Webmaster General Forum

Crazy stuff: Site stolen, AdSense up big, etc.
beavis




msg:4418548
 12:07 am on Feb 17, 2012 (gmt 0)

This situation is definitely the weirdest and most worrisome event of my 13 year history as a webmaster. Consequently, I need a lot of help from you guys! Here's what has happened:

Over the last few days, I have seen an enormous increase in traffic to mywebsite.com, as per Google Analytics: normally 1-2k/day for years - now 20k/day. The source of the traffic is “adf.ly” and other sites (q.gs and j.gs) that redirect to adf.ly. A brief investigation shows that adf.ly offers a “free URL shortener” and pays publishers who use it. Adf.ly has an Alexa ranking of 127, so it must be fairly legit. I have not interacted with adf.ly in any way.

At first glance, I concluded that some site with lots of traffic was shortening a link to my site in order to make a few bucks, and I was getting some free traffic. All seemed well, and my AdSense earnings were up nicely. However, today the traffic grew to the point that I became more suspicious that something strange was going on, so I looked through GA and found that in addition to adf.ly, some new referrals were coming from www.othersite.com. Looking back, both the adf.ly traffic and the www.othersite.com traffic first appeared right around Christmas.

When I opened othersite.com, I was astonished to see my website! Everything was the same, except the thief replaced all in-page references to my domain name with his domain name. Even more shocking, it is not just my .htm or .php pages that are reproduced under his domain. My Vbulletin forum is up and running on his domain, my form processing script is functional, and even a small section of my site that is ran by a database driven CMS is up and running under his domain! Even more astonishing, I made a small change in one article on my CMS and the change instantly appeared on his site!

1.Please help me understand how the heck this guy has hacked me. I understand how he could download my static pages, edit them and put them on his site, but how is it that he can run my database driven forum, CMS and form processor under his domain? I'm hosted at a very well known USA shared host. Did they hack the host? Did they hack my FTP account? How do I protect myself going forward?

2.What steps should I take to try to get this copy of my site taken down? The registrant of othersite.com is Russian. The IP address of othersite.com is in Germany, but the hosting company is based in Russia. The hosting companies home page says, “We rent dedicated servers in Germany.”

3.I've already discovered that much of my additional Adsense earnings came from the fact that the hacker kept my Adsense code on othersite.com, so I unfortunately will have to tell G that all the extra earnings I've been celebrating are not legit.

4.I'm still puzzled by how adf.ly traffic fits in this puzzle. My best guess is that the hacker actually used adf.ly to purchase high volumes of traffic to othersite.com and it is showing under my Google Analytics account because he kept my GA code on othersite.com. I'm going to report this whole situation to adf.ly, but if there is something I am missing about the role of adf.ly, please let me know.

Any comments or suggestions would be greatly appreciated!

 

DeeCee




msg:4418577
 1:15 am on Feb 17, 2012 (gmt 0)

Sounds like a pretty worm/proxy implementation, rather than mere content scraping.

Could be simply software installed on the other server that feeds itself through redirected requests through your server. Kind of like a proxy, but with code-changing capabilities that munges the code from your site on the way to make it look "local" to the other site. Pretty easy to code. I use the same principle as a connection on one of my sites to allow a few pages to be indexed that otherwise would not be indexed and to get some of the content from a redirected domain to show up in the right place between servers. Unique implementation, but not hard. I also in an earlier life kept source repositories on development sites in the US and India in sync the same way by building software to replicate and filter commands across the net so they looked "local" to our US based repository. Back when we had "slow" private lines between continents. :)

Can you track your server logs? Check if requests land on your site in sync when you click around the other site, and where they originate from. Then block that server/IP if you find it. If it is merely a remote proxy, that IP should show up very frequently in your logs, and should show when you click the remote site. Block in httpd or better in your firewall. But watch, as they might just switch IP and continue running.

Also, in your browser, check the source code of the other site's html pages and check their references to see where they come from. Maybe they are not replicating/filtering everything, but are actually using your server to serve up things like CSS, JS, images, ... Making their server in Germany look much faster. :)

That kind of replication is pretty easy to do.. It is easy for anyone to replicate any web-site anywhere else that way, if the owner is not actively watching logs and requests, and watching who/what is loading from where. But obviously, it would make a LOT of requests seem to come from the same "person" over there in Germany. :)

What you also have to be extra careful about is that if their site is getting indexed into Google (you should check), you will suddenly end up having your own site at risk for being deemed "duplicate" content by the Big-G algorithms, unless Google already knows about this scammer and is discounting them. Pick some unique sentences from your site and search for them on Google. See if both you and the other site show up.


Hard to know anything more without knowing what the actual sites are. Especially the offending one.

This is one of the problems of hosting a site with a
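The log check DeeCee describes can be scripted. The block below is an added example, not code from the thread or from any of the posters: it parses Apache combined-format lines and flags any client IP that alone accounts for a large share of all requests while presenting several different User-Agents, which is how a remote proxy relaying other people's browsers looks from the origin server. The log lines, the IP addresses and the threshold values are constructed for the example.

```python
"""Spot a proxy/mirror fingerprint in an Apache combined-format access log.

A site being reverse-proxied through another server shows up in the origin's
log as one client IP (the proxy) issuing a large slice of all page requests,
often with many different User-Agents forwarded through it.  Sample lines
below are constructed; point parse_log() at a real access log in practice.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: 203.0.113.7 stands in for the mirroring server,
# the other two addresses for ordinary visitors.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Feb/2012:00:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
203.0.113.7 - - [17/Feb/2012:00:01:03 +0000] "GET /forum/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Macintosh) Safari/534"
203.0.113.7 - - [17/Feb/2012:00:01:04 +0000] "GET /article.php?id=12 HTTP/1.1" 200 4096 "-" "Opera/9.80"
203.0.113.7 - - [17/Feb/2012:00:01:05 +0000] "GET /forum/showthread.php?t=5 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows NT 5.1) Chrome/17"
203.0.113.7 - - [17/Feb/2012:00:01:06 +0000] "GET /contact.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (Linux) Firefox/10.0"
198.51.100.4 - - [17/Feb/2012:00:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
198.51.100.4 - - [17/Feb/2012:00:02:01 +0000] "GET /style.css HTTP/1.1" 200 700 "http://mywebsite.com/index.php" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
192.0.2.9 - - [17/Feb/2012:00:03:00 +0000] "GET /article.php?id=3 HTTP/1.1" 200 4000 "-" "Mozilla/5.0 (X11; Linux) Chrome/17"
"""


def parse_log(text):
    """Yield one dict per well-formed combined-log line; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_proxy_candidates(text, share=0.4, min_agents=3):
    """Return {ip: summary} for IPs that issued >= `share` of all requests
    while presenting at least `min_agents` distinct User-Agents.

    One address carrying that much traffic *and* many browser identities is
    behaving like a relay, not a person.  Thresholds are constructed defaults;
    tune them against the site's normal traffic.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "agents": set(), "paths": set()})
    total = 0
    for rec in parse_log(text):
        total += 1
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        entry["agents"].add(rec["ua"])
        entry["paths"].add(rec["path"])

    findings = {}
    for ip, entry in per_ip.items():
        fraction = entry["requests"] / total if total else 0.0
        if fraction >= share and len(entry["agents"]) >= min_agents:
            findings[ip] = {
                "requests": entry["requests"],
                "share": round(fraction, 2),
                "distinct_agents": len(entry["agents"]),
                "distinct_paths": len(entry["paths"]),
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_proxy_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {info}")
```

A hit here is a lead, not proof: confirm it by clicking around the mirror while tailing the log, as DeeCee suggests, and only then block the address in httpd or the firewall.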

thirteen




msg:4418586
 1:34 am on Feb 17, 2012 (gmt 0)

1) View the source page to check for <iframe></iframe> tags. If it is there, that's how they pull your website content.
2) Login to your Adsense Account, Account Settings and enable Access and Authorization. Define which sites are authorized to show ads. Your Adsense Account is vulnerable to being canceled through no fault of yours if you don't protect it with this setting.

lucy24




msg:4418588
 1:35 am on Feb 17, 2012 (gmt 0)

I was going to say something even shorter.

Is it your own server? Unplug it. Do not start up again until you are absolutely positive it's clean.

DeeCee




msg:4418592
 1:43 am on Feb 17, 2012 (gmt 0)

I agree with thirteen, that showing a site in an iframe is the sure easiest way to replicate any web-site.
But since Google does not look inside iframes (nothing will be indexed), there is little reason for anyone to replicate a full web-site that way, if they do not at the same time show any other content around it that might make them money.

Still. It is as easy as checking the logs. If all requests seem normal, and all access stems from normal users, then it is not a proxy-like situation, and an iframe is likely. Although you would then have to figure out why anyone would want to spend money iframing content that will not gain them any content credit with Google or anyone else.

beavis




msg:4418618
 3:06 am on Feb 17, 2012 (gmt 0)

OK, this is getting even crazier. Here is an update:

1. There are no iframes on www.othersite.com. I checked the page source code, but also, the actual site content displayed in my browser is very subtly different between the malicious site and my site --- At the top of every page on my site is the text "My Domain", while at the top of every page on the malicious site is the text "His Domain".

2. All of the internal links on the malicious site are to pages on www.othersite.com. They are not pulling graphics, etc. from my server.

3. Here is where it gets crazier... When looking at the source code for the home page on the malicious site, I found some additional code in the footer area:

<img src="http://www.secondmaliciousdomain.com/images/1.gif" style="border-style:none; width:1px; height:1px;" /><img src="http://www.secondmaliciousdomain.com/images/2.gif" style="border-style:none; width:1px; height:1px;" /></div>

Then, I went back to the home page on my server AND THE SAME MALICIOUS CODE IS ON MY HOME PAGE!

Can anyone now tell me more on how this whole set up is working? Obviously, the first order of business is to very shortly replace my home page with a backup that doesn't have the above code!
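Both checks raised so far, thirteen's look for iframe tags and the 1x1 img beacons beavis just found in his footer, are things a parser can flag mechanically. The scanner below is an added example and not code from the thread: it walks a page's tags with the standard-library HTMLParser and reports any iframe, plus any img that points at another host and is sized at 1x1 or smaller by attributes or inline style. The sample page and the hostname `www.mywebsite.com` are constructed; the beacon snippet inside it is the one quoted in the post above.

```python
"""Flag injected iframes and tracking-pixel images in an HTML page."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumed hostname of the site being checked (constructed for the example).
OWN_HOST = "www.mywebsite.com"

# Constructed page: a normal logo plus the footer snippet quoted in the thread.
SAMPLE_HTML = """\
<html><body>
<div id="header">My Domain</div>
<img src="/images/logo.png" width="200" height="60">
<p>Article text...</p>
<div id="footer">
<img src="http://www.secondmaliciousdomain.com/images/1.gif" style="border-style:none; width:1px; height:1px;" /><img src="http://www.secondmaliciousdomain.com/images/2.gif" style="border-style:none; width:1px; height:1px;" /></div>
</body></html>
"""

_PX = re.compile(r'(width|height)\s*:\s*(\d+)px', re.I)


def _tiny(attrs):
    """True if width/height attributes or inline style make the image 1x1 or smaller."""
    dims = {}
    for k in ("width", "height"):
        v = (attrs.get(k) or "").strip()
        if v.isdigit():
            dims[k] = int(v)
    for k, v in _PX.findall(attrs.get("style") or ""):
        dims[k.lower()] = int(v)
    return len(dims) == 2 and all(v <= 1 for v in dims.values())


class InjectScanner(HTMLParser):
    """Collects (kind, src, detail) for every iframe and every tiny off-host img."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname          # None for relative URLs
        external = host is not None and host != self.own_host
        if tag == "iframe":
            self.findings.append(("iframe", src, "external" if external else "same-host"))
        elif tag == "img" and external and _tiny(a):
            self.findings.append(("beacon", src, host))


def scan_html(html, own_host=OWN_HOST):
    """Return the list of suspicious elements found in `html`."""
    parser = InjectScanner(own_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, src, detail in scan_html(SAMPLE_HTML):
        print(f"{kind:7} {src}  ({detail})")
```

Run it over every .htm and .php file in the web root, not just the home page; a scanner that reports the same foreign host on many pages tells you the injection was done in bulk (a shared footer include or a scripted edit of every file), which narrows where to look for the entry point.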

lucy24




msg:4418639
 4:32 am on Feb 17, 2012 (gmt 0)

#3 is easy. The person who owns domain #2 is tracking the two sites-- yours and the ::cough-cough:: unauthorized mirror-- via his own logs. There is a technical term which I have only just learned-- and just as quickly forgot. I call them administrative gifs. In effect, they're intentional hotlinks.

DeeCee




msg:4418645
 5:27 am on Feb 17, 2012 (gmt 0)

beavis,

Sent you a reply directly with some of the stuff found across the three domains, including the secondary infected HostNOC site.

Your content is definitely getting duplicated, and the duplicate site is fully indexed in Google results, causing lots and lots of duplicate content (with likely penalty for someone). (Although all the content/domain/link filtering they did still left all the original copyrights behind, both directly and in page-code commentary. So both sites are now "copyrighted" to the same company. :-)

Should make it easy to convince Google to kill the duplicate site's search results, providing you control that company.

According to domain statistics the traffic on the duplicate site is trending up, so you want to block them off before they steal your Google thunder. :)

Sgt_Kickaxe




msg:4418656
 6:00 am on Feb 17, 2012 (gmt 0)

You're infected, it doesn't matter how or why - shut it down, now.

When that's done secure everything at the same time including all passwords for your host, ftp, server, email, bank website, utility company website etc. Then secure your personal computer too, your server passwords are likely in the config files of your backups - change those too.

There are great guides on Google and on this forum on how to clean up this type of thing but you need to shut everything down and take your site offline right now, before they decide to burn your sites rep to the ground with Google, or worse.

phranque




msg:4418690
 9:17 am on Feb 17, 2012 (gmt 0)

you should read this thread...

How Hacked Servers Can Hurt Your Traffic:
http://www.webmasterworld.com/google/3802274.htm [webmasterworld.com]

phranque




msg:4418691
 9:32 am on Feb 17, 2012 (gmt 0)

you should also consider the possibility that the injection of web beacons on your site is a separate attack from the content scraping.

DeeCee




msg:4418694
 9:50 am on Feb 17, 2012 (gmt 0)

Phranque,
The web-beacons they hooked into his site actually load (the same) 1 pixel empty space from a likely infected site in Scranton, PA. Where many infected hosts come from. Likely to be really a call to code on the infected host that runs, and then simply pushes a redirect to an empty pixel. Both of the gif files (despite being named 1.gif and 2.gif) browser wise redirect to the same real gif file named dot.gif. (A small empty 78 byte file).

But by that time the original calls from the users browser would have run the code on the bad Scranton site.

Worse than the original web-site duplication is that those browser calls obviously are looking for something from the human users PCs. Maybe to infect certain browser configurations when detected. Whatever they are looking for, they do nothing to the original web-site. Rather they are trying to touch the user PCs.

beavis




msg:4418834
 4:01 pm on Feb 17, 2012 (gmt 0)

Thank you to all who have replied. This is certainly a challenging situation. Here is my plan of action so far. Please let me know if I am missing something:

1. Take down site ASAP. Once again, it is on a shared hosting account.

2. Delete all files in my account except actual databases that hold my CMS content, form processor data and forum.

3. Inspect above databases for malicious data.

4. Log in to my account at host and delete all current FTP accounts. Create new account with strong password. Change login password to my host, too.

5. Re-upload site from original files held on my home computer. Just to be safe, inspect these files for malicious code, which I highly doubt is present.

6. Utilize new user names and passwords to connect to my databases, as hacker likely has my configuration files that hold my old database passwords.

7. Worry that shared server still has some malicious code on it! Most likely, the hacker did not compromise the whole shared server, rather just entered my account via hacked FTP, but there is no way to prove it.

8. Once site is rebuilt, visit malicious mirror site to see if it is still running or if removal of malicious code from my site took it down.

9. Either way, once my site is clean, contact Google to report URL of malicious site and hopefully have it de-indexed.
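Step 5 of the plan, checking the re-uploaded files, is easiest to do by comparison rather than by eye: hash every file in the known-clean copy from the home computer and every file in the deployed tree, then list what was added, changed or went missing. The script below is an added example, not code from the thread; it builds two small constructed directory trees in a temporary folder so it runs stand-alone, and the file names and contents in them are invented for the demonstration.

```python
"""Compare a deployed web root against a known-clean backup by file hash."""
import hashlib
import os
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file's path (relative, '/'-separated) to its SHA-256 hex digest."""
    root = Path(root)
    hashes = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def diff_trees(clean_root, deployed_root):
    """Return files present only on the server, only in the backup, or differing."""
    clean = tree_hashes(clean_root)
    live = tree_hashes(deployed_root)
    common = clean.keys() & live.keys()
    return {
        "added": sorted(live.keys() - clean.keys()),
        "missing": sorted(clean.keys() - live.keys()),
        "modified": sorted(p for p in common if clean[p] != live[p]),
    }


def _write(root, rel, text):
    """Helper for the constructed demo trees."""
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


def demo():
    """Build constructed clean/deployed trees and return diff_trees() on them.

    The 'live' tree carries the kind of differences a cleanup should surface:
    the home page with a foreign 1x1 image appended, and a PHP file that the
    backup never contained.
    """
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean")
        live = os.path.join(tmp, "live")
        _write(clean, "index.php", "<html>My Domain</html>\n")
        _write(clean, "inc/config.php", "<?php $db_pass = 'old';\n")
        _write(live, "index.php",
               "<html>My Domain</html>\n"
               '<img src="http://www.secondmaliciousdomain.com/images/1.gif" style="width:1px;height:1px" />\n')
        _write(live, "inc/config.php", "<?php $db_pass = 'old';\n")
        _write(live, "tmp/unknown.php", "<?php // file not present in the backup\n")
        return diff_trees(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

For a real run, point diff_trees() at the local backup and at a download of the live account; anything under "added" or "modified" is either a legitimate change made since the backup or something to treat as hostile, and the list is short enough to go through by hand.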

thirteen




msg:4418886
 5:55 pm on Feb 17, 2012 (gmt 0)

Before Step 1: Login to your Adsense account and enable Access and Authorization settings. If your mirrored site put up Adult Content, Firearms, or Alcohol materials which violated Adsense Guidelines then your Adsense Account will be cancelled. Once cancelled, you are not going to get it re-instated. Doesn't matter if it is not your site, your Adsense ID is on it.

beavis




msg:4418897
 6:10 pm on Feb 17, 2012 (gmt 0)

Thanks Thirteen. I forgot to mention that I updated the Adsense settings last night and for better or worse, I self-reported to Google that the offending domain had generated clicks that I should not be paid for.

SteveWh




msg:4419125
 4:26 pm on Feb 18, 2012 (gmt 0)

Also ensure that your vBulletin installation, all its plugins, and any other software you use are fully up to date.

Ensure your custom PHP code, if any, is secure against remote file inclusion.

Ensure there are no viruses on any PCs used by your site admins.

And in case it isn't obvious, the same vulnerability that allowed the clear gif to be inserted into your page also gave the attacker sufficient access to copy all your PHP source files (including your contact form handler script), and your databases -- so that explains how they were able to make a working copy of your entire site.

lucy24




msg:4419228
 1:20 am on Feb 19, 2012 (gmt 0)

the same vulnerability that allowed the clear gif to be inserted into your page also gave the attacker sufficient access to copy all your PHP source files (including your contact form handler script), and your databases

This is probably true in the present case, but isn't automatically true. Trust me on this ;)

phranque




msg:4419237
 1:48 am on Feb 19, 2012 (gmt 0)

the same vulnerability that allowed the clear gif to be inserted into your page also gave the attacker sufficient access to copy all your PHP source files (including your contact form handler script), and your databases

This is probably true in the present case, but isn't automatically true.

almost certainly true, but copying the databases wouldn't explain this statement in beavis' OP:
Even more astonishing, I made a small change in one article on my CMS and the change instantly appeared on his site!

i would guess that the database wasn't locked down or the attacker gave himself permission to make external connections to the database.
then he powered up othersite.com with a script that connects to your database server instead of localhost or 127.0.0.1 and before serving the response it edits a few brand and domain names.
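phranque's hypothesis, a script on the other server talking straight to the victim's database, needs two things to hold: a MySQL account whose host part permits connections from off-box (an explicit remote address or the `%` wildcard) and a server bound to a reachable interface. The audit below is an added example, not code from the thread. It works on constructed stand-ins for the rows of `SELECT user, host FROM mysql.user` and for the `[mysqld]` section of my.cnf, reports the weak settings, and shows the corrected bind-address beside the weak one.

```python
"""Audit MySQL account hosts and bind-address for remote reachability."""
import re

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed: what `SELECT user, host FROM mysql.user` might return on a shared host.
GRANT_ROWS = [
    ("root", "localhost"),
    ("site_db", "localhost"),
    ("site_db", "%"),             # wildcard host: reachable from any address
    ("site_db", "203.0.113.7"),   # explicit remote grant (constructed address)
    ("forum", "127.0.0.1"),
]

# Weak setting: listens on every interface.
WEAK_CNF = """\
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""

# Corrected setting: loopback only, which is all a same-box PHP site needs.
FIXED_CNF = """\
[mysqld]
bind-address = 127.0.0.1
port = 3306
"""


def remote_accounts(rows):
    """Return (user, host) pairs whose host part allows connections from off-box."""
    return [(user, host) for user, host in rows if host not in LOCAL_HOSTS]


def bind_address(cnf_text):
    """Extract the bind-address value from a my.cnf text, or None if absent."""
    m = re.search(r'^\s*bind-address\s*=\s*(\S+)', cnf_text, re.M)
    return m.group(1) if m else None


def listens_remotely(cnf_text):
    """True when the server is bound to a non-loopback interface.

    An absent bind-address falls back to the stock MySQL default, which
    listens on all interfaces, so it is treated as remote-capable here.
    """
    addr = bind_address(cnf_text)
    return addr is None or addr not in LOCAL_HOSTS


def drop_statements(rows):
    """SQL a DBA would run to remove the remote-capable accounts found."""
    return [f"DROP USER '{user}'@'{host}';" for user, host in remote_accounts(rows)]


if __name__ == "__main__":
    print("remote-capable accounts:", remote_accounts(GRANT_ROWS))
    print("weak config listens remotely:", listens_remotely(WEAK_CNF))
    print("fixed config listens remotely:", listens_remotely(FIXED_CNF))
    for stmt in drop_statements(GRANT_ROWS):
        print(stmt)
```

On a shared host the my.cnf is usually not the customer's to edit, so the account list is the part to act on: recreate the site's database users with `localhost` hosts and fresh passwords, which also covers step 6 of beavis' plan, since the old credentials in the copied config files then stop working from anywhere.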

beavis




msg:4419318
 2:49 pm on Feb 19, 2012 (gmt 0)

Thanks for all of the helpful responses. I definitely need to update my VB forum software and CMS.

I had a nice talk with reps from my hosting company. They told me that this type of attack is "more common than you would think." They offered me the services of an affiliated programmer who is an expert at cleaning up and locking down sites after this type of attack and I have accepted, as I don't really have enough expertise in this area to do it myself. I will make sure that the suggestions in this thread are addressed, however, and I will post any useful findings from the expert's investigation and clean up.
