A Joomla vulnerability allows the hacker to deface the websites of a Web hosting company's customers in one go

Feb 13, 2016 23:30 GMT

Tobitow, a member of Team Hack Argentino and Anonymous Argentina, has exploited a vulnerability in the Web hosting service of Webafrica and defaced 2,532 South African websites.

This mass defacement is part of #OpAfrica, an Anonymous social campaign that aims to bring to attention the situation of child labor and government corruption in African countries.

The campaign started with hacks against the Rwanda and Uganda governments. Then came the hacks against a South African job portal and, eventually, the South African Government Communication and Information System (GCIS).

Hacker targeted only one Web hosting company's customers

On Friday, February 12, the previous Anonymous hackers were joined by Tobitow, who, despite being from Latin America, apparently discovered a problem with the shared hosting service provided by Webafrica and took advantage of this issue to deface thousands of websites with a message supporting the #OpAfrica campaign.

Webafrica call center employees confirmed the incident to local South African tech news site MyBroadband.

Right after the hack, Tobitow started posting links to all defaced websites on his Twitter account, but eventually got bored and dumped about 600 of the URLs in a CryptoBin paste.

South Africa's CSIRT team issued a national alert

Another local South African tech news site reports that the Computer Security Incident Response Team of South Africa (ECS-CSIRT) has even put out an official advisory about the incident, warning system administrators about the ongoing attack. At the time of writing, the advisory has been removed from ECS-CSIRT's website, but htxt.africa took a screengrab.

"The NC - CSIRT team is alerting all organs of State to pay special attention to public facing websites and databases," the ECS-CSIRT advisory reads. "The methods used are SQL injection and Website defacement on unpatched server operating systems."

Softpedia has contacted Tobitow to inquire if he accessed or stole any user information from the breached websites or from Webafrica's database. We'll update the article if the hacker wishes to provide these details.

A peculiar thing about this campaign is that Tobitow used a custom-made image for the defacement message, one that Softpedia put together to promote one of our previous articles.

UPDATE: Tobitow has told Softpedia that the ECS-CSIRT advisory is wrong and that he used a Joomla vulnerability to access all the defaced websites, not an SQL injection. The hacker has also revealed that he did not steal any of Webafrica's customer data or anything from the defaced websites.

"[W]hat matters here is the message that reaches people around the world not only to the websites of sudrafica and africa [sic]," Tobitow told Softpedia.  

Webafrica hack (3 images): defacement message left on all the sites; part of the list of defaced websites; ECS-CSIRT official advisory.