Defaced by Mosavi1986

Mosavi1986I bloody pissed today. Not one but two of my sites was defaced by someone or some organisation that goes by the name Mosavi1986. One of the common defaced sites will look like the screenshot on the right. Basically the defaced website will say:

Special Thanks to Nobodycoder
A Hacker from Iran
and a Help with the link pointed to

I did some investigation and soon found that both the sites were on Mambo and Joomla respectively. I took a closer look and noticed that while most of the site structure remains intact and untouched, the configuration.php file was 328kB in site. As far as I could remember, the file should be no more than 4kB in size. I checked my other mambo sites and true enough, sizes varies between 2kB and 3kB.

Now, I am in a rut because I have no backup of my sites. I just assumed that my webhost will take care of that. Boy, was I wrong. Here’s how I recovered my sites:

  1. Copy an existing configuration.php file to my local machine
  2. Edit the configuration.php file to reflect the affected site. Here, typically, you need to set your MySQL data and other site information. Pay attention to the site’s path.
  3. Delete the affected configuration.php file (the one that is 328kB in size)
  4. Upload the edited file to your webhost

Note: if you have forgotten your MySQL password, simply access to your cPanel, delete the MySQL user and re-create again.
2 lessons learnt from this event. First, never set your configuration.php file permissions to 777 or 666. Make sure it’s set to 644. Secondly, backup, backup, backup. You just never know when you need that dreaded file.

If you like this:
  • Digg
  • StumbleUpon
  • Technorati
  • email
  • Facebook
  • Google Bookmarks
  • Print
  • Reddit
  • Twitter


  1. Robin said,

    April 23, 2006 @ 5:33 am

    Great, looks like I got hacked.

  2. TheHanna said,

    April 30, 2006 @ 1:44 am

    My personal website was hacked yesterday, April 28th. This person/organization is a Muslim extremist based in Iran. They took offense to my band’s website, He did no lasting damage though–It’s just more of an annoyance than anything. That leads me to believe it’s one person, rather than an organization, behind this.

    And about the permissions thing: Certain web apps (such as cutenews, a news service that I use on my sites) require you to have your permissions at 777.

  3. Gabe said,

    July 1, 2006 @ 9:22 am

    haha we got hacked as well… simple fix really… .htaccess was set to 777 and he moded it.

RSS feed for comments on this post · TrackBack URI

Leave a Comment

 Subscribe to

Buy Amos A Cup of Coffee

Locations of visitors to this page