Conclusion of my site hack
Thanks to either luck, skill, or the sheer bravado of the person(s) who hacked my site, I was able to track them down after just a few minutes of searching.
First off, after reviewing the logs it was quite apparent that the attackers had not rooted my server, just my WordPress installation. They had repeatedly attempted to upload images using the WordPress upload function, not realizing that I had deliberately not set up the upload directory on my server (I use Flickr for image hosting).
Denied in their quest to upload images, they instead created a post that linked to an image on an external site.
This is how my site looked when it was defaced:
Now here is where the luck/bravado comes in. The image linked to a Kazakhstani forum for parkour, of which I'm a huge fan. Despite the site being in Russian, it was powered by phpBB, so if you've created an account on one phpBB site, you've created one on all of them. From that point, it took just a few seconds to find the user whose profile picture matched the one on my site. Again thanks to the uniform structure of phpBB, I was able to figure out how to email the user I thought had defaced my site.
After a few back-and-forths, I presented him with my evidence about the hack. The IP of the machine he was emailing me from was not in the same Class C as the attackers': the attacker(s) came in from 88.204.203.88 and 88.204.174.118, both in the same Class C and both originating from Pavlodar, a city in Kazakhstan. The IP of the person I contacted was located in Almaty.
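The two pieces of log work described above (spotting the repeated, failing upload attempts, and deciding whether two source addresses sit in the same network block) are easy to script. The following is an added example written for this post, not code the author used: it parses a handful of constructed Apache-style access log lines, counts failed POSTs to the stock WordPress upload endpoints per source IP, and then compares addresses by /24 (the classful "Class C") and by /16. The endpoint paths are assumed from a standard WordPress install and the log lines are made up, but the two attacker addresses are the ones quoted in the post. Note that the script reports those two addresses as sharing 88.204.0.0/16 but different /24s, so the prefix length you compare on matters when attributing activity to one operator.

```python
import ipaddress
import re

# Constructed sample of Apache combined-format access log lines (not the
# author's real logs). Two source addresses come from the post; the third
# is an unrelated visitor from a documentation range.
SAMPLE_LOG = """\
88.204.203.88 - - [01/Jan/2008:10:00:01 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 500 1234 "-" "Mozilla/5.0"
88.204.203.88 - - [01/Jan/2008:10:00:05 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 500 1234 "-" "Mozilla/5.0"
88.204.174.118 - - [01/Jan/2008:10:02:11 +0000] "POST /wp-admin/async-upload.php HTTP/1.1" 500 1234 "-" "Mozilla/5.0"
88.204.174.118 - - [01/Jan/2008:10:03:40 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2008:11:00:00 +0000] "GET /2008/01/some-post/ HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
"""

# Minimal parser for the common/combined log format: client IP, timestamp,
# request method and path, and the numeric status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths that indicate someone is driving the WordPress media uploader.
# Assumed from a stock WordPress install; the post does not name them.
UPLOAD_PATHS = (
    "/wp-admin/async-upload.php",
    "/wp-admin/media-upload.php",
    "/wp-admin/upload.php",
)


def parse_log(text):
    """Turn raw log text into a list of dicts; lines that don't parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            events.append(d)
    return events


def upload_attempts(events):
    """Return (ip, status) for every POST aimed at an upload endpoint."""
    return [(e["ip"], e["status"]) for e in events
            if e["method"] == "POST" and e["path"] in UPLOAD_PATHS]


def failed_uploads_by_ip(events):
    """Count upload POSTs that the server rejected (4xx/5xx), per source IP.
    With no upload directory configured, every attempt fails, which is
    exactly the pattern the post describes seeing in the logs."""
    counts = {}
    for ip, status in upload_attempts(events):
        if status >= 400:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def same_prefix(ip_a, ip_b, prefix_len):
    """True if both addresses fall in the same /prefix_len block.
    A classful 'Class C' corresponds to a /24."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix_len}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def group_by_prefix(ips, prefix_len):
    """Bucket addresses by their containing /prefix_len network."""
    groups = {}
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups.setdefault(str(net), set()).add(ip)
    return groups


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    failed = failed_uploads_by_ip(events)
    print("failed upload POSTs per IP:", failed)
    for plen in (24, 16):
        print(f"/{plen} groups:", group_by_prefix(list(failed), plen))
```

Run it as-is and the output shows two failed upload POSTs from 88.204.203.88 and one from 88.204.174.118, grouped into separate /24s but a single /16. On a real server you would feed `parse_log` the contents of the access log and extend `UPLOAD_PATHS` to match whatever upload handlers your site actually exposes.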
In any case, some would question why I contacted the would-be hackers and tried to be so open and non-threatening. Well, I personally subscribe to the sort of methods Steve Gibson used when his site was DoS'd a few years ago.
In short, he reached out and politely asked how they did what they did, and made it clear he wasn't out for revenge, just knowledge. A lot of hacks and viruses are made in an attempt to highlight security failings. Sure, some people are just out to vandalize so they can show off to their friends.
So which one was my defacer? A white hat? Black hat? The latter, sadly. While I am not sure whether I believe the person I spoke to, here was his last meaningful reply:
At present I know three people from Pavlodar. The hacking of your blog has been done by them because they have enough experience and knowledge for this purpose. They are not my friends. They are competitors of our parkour-command.
I shall inform them that their actions were wrong and I shall ask them to give the information on how they could hack your blog. But I doubt that they will agree to give this information.
Some could debate the wisdom of tracking down the people who rooted my site. I still think I was/am justified. If I found the right person, could I have gained their respect? Doubtful. But I at least had a chance to possibly learn something in the process.