Hacked after selling a site on Flippa

Xyphien

I sold DiscordPromote.com on Flippa. Once the auction ended for $150 the person never messaged me back, and then I just looked at the site and everything has been deleted other than "GO FUCK YOURSELF BROTHER !"

They also just updated their site so I can't see the old data, or see who that user was. Long story short, I won't be using Flippa again to do any selling.
 
Did you transfer ownership of everything before receiving the funds? 😵
 
Once you received the money and the site moved over to a new set of hands then it's pretty much out of your hands then. But it's very sad to see that happen. So what the flip happened then huh? Someone doesn't like someone or the new guy doesn't like it anyway.

I think that even if you sold it and transferred the content over, you should also have backups.
 
I'm assuming the Buyer did not pay you? Can't you get Flippa involved? Did you have any written agreement besides the actual sale on the site?
 
Being in infosec, primarily ethical hacking, this doesn't sound like hacking. Sounds like you sold a website to another party and that party decided to deface the website themselves? If you transferred ownership before receiving funds, it's still not hacking as they have the wwwroot contents. People throw around the word hack like it's candy.
 
I sold DiscordPromote.com on Flippa. Once the auction ended for $150 the person never messaged me back, and then I just looked at the site and everything has been deleted other than "GO FUCK YOURSELF BROTHER !"

They also just updated their site so I can't see the old data, or see who that user was. Long story short, I won't be using Flippa again to do any selling.
This doesn't seem like an issue with Flippa. Flippa is a great marketplace
Did you give him access to the domain / hosting before they paid you... ?
You also show that you're using WordPress 4.9 on the Flippa auction, but 4.9 has a bunch of known security vulnerabilities - especially if you let the bidder into the dashboard (even as a normal user).

If you want I can dig around in apache logs & other server logs to try to grab an IP address to compare to on your other forums and FP (if Cam or Joshua is willing to help).
 
This doesn't seem like an issue with Flippa. Flippa is a great marketplace
Did you give him access to the domain / hosting before they paid you... ?
You also show that you're using WordPress 4.9 on the Flippa auction, but 4.9 has a bunch of known security vulnerabilities - especially if you let the bidder into the dashboard (even as a normal user).

If you want I can dig around in apache logs & other server logs to try to grab an IP address to compare to on your other forums and FP (if Cam or Joshua is willing to help).

If you let the bidder into the dashboard, they probably created a new template, included a malicious payload that will run at page load and sent themselves a reverse shell. From there, they have free range of the web server. I believe that version of WordPress is vulnerable to an LFI attack, which will allow reading of files (config files since this is WP) that shouldn't be publicly available.

I would attempt to help out on the offsec side, but I am limited by ethics and RoE.
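
Added example, not part of any post in this thread: a minimal triage of an Apache access log for the WordPress login and theme/plugin editor requests discussed above, grouped by client IP so an unfamiliar address can be compared against other records. It assumes the Apache "combined" log format; the sample lines, IP addresses and the `known_ips` parameter are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# WordPress endpoints worth reviewing after a defacement.
SENSITIVE = (
    "/wp-login.php",
    "/wp-admin/theme-editor.php",
    "/wp-admin/plugin-editor.php",
)

# Constructed sample log lines (documentation-range IP addresses).
SAMPLE = [
    '203.0.113.7 - - [10/May/2018:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2018:03:12:09 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2018:03:13:40 +0000] "GET /wp-admin/theme-editor.php?file=index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/May/2018:08:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/May/2018:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

def triage(lines, known_ips=()):
    """Group requests to sensitive WordPress endpoints by client IP,
    skipping addresses the site owner recognises as their own."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-combined-format line
        path = m["path"].split("?", 1)[0]  # drop the query string
        if m["ip"] in known_ips or not path.endswith(SENSITIVE):
            continue
        hits[m["ip"]].append((m["time"], m["method"], path, int(m["status"])))
    return dict(hits)

def successful_logins(hits):
    """Heuristic: a POST to wp-login.php answered with a 302 redirect
    indicates a login that succeeded (failures re-render the form with 200)."""
    return sorted(
        ip for ip, reqs in hits.items()
        if any(meth == "POST" and path.endswith("/wp-login.php") and status == 302
               for _, meth, path, status in reqs)
    )
```

Any address it reports is only a lead: it may be a proxy or VPN exit, and the logs have to be preserved before the server is wiped for this to be possible at all.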
 
So, you didn't get paid? Never hand over anything, not even a limited admin account, without securing payment first.

The most important thing is to keep a backup of your site as well just in case something goes wrong. People could dispute payment, and/or act like douchewaffles in some other way, even after everything has been handed over legitimately and securely. A backup protects you. At the very least, in those cases, you can probably get your domain recovered and use the backup to restore the site.

EDIT: Just read the above two responses about a possible malicious attack. =(
 
So, you didn't get paid? Never hand over anything, not even a limited admin account, without securing payment first.

The most important thing is to keep a backup of your site as well just in case something goes wrong. People could dispute payment, and/or act like douchewaffles in some other way, even after everything has been handed over legitimately and securely. A backup protects you. At the very least, in those cases, you can probably get your domain recovered and use the backup to restore the site.

EDIT: Just read the above two responses about a possible malicious attack. =(
Yeah, @Xyphien you should also ask your host if they have an automated backup you can restore from. Some hosts do provide this service for 1-30 day recoveries.
 
Did you transfer ownership of everything before receiving the funds? 😵
It got hacked before all of that. The guy never messaged me back; after he won he fell off the face of the earth. I went on vacation that week and kept messaging him and nothing. When I came back all I saw was "GO FUCK YOURSELF BROTHER !"

Once you received the money and the site moved over to a new set of hands then it's pretty much out of your hands then. But it's very sad to see that happen. So what the flip happened then huh? Someone doesn't like someone or the new guy doesn't like it anyway.

I think that even if you sold it and transferred the content over, you should also have backups.
Never received the money. Flippa's new thing is wonky and doesn't make sense. Sooooo I lost all my stuff, they took it and I'm out of the money.

I'm assuming the Buyer did not pay you? Can't you get Flippa involved? Did you have any written agreement besides the actual sale on the site?
I messaged them, and they LITERALLY just replied back. I sent them a message before I made a post on here. Talk about poor customer support...

Being in infosec, primarily ethical hacking, this doesn't sound like hacking. Sounds like you sold a website to another party and that party decided to deface the website themselves? If you transferred ownership before receiving funds, it's still not hacking as they have the wwwroot contents. People throw around the word hack like it's candy.
"the gaining of unauthorized access to data in a system or computer." Yeah no, they got the files, put the gfyb message, and never paid me. All without me transferring any files over to them. Seems like unauthorized access to me.

This doesn't seem like an issue with Flippa. Flippa is a great marketplace
Did you give him access to the domain / hosting before they paid you... ?
You also show that you're using WordPress 4.9 on the Flippa auction, but 4.9 has a bunch of known security vulnerabilities - especially if you let the bidder into the dashboard (even as a normal user).

If you want I can dig around in apache logs & other server logs to try to grab an IP address to compare to on your other forums and FP (if Cam or Joshua is willing to help).
Too late now. I counted my losses and deleted the whole service. Every website on that host was wiped because of it, and nothing was left. I went on vacation that week so my host didn't have any backups past the week. I said screw it and let everything go.

Yeah, @Xyphien you should also ask your host if they have an automated backup you can restore from. Some hosts do provide this service for 1-30 day recoveries.
They only do a week sadly. They did it, and everything was still gone. So I counted my losses and just shut everything down.
 
Ohhh rip, there are ways to get payback but since you like removed and wiped the system then there isn't much I can think of that you can do, it's not like you have records of activities. Then again your host/servers do have logs.
 
"the gaining of unauthorized access to data in a system or computer." Yeah no, they got the files, put the gfyb message, and never paid me. All without me transferring any files over to them. Seems like unauthorized access to me.

I got the idea of what hacking is, I am well aware of what it entails. However, you never stated that in your original post. In the OP, you made it sound like you were selling the website and then it was defaced. That left it for interpretation that you shared credentials before the sale was final, hence Jordan, myself, and Ghost asking if you did.

I guess there were many lessons to be learned here, most of them the hard way.

I would assume they took advantage of a known exploit in your WP installation, got wwwroot access, and were able to deface from there. Hopefully other services weren't running, like MySQL or something that could also have been exploited.
 