
Thread: How to hack a site... for a client?

  1. #1
    Senior Member RDesignista's Avatar
    Join Date
    Feb 2012
    Location
    Coconut Tree City
    Posts
    822
    Member #
    30921
    Liked
    123 times

    How to hack a site... for a client?

    Hi everyone,

    I know the title sounds shady, but I assure you, this question has good intentions.

    A client of mine hired a web design firm to make a site. Well, that firm went out of business. They did not tell my client and they are not answering any emails or phone calls. I took a look to try and salvage things, but we have no domain logins, no webhost logins, no main admin logins, and the entire site is registered under the web design firm, not my client, so we can't even try to repossess the site.

    So... I am thinking the website is screwed... but I do know that it's Wrdprs. Wrdprs of course has some security vulnerabilities by default that make them a target of brute force attacks (I won't divulge these details here). Unless the web designers took some safety precautions, I understand that I could try a brute force hack on the login screen.

    My question is this: any of you know how to brute force hack a website? I know it sounds like a horrible question, but I promise you that it's for a good cause, kind of like hot wiring someone's motorcycle when they lost their keys.

  3. #2
    WDF Staff mlseim's Avatar
    Join Date
    Apr 2004
    Location
    Cottage Grove, Minnesota
    Posts
    7,715
    Member #
    5580
    Liked
    717 times
    I don't have the knowledge to hack WordPress, but I agree, there is probably a way.

    My post here is to point out a lesson for all of those developers and clients out there. If you are a business and have a website, you need to be the owner of your site. You can own the hosting account, domain name and everything, even if you know nothing about web design or development. You can hire someone to develop your site, but you still need to have total control. Don't let any developer or design company tell you that they need to host it for you.

    I really don't have much sympathy for the client that the OP is describing. They will probably have to start over again, and most likely will have to come up with a new domain name. Hopefully they can get a hold of at least one person in the design firm that will save them ... we'll see.

    I'm glad RDesignista posted this story ... it will help a lot of businesses in the future.


  4. #3
    Senior Member RDesignista's Avatar
    Join Date
    Feb 2012
    Location
    Coconut Tree City
    Posts
    822
    Member #
    30921
    Liked
    123 times
    Mlseim,

    Well, I wasn't really sharing a lesson... I was just asking people to teach me how to hack a site

    You're absolutely right though. I make it a point to send all the credentials to clients when I finish their project. I also suggest to them all that they register their own domain and get webhosting JUST IN CASE. Web companies bail without warning (like in my client's situation) and webmasters die (a guy in Hawaii committed suicide several years back and no one had credentials except him!) and some people just do shady things or act out on personal grudges and delete everything (another client of mine). So, it's always best to approach websites like chess - think a couple steps ahead.

  5. #4
    Unpaid WDF Intern TheGAME1264's Avatar
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,485
    Member #
    425
    Liked
    2783 times
    What Max said, although I do have some sympathy for the client. Since control begins and ends with the domain name, developers should never register a domain name for their clients. That should always be owned by the client, and while a client should be aware of it (so a bit of blame there), this is ultimately on the developer. Hosting is a bit different, though...I host several of my clients' sites, but that's because I want to make sure they're up, and I also back them up every 12 hours...so they have a lot more stability and security than they would have otherwise.

    There is, however, a possible way to get the domain back. I can't promise it will work, but I can promise that it is legal, doesn't require a hack, and that it has worked for three of my clients in the past. You need company letterhead and a fax machine (or some other way to send a fax) to pull it off, though, which is strange but true.

    Here's what you do:

    1) Contact the registrar and explain the situation with the domain.
    2) The registrar will likely ask you to send in a fax on company letterhead signed by a company signing authority (the president / owner is the best option) explaining the situation and indicating who the correct owner is (company, contact name, contact email, etc.) Make sure to include some form of photocopied or scanned government ID (driver's license is the best).
    3) Prepare the fax, send it in, wait, and hope for the best.

    The registrar may have an example of a template you need to follow online as well. Apparently MediaTemple does, although they're a host so I don't know why they would. This will give you the general idea, though.

    http://mediatemple.net/company/legal...nOwnership.pdf

    This may work for your host as well, although I've never tried it. If it doesn't and you get the domain back, at least you've got an established domain to work with, and that beats using a whole new site. If you have to pick between "accessing domain" and "accessing site", "accessing domain" is definitely the way to go. You can always use something like HTTrack to get the pages off (assuming it's a straight WP site and doesn't have any form customizations, ordering processes or things like that) and then rebuild them with the exact URL structure on the domain. But get the domain first.
    If I've helped you out in any way, please pay it forward. My wife and I are walking for Autism Speaks. Please donate, and thanks.

    If someone helped you out, be sure to "Like" their post and/or help them in kind. The "Like" link is on the bottom right of each post, beside the "Share" link.

