The Evil Within (My Website)

I have been complaining for a few weeks now about the disappearance of my website from Google. It was a problem that only appeared when a page was clicked directly from a search engine, not entered by hand. Instead of my blog, spammy pages of links appeared, looking like they were coming from geofffox.com.

I looked and looked and couldn’t find the content ascribed to me. Nothing.

A few times, I asked for assistance from the Google Groups Webmaster Help Forum. They didn’t solve my problem, but they did help me figure out where to look.

Tonight, I think the mystery is solved.

On November 23 at 9:04 PM and again on Dec 10 at 10:54 AM someone gained access to my server.

Whether it was a hack or exploit doesn’t matter. My host would like me to think it was an exploit – meaning it was through my doing. Whatever.

New .htaccess files were inserted in every directory on my web site. These files, which begin with a dot to make them normally invisible, control how certain web requests are handled.

These .htaccess files looked for 404 errors. That’s what you get when a page is missing.

This explains why I couldn’t find the spammy files on my website. This exploit only worked if a file name that DOESN’T exist was entered. Only then were they composed on-the-fly.

On top of that, a second file specified the trick should only work if the request was coming from a search engine. No wonder I couldn’t make these spammy pages appear.

As awful as it is, I have respect for the programmer who accomplished this. It’s a very sneaky trick, and it sat on my site for a few months before I discovered it.

The .htaccess file called a php file, similar to the one that serves this web page to your browser. One set of these php files had an all numeric filename (002314.php, etc) and was 617 bytes long. The other used simple computer-ish names (server.php, command.php, etc.) and was 1260 bytes.

Every web attack has a weak spot and I had found it. Having the files all be the same length, and placed on my machine on specific days, made it easier to scout them out.

To make matters worse, permissions were changed all over the place. These are the rules that decide who can or cannot read, write or execute files. Lots of stuff was turned 777, meaning anyone could do anything!

The person who attacked my machine had opened all the doors. Now anyone could gain access and do anything.

Good grief!
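As an added illustration (not the post's own commands, and not what Bob dictated), here is a read-only shell audit that looks for the three things described above: .htaccess files whose 404 handler points at a PHP script, PHP files of the uniform sizes mentioned (617 and 1260 bytes), and world-writable files. The web root, file names and sizes in the fixture are constructed for the example.

```shell
#!/bin/sh
# Read-only audit of a web root for the three indicators the post describes:
#  1. .htaccess files whose "ErrorDocument 404" handler points at a PHP script
#  2. PHP files of a suspicious, uniform size (617 and 1260 bytes in the post)
#  3. files or directories that are world-writable (the "777" change)
# Each finding is printed as "<kind><TAB><path>". Nothing is modified.

find_404_handlers() {
    find "$1" -type f -name .htaccess -exec grep -liE \
        '^[[:space:]]*ErrorDocument[[:space:]]+404[[:space:]]+[^[:space:]]*\.php' {} + \
        | while IFS= read -r f; do printf 'htaccess_404_php\t%s\n' "$f"; done
}

find_sized_php() {
    # usage: find_sized_php <root> <bytes>...; "617c" means exactly 617 bytes
    root=$1; shift
    for size in "$@"; do
        find "$root" -type f -name '*.php' -size "${size}c"
    done | while IFS= read -r f; do printf 'php_size_match\t%s\n' "$f"; done
}

find_world_writable() {
    # -perm -0002 matches anything writable by "other", which includes 777
    find "$1" \( -type f -o -type d \) -perm -0002 \
        | while IFS= read -r f; do printf 'world_writable\t%s\n' "$f"; done
}

audit_webroot() {
    find_404_handlers "$1"
    find_sized_php "$1" 617 1260
    find_world_writable "$1"
}

# Constructed fixture (not the author's server): one clean directory and one
# directory that shows all three indicators. File names here are made up.
WEBROOT=$(mktemp -d)
mkdir -p "$WEBROOT/clean" "$WEBROOT/images"
printf 'Options -Indexes\n' > "$WEBROOT/clean/.htaccess"
printf '<?php echo "hello";\n' > "$WEBROOT/clean/index.php"
printf 'ErrorDocument 404 /images/002314.php\n' > "$WEBROOT/images/.htaccess"
printf '%617s' '' | tr ' ' 'x' > "$WEBROOT/images/002314.php"   # exactly 617 bytes
chmod 777 "$WEBROOT/images/002314.php"

audit_webroot "$WEBROOT"
```

Run it against a real document root by replacing the fixture with the path; only the `images/` entries should show up for the fixture, and nothing under `clean/`.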

I called on my friend Bob Hart to help.

Bob claims not to be a computer expert. Right.

His logical, organized, well exercised mind knew all the commands and tricks to remove thousands of files and reset an equal number of pointers without hurting anything. He dictated long strings of characters for me to type in… and they worked!

Is there an Emmy for computer assistance? I nominate Bob.

So, now you know the good news. The bad news is, it can happen again because I don’t know how the miscreants got in. I’m working on that next.

Hopefully, in deleting files, rewriting permissions and changing passwords, I will slow them down until a solution is found.

Once again, I’m begging Google to let me back into their good graces. Traffic on the blog is down about 75%. Geofffox.com has slid off the face of the Earth!

6 thoughts on “The Evil Within (My Website)”

  1. Make sure, too, that you’ve applied any security updates to MT.

    @Gary: I agree, but then again, we don’t know where he’s hosting things. It could be on a private server.

    -A

  2. My problem is, I am on MT 2.64, and the current version is 4.1. I am petrified to upgrade, though I move software in and out constantly on any number of computers.

    The reason is, it’s on an older version of MySQL, the path from this version to 4.1 includes a mandatory stop at version 3.5, and I’ve made undocumented customizations to my templates.

    This site is currently on Host4Web. I also have space at 1and1, which is where this might go.

    But, again, I’m petrified to update.

  3. You can do a backup of your database, install the newest MT in a different directory on your server, then import the database into SQL. If it goes right, and everything seems to work as you’d like it, then back it up and pack it up to a new host.

  4. I had no clue you were on that old of a version of MT!

    Have you considered moving from MT to WordPress? I’ve had a fairly good experience with it.

    Of course, I’ve not used MT at all.
