I have been complaining for a few weeks now about the disappearance of my website from Google. It was a problem that only appeared when a page was clicked directly from a search engine, not entered by hand. Instead of my blog, spammy pages of links appeared, looking like they were coming from geofffox.com.
I looked and looked and couldn’t find the content ascribed to me. Nothing.
A few times, I asked for assistance from the Google Groups Webmaster Help Forum. They didn’t solve my problem, but they did help me figure out where to look.
Tonight, I think the mystery is solved.
On November 23 at 9:04 PM and again on Dec 10 at 10:54 AM someone gained access to my server.
Whether it was a hack or exploit doesn’t matter. My host would like me to think it was an exploit – meaning it was through my doing. Whatever.
New .htaccess files were inserted in every directory on my web site. These files, which begin with a dot to make them normally invisible, control how certain web requests are handled.
These .htaccess files looked for 404 errors. That’s what you get when a page is missing.
This explains why I couldn’t find the spammy files on my website. This exploit only worked if a file name that DOESN’T exist was entered. Only then were they composed on-the-fly.
On top of that, a second file specified the trick should only work if the request was coming from a search engine. No wonder I couldn’t make these spammy pages appear.
As awful as it is, I have respect for the programmer who accomplished this. It’s a very sneaky trick, and it sat on my site for a few months before I discovered it.
The .htaccess file called a PHP file, similar to the one that serves this web page to your browser. One set of these PHP files had an all-numeric filename (002314.php, etc.) and was 617 bytes long. The other used simple computer-ish names (server.php, command.php, etc.) and was 1260 bytes.
Every web attack has a weak spot and I had found it. Having the files all be the same length, and placed on my machine on specific days, made it easier to scout them out.
To make matters worse, permissions were changed all over the place. These are the rules that decide who can or cannot read, write or execute files. Lots of stuff was turned 777, meaning anyone could do anything!
The person who attacked my machine had opened all the doors. Now anyone could gain access and do anything.
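The giveaways described above (identical file sizes, modification times clustered on the intrusion days, and world-writable permissions) can be checked with a short script. This is an added example, not something from the original cleanup; the function names, reason labels and sample tree are constructed for illustration, and the timestamp is a placeholder because the post gives no year.

```python
import os
import stat
import tempfile
from datetime import datetime, timedelta

# Sizes the post reports for the two families of planted PHP files.
SUSPECT_PHP_SIZES = {617, 1260}

def scan_webroot(root, windows, php_sizes=SUSPECT_PHP_SIZES):
    """Return sorted (relative_path, reason) findings under root.
    windows: (start, end) datetime pairs bracketing the known intrusion times."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in [None] + files:          # None stands for the directory itself
            path = dirpath if name is None else os.path.join(dirpath, name)
            st = os.lstat(path)
            rel = os.path.relpath(path, root)
            # Mode 777 and similar: the "other" write bit lets any account modify it.
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if name is None or not stat.S_ISREG(st.st_mode):
                continue
            mtime = datetime.fromtimestamp(st.st_mtime)
            in_window = any(start <= mtime <= end for start, end in windows)
            if name == ".htaccess" and in_window:
                findings.append((rel, "htaccess-modified-in-window"))
            if name.lower().endswith(".php") and st.st_size in php_sizes:
                findings.append((rel, "php-size-and-window" if in_window else "php-size-match"))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree (not data from the post)."""
    hit = datetime(2000, 1, 2, 21, 4)        # placeholder timestamp; the post gives no year
    old = hit - timedelta(days=90)
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "blog"))
    os.chmod(os.path.join(root, "blog"), 0o755)
    samples = [(".htaccess", 40, hit, 0o644), ("blog/.htaccess", 40, old, 0o644),
               ("blog/002314.php", 617, hit, 0o644), ("blog/server.php", 1260, old, 0o777),
               ("blog/index.php", 900, old, 0o644)]
    for rel, size, when, mode in samples:
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(b"x" * size)
        os.chmod(path, mode)
        os.utime(path, (when.timestamp(), when.timestamp()))
    return scan_webroot(root, [(hit - timedelta(hours=1), hit + timedelta(hours=1))])

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Modification times can be reset by whoever planted the files, so a size match outside the time window is still reported rather than dropped.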
I called on my friend Bob Hart to help.
Bob claims not to be a computer expert. Right.
His logical, organized, well exercised mind knew all the commands and tricks to remove thousands of files and reset an equal number of pointers without hurting anything. He dictated long strings of characters for me to type in… and they worked!
Is there an Emmy for computer assistance? I nominate Bob.
So, now you know the good news. The bad news is, it can happen again because I don’t know how the miscreants got in. I’m working on that next.
Hopefully, in deleting files, rewriting permissions and changing passwords, I will slow them down until a solution is found.
Once again, I’m begging Google to let me back into their good graces. Traffic on the blog is down about 75%. Geofffox.com has slid off the face of the Earth!