We are noticing that the Zimbo Jam website, which has been offline for close to 2 weeks to recover from the defacement incident, came back online today. The website is Zimbabwe’s most popular entertainment blog (blogazine if you want) and one of several high-profile local websites to be hit in recent weeks.
Another website, called Her Zimbabwe, which is hosted on the same server as Zimbo Jam and which was defaced and also taken down around the same time, is however still down.
When we reached out last week to Zimbo Jam founder, Fungai Tichawangana, to determine the reasons for the extended downtime, he told us they were in the process of making sure they closed all security loopholes before bringing the website back online.
Hacking and defacement of local websites has seemingly been on the rise recently. We posted our opinion on the matter earlier today, which in short is: it seems so, but it is not.
Interestingly, both Zimbo Jam and Her Zimbabwe have been using social media platforms, especially Facebook, to post content online and engage their readers during the time their main sites have been offline. Could the extended downtime mean they are finding Facebook is really where it’s at? Local “web properties” that live entirely on Facebook, for example DeMbare DotComs, are not uncommon these days.
Update (08 January 2013): Her Zimbabwe now restored as well.
10 comments
I still think that the site has a major loophole…I can access their admin login form at zimbojam.com/administrator . This means that they have no folder encryption using .htaccess or some other methods such as RSFirewall. They should get something basic like AdminTools to fix that and I can only hope they changed their database prefix from the joomla default.
Come on people, let's not make ourselves easy targets.
Can you actually login or can you just “view” the login form? If it's the latter, whilst it's best practice to change the admin area from default, seeing the form can't be considered a loophole.
.htaccess is not for folder encryption.
Are you not just throwing words?
Not going to argue semantics – ‘loophole’ or not, that’s poor security thinking. Security is the very reason why not having your admin interface accessible to the world is a best practice. A lot of information can be gleaned off a login page (including management software name & version and CGI parameters), and we can agree that giving an adversary hints is not a good idea.
Not contesting your point about .htaccess
It is not best practice but it is not a loophole
troll
mmm strange..maybe your google doesn't do search?..Yes you can use .htaccess for folder encryption.
And simply being able to view the login form to the Admin part of the site means that a brute force attack will be easier to initiate.
No, I'm not throwing around words, but maybe you’re just throwing around ignorance?
htaccess is not for folder encryption
Ok seeing as your google still can't search:
http://www.freebsdmadeeasy.com/tutorials/web-server/password-protect-directories-with-htaccess.php
http://tools.dynamicdrive.com/password/
Happy now?
Password protection and Encryption are two totally different things
tinm@n this is just trolling
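What the thread is actually discussing is password-protecting the Joomla administrator directory with Apache Basic authentication (not encryption). The following is an added example, not a configuration from Zimbo Jam or from the linked tutorials; the paths, the credentials file name and the admin IP range are assumptions.

```apache
# .htaccess placed inside the Joomla "administrator" directory (assumed path).
# Needs "AllowOverride AuthConfig" (or All) for this directory in the main
# Apache config, otherwise these directives are silently ignored.

# HTTP Basic authentication: the browser prompts for a username/password before
# Apache serves anything from this directory, so the Joomla login form itself
# is no longer visible to anonymous visitors (addresses the "viewable login
# form" and brute-force concerns raised in the comments).
AuthType Basic
AuthName "Restricted administration area"

# Keep the credentials file OUTSIDE the web root so it can never be downloaded.
# Create it with the real htpasswd tool, which stores a salted hash, not the
# plaintext password:
#   htpasswd -c /etc/apache2/admin.htpasswd siteadmin
AuthUserFile /etc/apache2/admin.htpasswd

# Weak version (kept for comparison, commented out): credentials only, so the
# directory is still reachable and guessable from anywhere on the Internet.
#Require valid-user

# Hardened version (Apache 2.4 syntax): BOTH a valid account AND a source
# address from the site operators' range are required. 203.0.113.0/24 is a
# documentation range used here as a placeholder for the real admin network.
<RequireAll>
    Require valid-user
    Require ip 203.0.113.0/24
</RequireAll>

# Basic auth sends credentials base64-encoded, not encrypted; serve this
# directory over HTTPS only, otherwise the second password is exposed in
# transit just like the Joomla one.
```

Apache 2.2 installations use `Order`/`Allow`/`Deny` plus `Satisfy All` instead of `<RequireAll>`, so check the server version before copying the block.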