do it?
Well, we are a hacking team so we do this to protest against some things, for example the last month I think there was a genocide against the Uygurs in the west of China and we just hacked around one thousand websites of the Chinese government.
Our web page is: www.ayyildiz.org
On my website you replaced my blog with a Turkish text (which I couldn’t read) and an animated GIF of the Turkish flag, right? What was that for?
Well, it was a power demonstration operation against our enemies so that’s it.
Enemies? Who are your enemies then? Are they Turkish?
Well, we have a lot of enemies, our biggest enemies are Russian hackers and Brazilian hackers.
How much traffic or attention does it get you to hack blogs? I mean, it seems not so effective to go through all the trouble of hacking blog and then displaying a message that only Turkish people can read, right?
Yes, of course you’re right, but it was because of a power demonstration, we hacked the United Union this year and there was a message to them, if you want you can search about it, I saw it in the European press.
Okay, that sounds like you could learn a lesson in marketing if you ask me. If I would hack 50,000 blogs a week I would make sure to have a multi-language message there, a link to my website and a cool design. Next question: do you know how long blogs stay hacked on average? My host restored my blog within the hour and I’m wondering how long it generally takes before blogs get restored?
Well, it depends, in general it takes 2 or 3 days.
Do you have a link to a blog you hacked this week that hasn’t been restored yet?
Wait a moment I will look.
There is one I think: http://www.serviaduanas.com/
Are you ever ashamed or burdened for causing so many people so much trouble? I’m sure you really ruin some people’s day, or even week, with this. Doesn’t it ever bother you?
Well :D, actually if I don’t hack those websites some other people will find the vulnerability and hack it so I don’t think about it. But yes I know it ruins some people’s day because I had also a website hacked.
That really isn’t a good excuse right? You can always make the personal choice not to do it. Just because some people steal doesn’t mean you have to do it too? But okay, next question: how old are you?
I’m 17 years old.
What are your plans for the future?
Well, I’m a student and I’m in the economics section of my school, in the future I would like to be a broker or something like that but I won’t stop hacking because it’s just like a game for me.
A game that could get you jailed and annoys a lot of people? Next question: You mentioned that you were surprised that I contacted you. Why? How many people contact you when their blogs get hacked?
Well, generally if somebody contacts me he or she just insults me and his or her situation becomes more bad. So yes I was surprised to be contacted for a short interview.
I see, and if they insult you you take that as an invitation to hack them again?
There’s an article about the UN but it’s Turkish: http://www.haberturk.com/haber.asp?id=161133&cat=180&dt=2009/07/27
Well, yes and sometimes I just bomb their e-mail account so that they can’t use it more.
You sound like a skilled hacker. Don’t you think you could use those skills for more interesting stuff? Like starting a company online or working as a developer?
Yes, of course I think I can start a company but for starting a company we need time and that’s the biggest problem, as I’m a student I have to study.
But you do find the time to hack 50,000 websites a week? :-) So, thank you for your time. Is there anything you would like to tell me or our readers?
Well, I thank you too for spending your time and no I don’t want to say something special to your readers.
Well, I do have one last request: please don’t hack me anymore…