In February of 2012 my server was hacked by criminals. Their malicious javascript was squirted across the home pages of every website I hosted.
As the virus and malware checking sites clocked on, Google, Yahoo! and Bing all blocked my site, and most modern browsers also warned people not to visit. I was inundated with emails and tweets. You see, I don’t just host my then-modestly successful blogsite (ahem; that you now grace with your presence), I also host and manage a small charitable organisation’s web presence. Tens of thousands of people were at risk from the criminals, tens of thousands were let down when I was forced to abandon established websites.
I changed all my passwords. I spent hours hand editing every home page to remove the encoded javascript. Owing to my love of experimenting with Content Management Systems, wikis and new tech, alongside my hosting of multiple sites, I had scores and scores of pages to edit.
And it did no good.
The malicious script came back throughout all my sites the next day. I had to learn more.
The criminals had cracked a particular module (relating to image / thumbnail editing and publishing I believe) that was used by a third-party plug-in for WordPress. A vulnerability deep within a line of code of a fourth-party module. The criminals had installed a rootkit – they either had backdoor access to my server, or the rootkit itself was autonomous enough to check my home pages and re-spawn the malicious javascript each day.
And I have several different WordPress blogsites installed; each one was a little hellmouth.
My web hosts were reasonably helpful. Yet they were days and weeks behind my own research. As I was FTPing (securely accessing my server) to scan for bad code and to fix things, I was blocked and locked out of my account.
I rang my web hosts and they assured me that I was not blocked and I could not be locked out. My own Trace Route and Ping research told me that only my home network was blocked, so I had to insist that they didn’t know what they were talking about. Eventually they handed my case across to ‘Abuse’ and Jamie reiterated that I was not blocked, but that he was going to walk across the office and physically check with another department.
I am pacing by this time. It’s been a long conversation.
Jamie confirms that I’ve been blocked as their computers noticed my activity and shut me down, assuming I was hacking illegally.
“How can I fix the problem that you have emailed me to tell me to fix if you have blocked me?!” I exclaimed rhetorically.
This auto-blocking happened several times; each time Customer Services would say that I was not blocked, and I had to beg for ‘Abuse’. ‘Please please give me abuse’. They did their best, but considering I’m no expert, I did a lot of the driving. Thank the gods for Jamie’s continued personal service and understanding.
So I fixed the problem, and shored up the original vulnerability.
Now I had to tell dozens of security organisations that my site was clean of viruses and malware. Then I had to tell Google, Bing and Yahoo! to rescan my site and give me the all clear.
I’ve learnt so much my brain feels like I’m cramming for an exam. I’m not sleeping well; I have well-meaning emails of concern from visitors and friends every day to politely respond to. I’m worrying about the impact on the charitable organisation.
This was all going on while several other things were falling apart. This little drama was actually the very least of my concerns, as you may have read.
So while I had cleaned everything, recovered my sites and done my duty, I felt hollowed and exhausted by it all. Considering everything else that was going on, I switched my phone off, gave up on blogging, and neglected Twitter (without so much as a “I’m leaving” tweet).
I was like this for months; that’s how it was. I felt bad for neglecting people, but I was absolutely empty; I had nothing to say.
Now I’m back online and feeling like I have a handle on things.
[ Wedge ] Photo credit: me and iStock, and FutUndBeidl
Ouch. Yes this happened to me too – strangely around the same time last year. It was the timthumb vulnerability also. Now I use Sucuri.net to scan the sites I’m responsible for and perform any cleanups. Have you looked into that?
Thank you Ian, I’ll check out Sucuri.net now – I used a variety of tools to check my server, it was a steep learning curve. So many good sites fell to that attack, it’s so malicious.