| 5:30 am on Dec 8, 2008 (gmt 0)|
As a side note, I wrote this post in response to a recent group of communications I received where site owners were wailing about how unfairly Google was treating their site - and I found in several cases that they had been hacked. When you let your door stand open, all kinds of things can happen to your valuables.
I'm hoping I've been clear enough about the hacks I learned about over the past couple years. Has anyone got any details to add or clarify, or maybe a type of hack problem that I missed?
| 6:13 am on Dec 8, 2008 (gmt 0)|
Back in May I had one of my sites defaced. From everything I was able to find out, they were defacing sites that ran a certain gallery add-on to Joomla. I found a lot of sites that had also been defaced by the same group when I searched for the "name" they left behind.
Fortunately I have a reseller account so I was able to totally remove the entire site, the site's hosting and recreate the hosting for the site and rebuild the entire site over a weekend. Luckily the site was small. After the new version was up, written only in HTML & CSS, I kept constant watch as these guys and/or their friends were still trying to view their work or perhaps even try to do more. They eventually gave up.
I'm no longer using any CMS package for my sites other than WordPress which I keep updated.
| 7:46 am on Dec 8, 2008 (gmt 0)|
There's a particularly nasty virus making the rounds as I write this that doesn't do anything to your computer or websites but it swaps out the ads on sites you visit. You "think" you're seeing the site as intended but the advertising doesn't belong to that site.
How are you supposed to know? The code is well hidden and launches in the background with IE. It does NOT launch with Firefox but if it has been launched already it will replace ads on Firefox too.
The best way to test for this, because there really is no other trace of it (yes, it's that fast and smooth and kills cookies etc.) is to visit your Yahoo email and hover over an ad momentarily. If your computer is infected the ad will show in the nav bar as being served by a third party server, not by Yahoo. The ads are high quality from various sources (except for the "get free icons" ad that Yahoo would never show).
This type of infection steals website owners' money without touching their sites and without doing anything nasty to your computer.
| 8:23 am on Dec 8, 2008 (gmt 0)|
Excellent post Tedster. I need to establish a few procedures.
| 3:51 pm on Dec 8, 2008 (gmt 0)|
great set of guidelines when performing site audits
| 6:14 pm on Dec 8, 2008 (gmt 0)|
Great post! Our server was hacked recently. They brute-forced us for over a year until they finally got in. We had our firewall block them after x number of failed logins by IP. But they were simply coming in with random IPs that didn't always exist anyway.
Long story short, I LUCKILY was reviewing my command history file one morning and happened to see some strange commands in there from JUST THE NIGHT BEFORE!
After reviewing some log files, I found they had obtained root access a few hours before... They were logged in for a total of 10 minutes. During that time they installed a script on my website that gave them file browsing capability via the browser (and edit), along with some other tools for accessing my database, etc. They then poked around my website scripts, viewing various files that seemed interesting (like login scripts, etc).
Then they attempted to clean up behind themselves and logoff. It was all a bit terrifying! I immediately changed every password on the server, and went into full lockdown mode on my SSH access. Previously I had not locked it down to be accessible via only my IP since I am on the move so much. Well this convinced me that I had to lock it down. So now I use a dynamic IP service (dyndns.org) to help me still SSH to my site when I'm moving IP addresses.
I spent weeks combing my site, logs, scripts, files, cron jobs, htaccess, config files, startup scripts, etc looking for something they may have left behind. So far I have not found anything. I'm hoping they were just being curious and planning to come back another day to do damage... since they didn't seem to do any visible damage this time.
BUT YOU NEVER KNOW FOR SURE since they did obtain ROOT access, they could have done anything and simply lead me to believe they were just browsing around. I still don't know for sure to this day. My ISP said I should buy a new server and migrate over and have the existing one wiped clean. I am not in a position to do that since I have years invested in setting this one up just the way I need it...
Unfortunately that may be a decision that comes back to haunt me... let's hope not.
But the moral of this story... getting your server hacked is a very real issue. Do not laugh at hackers that are trying to brute force their way in... they can (and will) eventually get in. Take steps to block them as soon as you see it happening... which was my biggest mistake. I figured my random password was unbreakable. Well they broke it.
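The post above describes the pattern worth watching for in auth logs: a long run of failures from one source, then a success. The script below is an added example, not the poster's own tooling; the log lines are constructed in OpenSSH syslog format, and the IP addresses, hostname and threshold are assumptions.

```python
import re

# Constructed sample sshd log lines (syslog format); not taken from the post.
SAMPLE_LOG = """\
Dec  7 22:01:13 web1 sshd[4112]: Failed password for root from 203.0.113.45 port 51022 ssh2
Dec  7 22:01:15 web1 sshd[4112]: Failed password for root from 203.0.113.45 port 51022 ssh2
Dec  7 22:01:18 web1 sshd[4115]: Failed password for invalid user admin from 198.51.100.7 port 40110 ssh2
Dec  7 22:01:20 web1 sshd[4118]: Failed password for root from 203.0.113.45 port 51030 ssh2
Dec  7 22:01:24 web1 sshd[4120]: Failed password for root from 203.0.113.45 port 51031 ssh2
Dec  7 22:01:30 web1 sshd[4123]: Accepted password for root from 203.0.113.45 port 51040 ssh2
Dec  7 22:15:02 web1 sshd[4130]: Accepted publickey for deploy from 192.0.2.10 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(lines):
    """Return one dict per recognised auth line; unrelated lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def analyse(events, threshold=3):
    """Count failures per source IP and flag any success that arrives after at
    least `threshold` failures from the same IP (a brute force that got in)."""
    failures = {}
    flagged = []
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]] = failures.get(e["ip"], 0) + 1
        else:
            n = failures.get(e["ip"], 0)
            if n >= threshold:
                flagged.append((e["ts"], e["user"], e["ip"], n))
    return failures, flagged

def password_root_logins(events):
    """Successful password logins as root: the exposure the poster closed by
    restricting SSH. Key-only, non-root access leaves this list empty."""
    return [e for e in events if e["result"] == "Accepted"
            and e["method"] == "password" and e["user"] == "root"]

if __name__ == "__main__":
    events = parse(SAMPLE_LOG.splitlines())
    failures, flagged = analyse(events)
    for ts, user, ip, n in flagged:
        print(f"{ts}: {user} logged in from {ip} after {n} failures")
    print("root password logins:", len(password_root_logins(events)))
```

On a real box, feed it `/var/log/auth.log` or `/var/log/secure`; the per-IP counter deliberately never resets, so a slow attacker spread over weeks is still caught when the success finally lands.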
| 12:37 am on Dec 9, 2008 (gmt 0)|
You skipped some obvious things hackers have done which don't exactly affect your traffic but affect your income, such as replacing your AdSense or affiliate IDs.
| 1:48 am on Dec 9, 2008 (gmt 0)|
Max, if they have compromised your server, you really, really should backup, wipe, and reinstall.
It seems you're aware already that once they've got root they can modify logs to look like whatever they want, change what commands do (ssh may not ssh anymore. It may send your password to them, then ssh). And a host of other nasty things.
I wouldn't be able to sleep knowing someone had root at one time - it's just unknowable what they've left behind. And as your ISP noted, the only real fix is backup, wipe, and reinstall.
| 11:33 am on Dec 11, 2008 (gmt 0)|
|Defacement Hacks: These are really "old school" - they're more like online graffiti than anything else. The hacker usually just wants to brag that they got you, and they put up a message on your pages for all to see. Well, that's easily detected because you just go to your pages and there it is! |
Not always easy to detect: We recently took over management of an existing site for a client, and found it had 'Defacement Hacks'. Interestingly the owner had no idea and was familiar with her site (from the front end). The defacements were all in image folders that usually don't have html pages in them. The hacker had probably used XSS (Cross site scripting) via a low quality enquiry form on the site to create pages in the image folders; the pages were all variations of the index page, e.g. index.htm / index.php / index.asp... etc. They were all harmless and graffiti-like, e.g. 'Fred the Hacker was here'.
I am currently trying to compile a list of hacker access methods, to understand better what to avoid/check/secure, i.e. how the hacker manages to gain access in the first place to do the stuff in Tedster's list. Here is my list so far (any additions, amendments welcome):
- XSS - 'Cross site scripting'
Solution: Escaping and filtering in the form script.
- 3rd party apps not updated / patched e.g. WordPress, AWStats
Solution: don't use 3rd party apps if you can avoid it. Keep them updated.
- Can you view a password folder or private content in the browser?
Solution: protect with htaccess
- Hosts using 3rd party apps with vulnerabilities: (e.g. CPanel, VDeck)
Solution: don't use such hosts.
- FTP with default passwords
Solution: Strong password + Change it every few months.
| 2:03 pm on Dec 11, 2008 (gmt 0)|
Perhaps one of the most efficient attacks is to hijack the browser of the site owner either via some clickjacking or active control/plugin.
Many site owners completely forget about that. For an attacker this approach is superior because:
1. The site owner trusts his site or his accounts. Active content filtering can be completely off.
2. With his hijacked browser he now accesses his admin, cpanel, database, external accounts, mail, you name it.
Ex: when you log in to your Google accounts, don't you have these active content/scripts running? Otherwise how are you gonna see all these nice calendars, maps and analytics results?
And you may see a month later a warning from your anti-virus program about it. But by then it's too late.
So in essence the site owner may give full control to the attacker. It's ironic but common.
| 4:39 pm on Dec 11, 2008 (gmt 0)|
Yep, had a site hacked once, didn't have a backup copy, doh!
| 7:12 pm on Dec 14, 2008 (gmt 0)|
A server that one of my sites was on got hacked back in May, and was used for Warez as well as #*$!ography. The same month, massive site penalties, loss of traffic, and my Adsense revenues dropped 70%.
Sent three reinclusion requests to G through Webmaster Tools since this summer, no response and still virtually nonexistent in Google. Years of hard work flushed down the drain.
| 4:07 am on Dec 16, 2008 (gmt 0)|
I'm happy to see this thread. Good stuff, tedster. People should really learn to look in their own back yard sometimes.
I've gotten a lot of stickies and mails throughout the past few years claiming this or that "incident" with some "offending site" or with Google; and a very large percentage of the observed ranking problems could be traced back to bad configuration of the site in question.
I'm not using the word "hacking" as my first choice though, as a lot of these symptoms can be caused by ignorant or clumsy webmasters without any interference from third parties at all. Or, even webmasters trying to "cheat a little" and blame somebody else. No names, no examples.
| 6:46 am on Dec 16, 2008 (gmt 0)|
Not only an excellent post - an excellent resource tool / checklist for those that frequently are placed in situations of diagnosing new clients with inherent problems in ranking.
| 3:53 pm on Dec 22, 2008 (gmt 0)|
Wasn't there a sweet script that Brett posted a while back on if someone was trying to get to a robots.txt blocked directory or file, then to just auto block them from your servers? Am trying to find that in the forums and am coming up empty.
| 8:04 pm on Jan 9, 2009 (gmt 0)|
A new thread at [webmasterworld.com...] mentions that the server hack they suffered did not change the time/date stamp for the altered files. So keep that in mind when searching for possible trouble, too.
| 10:35 am on Jan 17, 2009 (gmt 0)|
Is there any alternative to Xenu Link Sleuth that implements the following features
1. Ability to crawl with any user-agent (googlebot is of a special interest, of course)
2. Respects robots.txt (otherwise it crawls too many pages that I absolutely do not care about)
3. Respects the "nofollow" tag, and reports the "nofollow" tag when found
Xenu lacks these features and does not allow to discover many potential security problems that you mentioned above. e.g. cloaking.
| 9:15 am on Feb 5, 2009 (gmt 0)|
Post is excellent but this is more on the on-page hacking. What to do when you don't see any changes like hacking for placing links in your content, allowing all indexing through robots, no unknown external links placed, content is clear? I have checked the site completely except the log, seems there is no issue at all. But still my 6 yrs old PR 4 site is gone from top to bottom in just 4 days. 60% traffic reduced from 1 Feb to 5 Feb.
| 10:20 am on Feb 5, 2009 (gmt 0)|
Since we have a big but static site and most of the pages are not changed on a regular basis (consider the main index or section index, almost 150 pages regularly changed out of 3500), how do we solve the 304 sc-status issue in the log? I just checked the log for my site and I found that when the bot visits my site, it is 304 for most of the pages.
I read somewhere that says 304 is our friend.. but I am not sure about this.. seeking help.
| 2:13 pm on Feb 5, 2009 (gmt 0)|
You can give Xenu limitations on where and what it crawls; you just need to be specific.
Xenu isn't really a security tool - it's a link tool.
| 2:50 pm on Feb 6, 2009 (gmt 0)|
Good stuff! thanks Ted.
| 6:28 pm on Feb 21, 2009 (gmt 0)|
Here's a solid analysis of a particularly devious hack - offered by Google's John Mueller (JohnMu):
Let's discuss the specifics of that hack in the linked thread, rather than here - thanks.
| 10:34 am on Feb 22, 2009 (gmt 0)|
This is a great post, thanks for bringing this to our attention. As if it was not enough having to worry about maintaining rankings and all the other things that go along with running a busy site or sites we also have to watch out for this stuff. I've had sites hacked more than once in the last year or so. The problem always seems to be the same host and it's always our VPS that seems to get hit. There is a lot to be said for having a good server admin person handy, to be honest I don't know much about keeping this stuff in order and I probably should but who has the time?
| 10:17 pm on Mar 27, 2009 (gmt 0)|
Kapow, I've never heard that CPanel has vulnerabilities. Why would large hosting companies use something that was at risk? What platforms do other hosts use?
| 11:08 am on May 3, 2009 (gmt 0)|
Hello, I don't know if this thing happening to my wordpress blog had already happened to other bloggers but for me it looks like a new kind of hacking. I still don't know what caused this or how to solve it so if anyone knows the solution, please share.
I found out one of my blog posts that was indexed by Google has many pages with the same URL but with query strings. All my blog posts have an extension of .htm but the rest have this .htm?reyf=140 and a series like .htm?reyf=150, .htm?reyf=152 and .htm?reyf=67 and all the URLs are identical. What is troubling to know is those pages have different titles with most of the words like c-a-s-i-n-o and l-o-t-t-e-r-y and when I click the link from the Google search, it redirects to another URL.
I think this caused a keyword ranking drop and sudden dive of my traffic. Has anyone experienced this?
[edited by: tedster at 2:41 pm (utc) on May 3, 2009]
[edit reason] moved from another location [/edit]
| 2:47 pm on May 3, 2009 (gmt 0)|
Once someone has hacked into a server - and wordpress makes a common target if the software isn't patched as soon as new patches are released - the sky's the limit on what they might do. Earlier in this thread we discuss the basic steps: delete the hacked files and restore the clean ones, upgrade the wordpress platform, and then submit a reconsideration request explaining what happened and what you did.
| 6:05 am on May 4, 2009 (gmt 0)|
Thanks Tedster for this informative post. I don't miss upgrading my wordpress blog and plugins. As soon as the new version was released I immediately upgraded them. I also don't have an idea which files are hacked.
I did an experiment. I tried to remove the wp-config.php to test if the URL with .htm?reyf=140 would show an error, because every URL on my blog should then not work. My whole blog isn't working but the URL is still working and redirecting to an anti-virus site.
| 7:43 am on May 4, 2009 (gmt 0)|
I also used the Google webmaster's tools to delete the URL but it was denied because it was considered as a third party website but actually it is my URL.
I'm in the process of reinstalling my Wordpress and I discovered something. It was actually hacked because of a Wordpress vulnerability (It was the new feature of wordpress I'm talking about). I'll go back to post the details after I fixed it.
| 10:23 am on May 6, 2009 (gmt 0)|
SERP is back and I think there is no need for a reconsideration request since my blog reacted fast enough after removing those bogus URLs from the Google index. Speaking of the Wordpress vulnerability, I think it is not actually a vulnerability since I'm not sure how the upgrading of Wordpress via admin panel really works. I was thinking that upon automatic upgrading via admin panel, the new version will just overwrite the old files without deleting the wp-admin and wp-includes. If that is the case, then the manual upgrading is better.
So to cut the story short, the hacker uploaded files in my wp-include>js>tinymce>plugins>inlinepopups>skins>clearlooks2>img folder, about 3,900+ files with strange filenames. So deleting those two directories, wp-admin and wp-includes, and uploading them again from a fresh copy solved the problem.
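The two findings in this thread (defacement pages dropped into image folders, and thousands of oddly named files inside a tinymce skin img folder), together with the earlier note that a hack may leave file timestamps untouched, point at one check: compare the live tree against a fresh copy by content hash rather than by mtime. The script below is an added example, not from any poster; the manifests are constructed, the skin folder path is the one named above, and the image-directory names, extensions and "random name" pattern are assumptions to adjust per site.

```python
import hashlib
import os
import re

IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".svg"}
IMAGE_DIRS = {"img", "images", "uploads"}            # assumed folder names
RANDOM_NAME = re.compile(r"^[a-z0-9]{8,}\.(php|html?)$")  # e.g. k3x9q2pd7.php

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def load_tree(root):
    """Map each file under root (relative path) to the SHA-256 of its content.
    Hashes, not mtimes, because an intruder can preserve timestamps."""
    tree = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                tree[os.path.relpath(full, root).replace(os.sep, "/")] = sha256(fh.read())
    return tree

def compare(live, clean):
    """Both args are manifests as built by load_tree(). Returns (extra, modified, missing)."""
    extra = sorted(p for p in live if p not in clean)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    missing = sorted(p for p in clean if p not in live)
    return extra, modified, missing

def suspicious_files(paths):
    """Flag non-image files inside image directories and random-looking script names."""
    hits = []
    for p in paths:
        parts = p.split("/")
        ext = os.path.splitext(parts[-1])[1].lower()
        in_image_dir = any(d in IMAGE_DIRS for d in parts[:-1])
        if (in_image_dir and ext not in IMAGE_EXT) or RANDOM_NAME.match(parts[-1]):
            hits.append(p)
    return hits

# Constructed sample manifests standing in for a fresh WordPress copy and the live site.
IMG_DIR = "wp-includes/js/tinymce/plugins/inlinepopups/skins/clearlooks2/img/"
CLEAN = {p: sha256(b"clean " + p.encode())
         for p in ("index.php", "wp-load.php", IMG_DIR + "alert.gif")}
LIVE = dict(CLEAN)
LIVE["index.php"] = sha256(b"tampered index.php")                # modified core file
LIVE["images/index.htm"] = sha256(b"Fred the Hacker was here")   # defacement in an image folder
LIVE[IMG_DIR + "k3x9q2pd7.php"] = sha256(b"dropped file")        # random name in the skin img folder
LIVE["wp-content/uploads/2009/05/photo.jpg"] = sha256(b"jpeg")   # legitimate extra, not flagged

if __name__ == "__main__":
    extra, modified, missing = compare(LIVE, CLEAN)
    print("extra:", extra, "\nmodified:", modified, "\nmissing:", missing)
    print("suspicious:", suspicious_files(extra + modified))
```

Against a real install, build `clean` with `load_tree()` on an unpacked fresh download of the same version and `live` on the web root; wp-config.php and everything under wp-content/uploads will always show as extra, so `suspicious_files()` is what separates expected extras from dropped scripts.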