Announcements
10/24/2009 12:12
Your site hacked? Part 4
Since I have a moment here while the latest batch of my own scripts is running to just drop the whole home directory backup into each person's /home on deuce, extract it, then delete it, I'll give you some info on how it worked. I decided that doing the dual extraction of the big archive, then the smaller home directory archive, then recreating the public_html archive was just going to take even longer, so you're going to see duplicate mail. That's just a result of the way I decided to go to speed things up. What's happening is that everything under /home/username is being restored from whatever backup is older than the defacement day. On the deuce server, which I'm looking at right now, that's the 19th, since the daily and monthly rolled over with the defacements in place. Just an FYI, and duplicate mail is a small price to pay.
The defacement scripts: what they do is a recursive loop through a site's directory structure, looking for the usual types of installations that a site might have in place: /forum, /cart, /shop - things of that nature. Since most of those themselves have deeper levels (like /admin for instance) where there would also be an index file, they find those as well. They are much more sophisticated these days than they used to be, because the tools are out there that let anyone pretty much write a script without really knowing how the underlying language works. Elegant, but like a country bumpkin at a debutante's ball, really. It's just clothes they throw on that make them feel like they're part of the in crowd, to get bragging rights.
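As an added defensive check (example code, not part of the announcement or the hosting provider's own restore scripts): a small Python script that walks a restored public_html the same way the defacement scripts described above do, flagging index files in the web root or under /forum, /cart, /shop or /admin that were modified after the last clean backup, and separately listing every file whose hash differs from the backup copy. The directory names come from the announcement; the index filenames, the cutoff timestamp and the sample tree are constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Directories the announcement says the scripts hunt for (index filenames assumed)
TARGET_DIRS = {"forum", "cart", "shop", "admin"}
INDEX_NAMES = {"index.html", "index.htm", "index.php"}

def find_recent_index_files(web_root, cutoff_epoch):
    """Index files in the web root or any target directory modified after cutoff."""
    root, hits = Path(web_root), []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        if d != root and d.name.lower() not in TARGET_DIRS:
            continue
        for name in files:
            p = d / name
            if name.lower() in INDEX_NAMES and p.stat().st_mtime > cutoff_epoch:
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)

def changed_since_backup(web_root, backup_root):
    """Files whose SHA-256 differs from the backup copy, or that have no backup copy
    at all (a newly dropped file deserves a look as much as a rewritten one)."""
    sha = lambda p: hashlib.sha256(p.read_bytes()).hexdigest()
    root, backup, changed = Path(web_root), Path(backup_root), []
    for p in (q for q in root.rglob("*") if q.is_file()):
        rel = p.relative_to(root)
        if not (backup / rel).is_file() or sha(backup / rel) != sha(p):
            changed.append(rel.as_posix())
    return sorted(changed)

def build_sample_tree(cutoff_epoch):
    """Constructed sample: live public_html plus its backup in a temp dir, with the
    forum index rewritten after the cutoff. Returns (live_dir, backup_dir)."""
    base = Path(tempfile.mkdtemp())
    live, backup = base / "public_html", base / "backup"
    for d in (live, backup):
        (d / "forum").mkdir(parents=True)
        (d / "index.html").write_text("<h1>Welcome</h1>")
        (d / "forum" / "index.php").write_text("<?php echo 'forum'; ?>")
        (d / "forum" / "style.css").write_text("body{}")
    for p in live.rglob("*"):                   # everything predates the cutoff...
        os.utime(p, (cutoff_epoch - 3600,) * 2)
    hacked = live / "forum" / "index.php"       # ...except the rewritten index
    hacked.write_text("<h1>defaced</h1>")
    os.utime(hacked, (cutoff_epoch + 60,) * 2)
    return live, backup
```

Run `find_recent_index_files(*build_sample_tree(1255910400)[:1], 1255910400)` against a real web root with the epoch of the last clean backup in place of the constructed value; the mtime check is cheap but can be fooled, so the hash comparison against the backup is the one to trust.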
My current round of scripting is done, so I'm on to the next. By and by you'll see sites come back without whatever political statement these freaks think they've made. My next step, after the sites, will be to put clean versions of the control panel, horde, and squirrelmail back in place. For some reason they never bother with roundcube in these things we've seen - probably because they've just picked up the script somewhere and whatever they picked up was written before cpanel rolled out roundcube. That gives you a good indication of how not so bright these people really are.
Thank you again for your patience.