Matthew 1, Hackers 0

UPDATE: Here is a good plugin to help you change and manage your wp-admin blog details. Also see this useful blog post “11 Vital Tips and Hacks to Protect Your WordPress Admin Area“.

So my site was hacked. What a frustrating experience. I had to live with that rather melodramatic Google malware message splashed across my blog, making you think that visiting it would result in an axe in your head.

It wasn’t a particularly exciting or dangerous hack. What the hackers did was insert some nasty code which effectively created an iframe, allowing them to generate hidden links on my blog to certain sites. It’s part of a worldwide denial-of-service hack aimed at bringing down major sites, rather than this here little blog or the users that read it. The links were at some point pointing to Yahoo and Bing in the same vein as the denial-of-service hack emanating from Georgia/Russia that hit Twitter this week.

What I did to kill the hack:
1. I checked all my wordpress php pages for foreign code. I’d view source my blog regularly to check for unsolicited iframes. I found two bits of code in my header (about eight lines of fairly hectic PHP starting with “wp_remote_fopen procedure”) and then a second bit of code on my main index page (the illegal iframe, calling up a dodgy site called “web-analizer.****”).

2. After I first removed the hack code, it came back again within 6 hours. I then disabled plugins that I had installed in the last 3 months, I changed and strengthened my blog password, database passwords and ftp passwords. (To one of those long, unpronounceable ones).

3. I let my ISP know, who then ran a virus checker (as a precaution) and generated FTP logs for me so I could see who had been accessing my account. I also changed my FTP permissions to “deny all:all”, which blocked everyone except me. Die hacker, die!

Why I’m disappointed with Google
Instead of contacting me or at least automatically generating an email to me warning me about the hack on my blog and then giving me an opportunity to take action — Google splashed the confusing malware message across the site giving users the impression it would somehow give their computers swine flu. Even Twitter then blacklisted links to my blog, replacing my blog url with “http://[ unsafe link ]”. As a Google Webmaster user, it would have been easy for Google to warn me. When I did submit reconsideration, Google took ages to get back to me and reconsider what is clearly a legitimate site. Hmmmmmm, Google, hmmmmm…

Comments (4)

  1. Dominic White wrote::

    What makes you think it was part of a DDoS attempt and not the usual affiliate scamming? Care to post the code?

    BTW, the usual way these attacks are spreading are through wordpress vulnerabilities. Exploits in wordpress are fairly regularly released, and you should make sure you patch/upgrade your wordpress (and plugins) regularly or move to another, less targeted blogging platform.

    As for the Google links, they technically just get the data from and it wasn’t necessarily Google who reported you. Either way, putting the warning up seems to make sense to me, as visiting your blog when it was hacked could have resulted in people’s computers being infected with malware, or some other form of badness (or contributing to the DDoS). Their review cycle should possibly be faster and the notification better, but they still need to warn users visiting while you fix it.

    The dangers of a homogeneous world.

    Friday, August 14, 2009 at 11:26 am #
  2. Dominic White wrote::

    Ok, it appears Google did report you

    Would still like to see the code they injected if you’re willing to share.

    Friday, August 14, 2009 at 11:31 am #
  3. matt wrote::

    @Dominic White Why would the hack link to reputable sites like Bing and Yahoo if it was an affiliate/SEO scam? But admittedly also my sense of acute sense of melodrama made me connect it to the other DDoS attempts happening worldwide.

    yeah, Google were the ones that reported me. I’ll email u the code. Don’t want to post it here.

    Friday, August 14, 2009 at 11:48 am #
  4. WPBeginner wrote::

    Sorry to hear about your experience Matt. We are glad that you found our article helpful.

    Tuesday, August 18, 2009 at 12:41 am #