    My stuff (well, some of it): My bowling alley site | Canadian Postal Code Info (beta)

  6. #5
    Senior Member Ronald Roe's Avatar
    Join Date
    Mar 2011
    Location
    Oklahoma City
    Posts
    3,141
    Member #
    27197
    Liked
    959 times
    If the client's account on the WP install has access to install plugins, install Duplicator. It'll create an archive of the site, plus an installer. It's what I use to locally dev a site and push it live. Might work for you if you're able to install plugins.
    Ron Roe
    Web Developer
    "If every app were designed using the same design template, oh wait...Bootstrap."

  7. #6
    Senior Member RDesignista's Avatar
    Join Date
    Feb 2012
    Location
    Coconut Tree City
    Posts
    822
    Member #
    30921
    Liked
    123 times
    Quote Originally Posted by Ronald Roe View Post
    If the client's account on the WP install has access to install plugins, install Duplicator. It'll create an archive of the site, plus an installer. It's what I use to locally dev a site and push it live. Might work for you if you're able to install plugins.
    Oooh.... I forgot to mention that my client's admin account is a dumbed down version. I'm not sure how they modified it, but we have very limited access - I can't even touch the CSS files.

  8. #7
    Senior Member RDesignista's Avatar
    Join Date
    Feb 2012
    Location
    Coconut Tree City
    Posts
    822
    Member #
    30921
    Liked
    123 times
    Quote Originally Posted by TheGAME1264 View Post
    What Max said, although I do have some sympathy for the client. Since control begins and ends with the domain name, developers should never register a domain name for their clients. That should always be owned by the client, and while a client should be aware of it (so a bit of blame there), this is ultimately on the developer. Hosting is a bit different, though...I host several of my clients' sites, but that's because I want to make sure they're up, and I also back them up every 12 hours...so they have a lot more stability and security than they would have otherwise.

    There is, however, a possible way to get the domain back. I can't promise it will work, but I can promise that it is legal, doesn't require a hack, and that it has worked for three of my clients in the past. You need company letterhead and a fax machine (or some other way to send a fax) to pull it off, though, which is strange but true.

    Here's what you do:

    1) Contact the registrar and explain the situation with the domain.
    2) The registrar will likely ask you to send in a fax on company letterhead signed by a company signing authority (the president / owner is the best option) explaining the situation and indicating who the correct owner is (company, contact name, contact email, etc.) Make sure to include some form of photocopied or scanned government ID (driver's license is the best).
    3) Prepare the fax, send it in, wait, and hope for the best.

    The registrar may have an example of a template you need to follow online as well. Apparently MediaTemple does, although they're a host so I don't know why they would. This will give you the general idea, though.

    http://mediatemple.net/company/legal...nOwnership.pdf

    This may work for your host as well, although I've never tried it. If it doesn't and you get the domain back, at least you've got an established domain to work with, and that beats using a whole new site. If you have to pick between "accessing domain" and "accessing site", "accessing domain" is definitely the way to go. You can always use something like HTTrack to get the pages off (assuming it's a straight WP site and doesn't have any form customizations, ordering processes or things like that) and then rebuild them with the exact URL structure on the domain. But get the domain first.
    Thanks for the advice. My client has pretty much given up hope at this point, but I'll forward them the instructions if they still have hope of recovering it at all. They have an admin login, but it's a dumbed down one, so we can't touch any plugins, CSS files, or do anything other than edit pages.

  9. #8
    Unpaid WDF Intern TheGAME1264's Avatar
    Join Date
    Dec 2002
    Location
    Not from USA
    Posts
    14,485
    Member #
    425
    Liked
    2783 times
    Well, when you've all but given up hope, you might as well throw a Hail Mary and see what happens.

  10. #9
    WDF Staff AlphaMare's Avatar
    Join Date
    Oct 2009
    Location
    Montreal, Canada
    Posts
    4,570
    Member #
    20277
    Liked
    878 times
    Who is the registrar? I had a client whose previous designer bailed and would not answer e-mails or phone calls. The domain was registered with GoDaddy. They have a process that you can follow to regain control of the domain. FIND IT HERE
    Good design should never say "Look at me!"
    It should say "Look at this." ~ David Craib


    http://digitalinsite.ca ~ my current site . . info@digitalinsite.ca ~ my email

    If you feel that someone's post helped you fix your problem, answered your question, or just made you feel better, feel free to "Like" their post. The "Like" link is at the bottom right of each post, along side the "reply" link. And if you are being helped here, try to help someone else - pass it on!

  11. #10
    Senior Member RDesignista's Avatar
    Join Date
    Feb 2012
    Location
    Coconut Tree City
    Posts
    822
    Member #
    30921
    Liked
    123 times
    Actually, yes, it is Godaddy.

    I already told them to talk with GD support and ask if they can repo the domain (at least), but they said it's a no-go.

    I'll let them know your suggestions though.

