Hacked

April 10, 2012  |  Articles

It came out of nowhere of course. Completely unexpected.

I got an email from one of my subscribers at the Voiceover Pavilion telling me that something was terribly wrong with the VOP.

When he searched for his name on Google his profile on the VOP is listed… but then when he clicks it, the browser doesn’t go to The Voiceover Pavilion…. it goes to some weird Cialis / Viagra sales portal.

I confirmed this… then sat down in front of my PC in shock. How could this happen? Is it a virus? How do I fix this?

I gave myself 5 minutes to feel sorry for myself … then started the search to figure out what happened.

The Hack

The initial searches didn’t help at all… I went into my website’s back end and nothing seemed amiss. I downloaded a few malicious code scanners… ran the scans and nothing showed up… I even checked if Google had blacklisted my site and ran their malicious code scanner and it didn’t bring up anything.

So I backtracked… what if the hack didn’t do anything bad to the viewer’s computer… as in all the code does is redirect any link coming from outside the site from my site to that weird pharmaceutical portal.

So maybe Google didn’t see that as a bad thing… just a redirect.

The search for a solution took longer than anticipated and the Subscriber was getting antsy and upset. So I took his page offline until I could find a solution.

If you typed the link to vopavilion directly into the browser it took you straight to it. If you typed the link to a specific member’s page then that also took you straight to that page on my site.

But if you clicked an external link then you got redirected.

I’m no software coder… how am I going to figure this out?

The Culprit

2 days into the search I came across a forum post where someone who also ran the same kind of content management system on their website got a similar attack. The name of the hack was Base64.

What it does is it gets into your .php files and adds a string of code that seems illegible to the naked eye. But if you process it through a base64 decoder you get a redirect.

I went into my website’s directory, looked at the file he mentioned … and found that code.

Exactly the same one as his. So I removed it…and that was that.

The Mistake

I told my client that the problem was fixed… I found the hack, it was called base64 and it’s been removed.

I was wrong. You see, that kind of attack is not just placed in one file… it’s put in almost all your .php files.

My website consists of thousands of small files … how was I going to look through all of them and remove that code?

In one of the files, I found the code had been added more than 30 times.
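A defender-side scanner for exactly this kind of infection, added here as an example (it is not the author’s tool or the plugin mentioned later): it walks a site directory, finds the base64 blobs hidden in .php files, decodes them and reports how many instances each file carries and how many of them are redirects. It assumes the injection has the common `eval(base64_decode('...'))` shape, and the sample site it builds (with a placeholder spam host) is constructed for the demonstration.

```python
"""Find base64-obfuscated payloads in .php files and count the ones that decode to a redirect."""
import base64
import os
import re
import tempfile

# Assumed shape of the injection: eval(base64_decode('<blob>')). The page does not show the
# exact wrapper, so treat this as an assumption and extend it for other wrappers as needed.
PAYLOAD_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)")
# Decoded code that sets a Location header or inspects the referrer is a redirect candidate.
REDIRECT_RE = re.compile(r"header\s*\(\s*['\"]Location:|HTTP_REFERER", re.IGNORECASE)


def scan_file(path):
    """Return (instance_count, redirect_count) for one .php file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    blobs = PAYLOAD_RE.findall(text)
    redirects = 0
    for blob in blobs:
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")
        except ValueError:  # not valid base64: still counted as an instance, not as a redirect
            continue
        if REDIRECT_RE.search(decoded):
            redirects += 1
    return len(blobs), redirects


def scan_tree(root):
    """Walk root and map relative path -> (instances, redirects) for every affected .php file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                count, redirects = scan_file(full)
                if count:
                    report[os.path.relpath(full, root)] = (count, redirects)
    return report


def build_sample_site():
    """Constructed sample tree: one clean file and one file injected three times."""
    root = tempfile.mkdtemp(prefix="vop_sample_")
    os.makedirs(os.path.join(root, "inc"))
    # Constructed payload: redirect only visitors arriving from a search engine (placeholder host).
    payload = b'if(strpos($_SERVER["HTTP_REFERER"],"google")!==false){header("Location: http://spam.invalid/");}'
    injected = "<?php eval(base64_decode('%s')); ?>\n" % base64.b64encode(payload).decode()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "inc", "header.php"), "w") as fh:
        fh.write(injected * 3 + "<?php echo 'header'; ?>\n")
    return root
```

Run `scan_tree` over a real document root and the per-file counts tell you how far the injection spread before you start cleaning, which is the question the author could not answer by hand.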

I looked for a one step solution… an antivirus for websites as opposed to computers.

I just couldn’t find anything that helped. What was I going to do?

The Solution

For a week my poor wife had to deal with her aggravated, irritated and devastated husband. I hate feeling helpless.

To make matters worse I found out that The Voiceover Pavilion was not the only website of mine that was infected. All my websites were infected.

So I gave up and decided to rebuild all my websites… a task that would take me months.

I rebuilt mahmoudtaji.com from scratch… relocated it to a secure directory but what about the others?

The solution was completely unexpected. I went back… tried out different search terms in the plugin search tool and suddenly found a tool called Get Off Malicious Scripts (Anti-Malware).

I had tried at least 10 plugins before it, so when I installed it and ran the scan I figured that at best all it would do is identify the files that have the code in them.

It asked me to register… hey what the heck … I registered… it updated itself… ran the scan… then a magic button appeared that said:

CLICK HERE TO FIX PROBLEMS.

Are you kidding me?

Click

How Deep The Rabbit Hole Went

The software cleaned more than 500 files. Containing thousands of instances of the malicious code. There is no way I could have done that by hand.

I went to google and searched for random names from my directory… and clicked the links thinking that it was too good to be true.

It wasn’t… It worked perfectly.

I downloaded the plugin for each of my websites and it found instances of the malicious code in almost all of them.

Some more than others. But I finally got rid of Base64.

You might think that your website is fine, that everything is humming along doing exactly what it’s supposed to be doing.

Like me you could be oblivious to the fact that a little robot program was able to get through your website’s defenses and lay its parasite eggs all over your code.

You’ve been warned.

Taji


3 Comments


  1. This is interesting and I have had a few similar experiences, this is why I only use Apple computers now.

    • Hello Liam,

      To clarify, the hack did not happen on my personal computer. This hack occurred on my hosting account which is located in the US. My hosted account uses Linux as an operating system which is a derivative of Unix. Unix is actually what OSX (the operating system for Apple Computers) is based on … so they share the same lineage so to speak.

      Using a Mac or a PC as a personal computer therefore is not the problem. Having said that, and for almost the first time in computing history, new viruses and Trojan horse worms have been discovered (programmed by the Chinese government apparently) that have been able to infect Mac computers.

      So ultimately no one is safe from malicious code.

  2. Thank you so much for publishing your frustration and solution! Very informative and something I will check on for my websites.

    Bravo and congratulations!