Dealing With Our Hacked Site


David Besnette

It’s been a tough week here for Assisted Living Directory. In the 8 years we’ve been online, our site finally got hacked into, and it wasn’t pretty. I’d like to use this post to describe what happened, how I think they got in, and what I’ve done to untangle the mess, which I am still doing.

 

How I Noticed Something Was Off

So, last Sunday afternoon, I decided, as I do periodically, to type in my site: command in google. For those of you who don’t know what this is, it’s a pretty important thing to do, and after my experience, I’ll be doing it every day from now on. Basically, if you go into google, and just type site:yoursite.com, this will show you how many pages that google sees, or recognizes on your site. This is a great way to see if there are any duplicate content issues, and to get an idea of how google is indexing your site.

Website Issues

My site generally has around 1500 pages, and that, plus or minus a few, is usually what I get from google. Well, this past Sunday, I noticed it was well over 4000.

Immediately, I knew something was wrong. 

I started looking through the pages to see what was bloating my site, and soon enough, I started seeing hacked pages for, well – I don’t want to say it by name, but for things that men take to make their personal ‘business’ grow.   When I mean business, I mean the business where the sun doesn’t shine…if you know what I mean.   Thousands of pages like this.  It was really bad.

One of the most insidious things about it was that it assigned authorship to these pages, so in the search results, my photo appeared next to most of them.

My heart sank, and I wasn’t sure what to do.

After collecting myself, and taking a few deep breaths, I first called my web host.  They were awesome, and understanding.  They said they would look through my site, the server, and files to see if they can find the malicious code or pages.   Within about 2 hours, they did.

They said they had found a single file that was dropped into one of the folders on my site, which created all of the bad pages.  The good news was that they were able to quickly delete the file, so those pages wouldn’t load should someone click on them.  The bad news was, all of the search engines had indexed these pages, and still recognize them as being a part of my site.   I wanted to see all of those pages go away in a hurry.

Using Google and Bing’s removal tools

Thankfully, both Google and Bing have removal tools that allow you to remove URL’s from the search.   However, there were a couple of major hurdles to this.  Firstly, although the search engines recognized thousands of pages, the site-colon command described above only shows you a fraction of the actual pages.  The rest are hidden.  Why they do this, I’m not sure, but it may be that they are signaling that there was something unusual that happened, so they basically, in effect, quarantined those pages.

I still wanted them gone – immediately, so I had to figure out a way to find those URL’s. What I did was start typing some of the awful keywords associated with the hack in front of the site-colon command, which would then display the urls that had those words. I ended up finding about 90% of the URL’s this way.

Bing’s webmaster tools allows you to actually see the folder structure of your site, and the file/folder that was dropped into mine was readily visible when I went into ‘index explorer.’  The helpful thing here is that it told me exactly how many pages were associated with the hack, which, in my case was 3,133.  So, I now have a goal of how many I need to remove.

The next challenge was that there is no ‘batch’ way to remove all of these pages.  Unfortunately, I couldn’t remove the entire directory, since most of my ‘good’ pages are located in the same place the bad pages were located.   So, with both tools, I’ve had to one-by-one go in and enter each URL to remove them.

That’s been over 6,000 cut-and-pastes this week to remove the pages, and I’m still going.   Needless to say, my wrists feel pretty sore right now.

I am thankful that I am seeing most of the pages disappear from the search results.   I am still finding stragglers, and I hope to have them all gone this week.

How did this happen?

I asked our web host exactly what time and date the file was dropped into my site, and they said specifically that it happened Sunday, February 10 at 2:01 pm.

That happened to be the exact same time that our Internet Service Provider was here replacing our modem.   A day later, my wife was trying to log into her work laptop from our home, and she noticed that our router was left unsecured.   Really bad.

I think the timing of this points to the fact that our router was somehow compromised, and the bad stuff, whether human or automated, found a way in.    Our router was about 3 years old at the time, so I immediately went and bought a brand-new, highly rated one to replace it with, and locked everything down.  I was pretty furious with the fellow who was working on our stuff.  To leave a router compromised like that is inexcusable.

How to prevent this from happening again

Of course, after a long exercise of changing all of my passwords for everything I could think of, as well as multiple scans of my computer to find anything bad (my scans found nothing, by the way), and after making sure my router was secure again, I’ve learned a few things.

One, if you use an FTP client, like dreamweaver or filezilla, don’t ever store your passwords within these programs.  They are more vulnerable if you do.  Instead, you’ll have to enter them in each time you do a file transfer or upload.

Also, don’t leave the FTP connection open.   A lot of us like to do this if we’re doing high-volume work on our sites.  I have to learn not to do this.  Instead, I do work on all of the pages I need to, and then do one single upload that takes about 10-15 seconds, and then I close it down.

Another hugely imperative thing to do is to check the remote side of your site, and server logs daily if possible.  You should see if any new files have been added, and the dates and times most other files have been altered.  If you haven’t worked on your site, and you see a new file, or one that was altered, you should investigate further.

As I’ve mentioned, do the site-colon thing daily as well for both Google and Bing.

Another tip that I have learned is to do a Google Alert for the ‘bad’ keywords, specifically for your site – especially the one that starts with ‘V’ – if you know what I mean.  There’s a quick ‘how to’ here

http://support.google.com/alerts/answer/175927?hl=en

That way, you’ll be alerted via email if something bad appears on your site.

It’s been a bad week nonetheless. I still don’t know if there are long-lasting impacts from this, or if there is, or will be any lessened trust for my site going forward. I guess only time will tell. I hope that I caught it quickly enough, and that the search engines will all notice that I aggressively cleaned up the mess as quickly as possible.

If I do notice anything in that regard, I will post it here in the coming weeks and months.   I am looking forward to getting back to ‘business as usual’ – creating content, videos and interviews – things that really matter.   I’ll be much more diligent in the future in keeping an eye on my site.

I hope that my experience may somehow help others.
