Yes, I know that is a hackneyed phrase. But damn if it didn’t turn out to be true.
What a way to learn the how-not-to-be-hacked lesson. But in the end, I learned the lesson of how to protect our websites from being hacked.
My first clue was a friend who told me that his antivirus software flagged Greetums.com. I thought it might be a false positive, which had happened in the fall of 2010 with Symantec. It was my birthday weekend and I was time-challenged as it was, but it was then that I noticed a small dot in the corner of my web pages.
The next day, another friend using the same software warned me that he could no longer access Greetums. His AV software would not allow access to my site. The following day, the first friend reported back to me ESET's response about Greetums.com. It was a real infection. I took all my sites offline.
It had been three days since I was warned. I successfully cleaned pages of the iframe exploit I had found. Within hours they reappeared. Freaky. I questioned every expert I knew, picking their brains for a clue about what I was looking for. It was only after this that I asked my first question of Google: What am I looking for?
I fired up my PC, and it was then that Avast! told me that the IP address of my web development Mac was infected. First clue.
I use Macs for web development because they are more secure on the Internet. And after OS X I gave up on most antivirus software. Maintenance has been built into the Mac OS for a decade now. What I didn’t realize is that I was faced with multiple vulnerabilities.
The first thing I did was get industry-standard Mac OS X 10.7 (Lion) AV software. I chose Sophos for a few important reasons: it was upgraded for Lion and it was available immediately with excellent support.
I took out my checklist and the #1 thing to do when you suspect you have been hacked:
It helps when you have a great hosting company, Rackspace. I was quickly armed with some things to do, but it took a leap of faith to question the security of Mac Lion. The King had been caught sleeping. Awake, I started step one: making sure I had a recent backup of all site files. That’s when I realized I had not backed up critical databases often enough. So that meant I would have to review the .sql files line by line.
Sophos Anti-Virus quarantined every threat. I saw way too much of the iframe-V exploit snagged. This was what was being written to my pages. I racked my brain: what was writing this to my pages? An SQL injection? Oh no, please not that, I implored the geeky gods!
If there was a script, where was it? On my pages? External to my websites? FTP hacked, getting in externally and having its way with my sites! But as I kept questioning Google search, I found my next clue: the eval(base64_decode( string. I had found the source of the infection.
It turned out that this script was on no fewer than 5 pages on 5 websites by the time I tracked the buggers down. My sites were offline, so everyone else was safe. I had Sophos. My machine was safe. I backed up everything and started cleaning every file.
But I kept getting warnings: Mal/Iframe-V. Again and again. How could I be sure my web development machine was safe? I changed passwords; again. I ran diagnostics; again. It wasn’t until I deleted all suspect files from my web server that I stopped getting regular discoveries of this exploit. But now I knew I was safe. All of my sites got uploaded with clean code from backups and triage.
It really was quite a trip to see my sites live again. The value of having them gone for only a week was just long enough to miss them and make a renewed commitment to them. I am still going to do all FTP and email connections via a Mac. I protect all my PCs since I have to do the work I do on a PC too. I knew that. And now my Macs are protected with industrial strength monitoring.
First, remain calm.
1. Contact your hosting company and confirm the hack.
2. Take the infected site(s) offline. If you host many domains on one server, take them all offline: one compromised account or hole reaches every site on it.
3. Download all site files and databases. Run them through your antivirus software, and also search them yourself for the injection strings you already know about (here, eval(base64_decode( and hidden iframes); AV signatures do not catch every PHP stub. Compare against your last known-clean backup so you can tell injected code from your own.
4. Once you are sure you have clean copies of every file for all of your sites locally, delete all the files from the server that could be infected, not just the ones you cleaned; anything left behind can rewrite the pages you just fixed.
5. Upload clean files. Reset file permissions and change every password (hosting panel, FTP/SFTP, database, WordPress admin) before the sites go back up, then test each site on both Mac and PC, in Firefox and Chrome, IE and Safari.
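As an added example of what step 3's "identify any malware" looks like in practice for the injection described in this post (this is illustration code, not the author's tooling): the Python below walks a site tree, finds PHP eval(base64_decode(...)) stubs (with or without the common gzinflate wrapper) and iframes hidden by zero size or CSS, decodes each payload so you can read what eval() would have run, and flags payloads that themselves drop a hidden iframe. The site it scans is constructed inline; the paths, the bad.invalid host and the payload are made up for the demo, not captured malware.

```python
import base64
import re
import tempfile
import zlib
from pathlib import Path

# Two signatures of the infection described in the post: PHP that eval()s a
# base64 blob (optionally gzinflate()d first), and an <iframe> hidden by zero
# size or CSS. The regexes are an approximation, not a full scanner.
EVAL_B64 = re.compile(
    r'eval\s*\(\s*(gzinflate\s*\(\s*)?base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']',
    re.IGNORECASE,
)
HIDDEN_IFRAME = re.compile(
    r'<iframe\b[^>]*?(?:width\s*=\s*["\']?0\b|height\s*=\s*["\']?0\b|'
    r'display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>',
    re.IGNORECASE,
)


def decode_payload(blob, inflate):
    """Reverse the obfuscation so the analyst can read what eval() would run."""
    raw = base64.b64decode(re.sub(r"\s+", "", blob))
    if inflate:
        raw = zlib.decompress(raw, -15)  # PHP gzinflate() is raw DEFLATE, no header
    return raw.decode("latin-1")


def scan_text(text):
    """Return a list of findings for one file's contents."""
    findings = []
    for m in EVAL_B64.finditer(text):
        try:
            payload = decode_payload(m.group(2), inflate=m.group(1) is not None)
        except (ValueError, zlib.error):
            payload = None  # corrupt or truncated blob: still worth reporting
        findings.append({
            "kind": "eval_base64",
            "payload": payload,
            "drops_iframe": bool(payload and HIDDEN_IFRAME.search(payload)),
        })
    for m in HIDDEN_IFRAME.finditer(text):
        findings.append({"kind": "hidden_iframe", "payload": m.group(0), "drops_iframe": True})
    return findings


def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Map relative path -> findings for every file under root that has any."""
    root = Path(root)
    hits = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in exts:
            found = scan_text(p.read_text(errors="replace"))
            if found:
                hits[p.relative_to(root).as_posix()] = found
    return hits


# Constructed sample (hypothetical paths, hypothetical payload): the stub prints a
# zero-size iframe pointing at a made-up host, the shape of the injection above.
INJECTED_PHP = "echo '<iframe src=\"http://bad.invalid/\" width=\"0\" height=\"0\"></iframe>';"


def make_sample_site():
    root = Path(tempfile.mkdtemp(prefix="site-"))
    theme = root / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (root / "index.php").write_text("<?php\necho 'hello';\n")  # clean page
    b64 = base64.b64encode(INJECTED_PHP.encode()).decode()
    (theme / "footer.php").write_text(f'</div>\n<?php eval(base64_decode("{b64}")); ?>\n</body>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, like gzdeflate()
    deflated = comp.compress(INJECTED_PHP.encode()) + comp.flush()
    b64z = base64.b64encode(deflated).decode()
    (root / "header.php").write_text(f"<?php eval(gzinflate(base64_decode('{b64z}'))); ?>\n<html>")
    (root / "about.html").write_text('<p>About</p><iframe src="http://bad.invalid/" style="display:none"></iframe>')
    return root


if __name__ == "__main__":
    for path, found in scan_tree(make_sample_site()).items():
        for f in found:
            print(f"{path}: {f['kind']}: {f['payload']}")
```

Run it over the downloaded copy of each site before deciding which files to delete in step 4; decoding the blob matters because the iframe itself never appears in the file on disk, only in what the stub prints.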
The next step is to prevent future hacking, or at least slow it down. There is no absolute protection, but the sooner you identify a successful exploit, the faster you can shut it down.
Practice Safe Webmastery
1. Use antivirus software on every device that connects to the Internet, and update it daily.
2. Use SFTP or SSH, never plain FTP, when transferring files to a web server; FTP sends your password in the clear.
3. Monitor your WordPress installs (and the plugins and themes they run) for exploits, and upgrade whenever a new version is released: releases fix vulnerabilities.
4. Back up your web files and your databases as often as they change, but at minimum once a week, and keep the backups somewhere other than the web server so an intruder cannot alter them.
5. A Mac is still the more secure choice as your programming and development platform, but, as the story above shows, not an immune one: run antivirus on it too.
6. If you have any questions, ask Google.
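The reinfection described above (cleaned pages coming back within hours) is easiest to catch with a file-integrity baseline, which none of the six items on this list provide on their own. The Python below is an added example, not the author's tooling: it hashes every file under the site root into a manifest when the clean copy is deployed, and a later run diffs the live tree against that manifest, listing files that were added, removed or rewritten. The site tree and the simulated reinfection are constructed inside `demo()` with hypothetical paths; the appended stub uses a harmless placeholder blob.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, streamed so large uploads need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest, path):
    # Keep the manifest off the web server (or at least outside the web root),
    # otherwise whatever rewrites the pages can rewrite the baseline too.
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def diff_manifests(baseline, current):
    """Files added, deleted or rewritten since the baseline was taken."""
    both = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in both if baseline[k] != current[k]),
    }


def demo():
    """Constructed site: baseline after a clean deploy, then a simulated reinfection."""
    root = Path(tempfile.mkdtemp(prefix="site-"))
    theme = root / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (root / "wp-content" / "plugins").mkdir()
    (root / "index.php").write_text("<?php echo 'home'; ?>\n")
    (theme / "footer.php").write_text("</body></html>\n")
    (theme / "style.css").write_text("body { margin: 0 }\n")

    manifest_path = Path(tempfile.mkdtemp(prefix="manifest-")) / "site.manifest.json"
    save_manifest(build_manifest(root), manifest_path)

    # Simulated reinfection: a stub appended to the footer (placeholder blob, it
    # just decodes to "hello"), plus a dropper file added under plugins.
    with open(theme / "footer.php", "a") as f:
        f.write('<?php eval(base64_decode("aGVsbG8=")); ?>\n')
    (root / "wp-content" / "plugins" / "cache.php").write_text("<?php /* dropper */ ?>\n")

    return diff_manifests(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    for change, files in demo().items():
        print(change, files)
```

Run `build_manifest` on the clean tree at the end of recovery step 5, then diff the live tree against it from a cron job; a rewritten footer or a new file under `plugins` shows up within one interval instead of when a visitor's antivirus complains.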
Still, after all that, I am shocked that I was so successfully hacked. I am also grateful that my databases were not infected, that the code was confirmed as validated, and that my sites are now fully Google approved.
Have you ever been hacked? What did you do? What do you know to protect your blog?