If hackers don't get you, maybe Google will


Summary: Two weeks ago my personal blog (StorageMojo) was hacked. Turns out that Google can be a bigger problem than the hackers.

TOPICS: Security, Browser, Google

Two weeks ago my personal blog (StorageMojo) was hacked. Turns out that Google can be a bigger problem than the hackers. Here's how it works and tips on protecting yourself.

"Don't be evil" is a pretty low bar

There's been a lot of blog hacking going around. The criminals know that many folks with small websites and blogs are easy targets.

Break into a site, plant links, let Google index it and all of a sudden millions of queries will be coming to the hacked sites. Put ads on the screen and see who bites.

What being hacked looked like

It took a while to grok how deeply StorageMojo had been hacked.

First I got a note from my hosting company - something about a network daemon on my site - and I told them to take it down. Which they did.

Thought I was done.

But I wasn't

Then the CTO at Nexsan told me that Firefox was flagging StorageMojo for malware. Went into the StorageMojo files on WordPress and discovered some iframes that I hadn't put there.

Pulled them out. Then I went through all my site files and discovered all kinds of folders that I hadn't put there. With names like Emma, Alexander and Jordan with links to sites I'd never heard of.

Trashed them. Continued looking and found images, scripts and other less obvious folders that didn't belong. And the least used of my 3 websites had been totally replaced with hacker files. The other 2 sites worked fine.

Trashed them all. Loaded my backup copy of the site - you have one, right? - and I was back in business.

Found the malicious code. Very professional. Replicated in several places. Language = ru, for Russian.

Thought I was done.

Here comes Google

Upgraded to the latest version of WordPress. Failing to do so was probably my downfall. But to be safe I updated passwords - even though they probably hadn't been hacked - enabled secure SFTP on my FTP client - the software that uploads files to the host - and more.

Thought I was done.

Wrong again.


Getting rid of the hacked files wasn't the end of it

A week later my hosting company notified me that the load on my server was excessive and they'd disabled StorageMojo. I make money off StorageMojo so that was bad news.

Yikes! Had I been hacked again? DDOS attack?

But this time I felt like I knew what to do. Wrong again.

In short order I brought up my SFTP client, my tracking site and the Dreamhost webpanel. I tossed a new index.html file into the site folder to let people know that the problem was getting addressed.

Google post-hack problem 1

All the hacked files were gone. Google had spidered the site after that but they still had the links in their search results.

So the Sri Lankan looking for Tamil porn videos was coming to StorageMojo for a non-existent page and getting a "System Error" message - instead of a low overhead static 404 page. And that was killing the virtual server's performance.

After a few hours the Google referral traffic declined and my hosting company put StorageMojo back up - now serving up a StorageMojo page from cache that says "No articles found." Much lighter.
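To see this problem in your own logs, here is an added example (not code from the article or the hosting company): a shell script that pulls the Google-referred requests out of a combined-format Apache/Nginx access log and shows, per status and path, which removed spam URLs are still being sent visitors and whether each one costs a dynamic 5xx or a cheap static 404. The lines in SAMPLE_LOG are constructed test data.

```shell
#!/bin/sh
# Added example, not code from the article: find the post-hack referral flood in a
# combined-format (Apache/Nginx) access log. It tallies requests whose Referer is a
# Google search, by status and path, so the dead spam URLs still being sent traffic
# stand out, together with what they cost: 200/500 means PHP and the database ran,
# 404 means the cheap static page answered. SAMPLE_LOG is constructed test data.
set -u

SAMPLE_LOG='203.0.113.5 - - [19/May/2008:10:01:02 +0000] "GET /Emma/tamil-video.html HTTP/1.1" 500 2310 "http://www.google.lk/search?q=tamil+video" "Mozilla/5.0"
203.0.113.9 - - [19/May/2008:10:01:05 +0000] "GET /Jordan/index.html HTTP/1.1" 500 2310 "http://www.google.com/search?q=cheap+pills" "Mozilla/5.0"
198.51.100.2 - - [19/May/2008:10:01:07 +0000] "GET /2008/05/storage-post/ HTTP/1.1" 200 18422 "http://www.google.com/search?q=storagemojo" "Mozilla/5.0"
203.0.113.5 - - [19/May/2008:10:01:09 +0000] "GET /Emma/tamil-video.html HTTP/1.1" 500 2310 "http://www.google.lk/search?q=tamil+video" "Mozilla/5.0"
192.0.2.7 - - [19/May/2008:10:01:11 +0000] "GET /Alexander/x.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"'

# google_referrals: combined log on stdin -> "COUNT STATUS PATH", busiest first,
# for every request whose Referer is a Google search results page.
google_referrals() {
    awk '
        {
            # Split on double quotes: q[2] = request line, q[3] = " status bytes ",
            # q[4] = Referer. Plain field numbers would break on odd user agents.
            split($0, q, "\"")
            if (q[4] !~ /^https?:\/\/([a-z0-9-]+\.)*google\.[a-z.]+\//) next
            split(q[2], r, " ")      # r[1]=method r[2]=path r[3]=protocol
            split(q[3], s, " ")      # s[1]=status s[2]=bytes
            hits[s[1] " " r[2]]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -rn
}

# referred_error_paths: paths that Google still sends visitors to and that end in
# a 5xx (a dynamic "System Error" instead of a static 404). This is the list to
# hand to a static 404/410 rule so those requests never reach PHP again.
referred_error_paths() {
    google_referrals | awk '$2 ~ /^5/ { print $3 }' | sort -u
}
```

Run it as `google_referrals < /path/to/access.log` on the real log; the sample shows the two planted folders answering with 500 while the legitimate post answers with 200.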

Google post-hack problem 2

Then I get a note from Google about the 3rd site I host - an online brochure for a friend's small business. I'd cleaned it at the same time I did StorageMojo.

Removal from Google's index

Dear site owner or webmaster of . . . ,

While we were indexing your webpages, we detected that some of your pages were using techniques that are outside our quality guidelines, which can be found here: http://www.google.com/webmasters/guidelines.html. This appears to be because your site has been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.

The following are some example URLs from your site:

[removed]

In order to preserve the quality of our search engine, we have temporarily removed some of your webpages from our search results. Currently pages . . . are scheduled to be removed for at least 30 days.

We would prefer to have your pages in Google's index. If you wish to be reincluded, please correct or remove all pages (may not be limited to the examples provided) that are outside our quality guidelines. One potential remedy is to contact your web host technical support for assistance. For more information about security for webmasters, see http://googlewebmastercentral.blogspot.com/2007/09/quick-security-checklist-for-webmasters.html.

When you are ready, please visit https://www.google.com/webmasters/tools/reinclusion?hl=en to learn more and submit your site for reconsideration.

Sincerely, Google Search Quality Team

A very nice note. So I went to the webmaster site, filled out the form, explained what had happened and was informed that it could take 4-6 weeks to get the site indexed again.

4-6 weeks!?! If that was an e-commerce site I'd be out of business! I know the web is a big place - but Google is a big company with a monopoly on search. They need to do better.

Some tips on site security

Everybody talks about security . . . . Here are my suggestions based on this experience and research.

  • Noticed that the Dreamhost web management system doesn’t make new passwords easy - password management is spread across several different tools - which guarantees that people won’t change them very often. I suspect this is generally true across hosting companies. But at least make sure you have tough passwords.
  • Read up on security. A couple of good sites are Blog Security and Stop Badware. Google's checklist above is also helpful.
  • Best Google advice:

    SSH and SFTP should be used for data transfer, rather than plain text protocols such as telnet or FTP. SSH and SFTP use encryption and are much safer. For this and many other useful tips, check out StopBadware.org's Tips for Cleaning and Securing Your Website.

  • Inspect your site files and/or logs regularly. The bogus files were more recent than virtually anything else on my sites, making them easier to find when looked for by date.

The Storage Bits take

I now know I will never be done. The rest of you with blogs should learn by my misadventure.

The biggest surprise is that there are many things that can be done to make sites harder, but they are not the defaults. You have to do some research and sometimes some configuration.

That is wrong. Other than general exhortations to update software, hosting companies don't make it easy to manage security. Not many consumers are going to dig into log files every couple of days.

How about offering to email a summary of site changes every day?
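The daily change summary suggested here, together with the "inspect your site files by date" tip above, as an added example that is not the article's or any hosting company's code: a shell script that keeps a SHA-256 manifest of the web root, reports added, changed and removed files since the last run (the planted folders and injected iframes show up as ADDED and CHANGED), and lists recently modified files. It assumes GNU coreutils and findutils on the host and file names without spaces; WEBROOT and the manifest path are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the article): a daily "what changed in my web root" report.
# It writes a manifest of every file's SHA-256 and compares it with the previous
# run's manifest, so planted files (new folders, injected scripts, an altered
# index.php) show up as ADDED or CHANGED lines. Assumes GNU coreutils/findutils
# (sha256sum, find -printf) and paths without spaces; WEBROOT and MANIFEST are
# placeholders for the real site directory and a file kept outside the web root.
set -u

# build_manifest DIR OUT: one line per regular file, "<sha256>  <relative path>", sorted.
build_manifest() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -print0 | xargs -0 sha256sum ) | LC_ALL=C sort -k2 > "$out"
}

# diff_manifests OLD NEW: print "ADDED <path>", "CHANGED <path>", "REMOVED <path>".
diff_manifests() {
    old=$1; new=$2
    # First file fills old[path]=hash; second file is compared against it.
    # FILENAME (not NR==FNR) so an empty baseline does not swallow the new file.
    awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }
        {
            if (!($2 in old))       print "ADDED   " $2
            else if (old[$2] != $1) print "CHANGED " $2
            seen[$2] = 1
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$old" "$new" | LC_ALL=C sort
}

# recent_files DIR DAYS: the sort-by-date trick from the tips, as one command:
# files modified within the last DAYS days, newest first.
recent_files() {
    dir=$1; days=$2
    find "$dir" -type f -mtime "-$days" -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort -r
}

# daily_report WEBROOT MANIFEST: meant for cron; prints the change report (pipe it
# to mail). The first run only records a baseline.
daily_report() {
    webroot=$1; manifest=$2
    tmp=$(mktemp)
    build_manifest "$webroot" "$tmp"
    if [ -f "$manifest" ]; then
        diff_manifests "$manifest" "$tmp"
    else
        echo "baseline created: $(wc -l < "$tmp") files"
    fi
    mv "$tmp" "$manifest"
}
```

A cron line such as `0 6 * * * /path/to/report.sh | mail -s "site changes" you@example.com` (placeholder addresses) turns it into the daily email the post asks hosting companies for; take the baseline only after the site has been cleaned, or the planted files become part of the "known good" set.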

There are many security suggestions but very little empirical data on what really works. While keeping current is priority 1, what should priority 2 be? And 3?

Google is *trying* to be helpful - but has room to improve. Why am I still getting hits for stuff that was removed 2 weeks ago? They have an awesome power to kill people's businesses through unresponsiveness.

How about "Don't be evil or slow" for a motto?

Comments welcome, of course.


Talkback

23 comments
  • Just a few google hacks is all it takes to return sites

    Example: "intitle:index of" passwords modified

    Your site shouldn't return anything for a google on "intitle:index of" and inurl:<your domain name>

    As for sftp (ssh), be sure that your server's /etc/sshd_config is set for:

    PermitRootLogin no
    UsePAM no
    ChallengeResponseAuthentication no
    # example of some non-standard port
    Port 62314

    Create a publickey with ssh-keygen for passwordless login.

    I spent last reviewing my logs to find that there appears to be a new 'distributed' ssh brute force attack method which will fly below 'the radar' of most intrusion detection systems.

    DenyHosts is installed on my servers but this distributed brute-force technique relies on sending each successive login attempt from a different ip separated by about 30 seconds or more.

    As such Denyhosts fails to sense the attack because it doesn't see just 'one ip' failing 5 times.

    Follow the above ssh configuration changes to secure your system from any brute-force attack--the only way.

    Also, if you run an unmanaged site, and it runs on any Linux Distro, please install AppArmor and mod-apparmor Apache module (AppArmor is standard equipment in openSUSE 10.3 and Ubuntu 8.04).

    Here's an Ars Technica article that highlights last week's ssh attacks:

    http://arstechnica.com/news.ars/post/20080515-strong-passwords-no-panacea-as-ssh-brute-force-attacks-rise.html

    Be safe!
    D T Schmitz
  • FTPS is also a very viable solution

    Sorry to hear about your hacking incident, it sounds painful and it reminds me to do a site backup now.

    There are also free FTPS servers and free FTPS clients like FileZilla. FTPS is FTP over SSL or TLS.
    http://www.formortals.com/Default.aspx?tabid=36&EntryID=39


    George Ou
    http://www.ForMortals.com
    georgeou
  • RE: If hackers don't get you, maybe Google will

    If you're using Linux hosting, it should be pretty easy to write a script to email you when your files change.
    rrubr@...
  • So Robin, do you know exactly HOW you were hacked!?

    If you don't, you really should have made efforts to find out. Simply updating WordPress to the latest version may stop the attack vector, then again it may not...

    I hope you didn't delete all your log files and infected web files so you can do a proper investigation into how this happened.
    Scrat
  • "Don't Be Evil" Expired the second they went public...

    They can say it, but it don't mean squat any more. Nowadays Google has to answer to shareholders, not end-users. This has been pretty clear as of late.

    The Google we all knew died the second the first share was sold.
    BitTwiddler
  • Google has a monopoly on search?

    I'm sure they'll be glad to hear THAT. Is this just another case of ZDNet's typical modus exaggerandi, or do you really believe it? Does monopoly now mean "a large share I don't approve of because I'm so morally superior"?
    Vesicant
    • The Linux fanboys...

      The Linux fanboys use the same logic to assert that the only reason their O/S can't make ground is because Microsoft is the evil monopolist as well...
      Marty R. Milette
      • Right but the difference

        is that Microsoft was found to have a monopoly in court. Several requirements must be met before a monopoly can be declared (start here http://www.usdoj.gov/atr/foia/divisionmanual/ch2.htm).

        Even then, unless the monopoly abuses its position, it is not illegal.
        Real World
        • But they were not a monopoly

          when they were using these tactics over the years to expand their sales, only after they went to court, so it must have been OK up until that point, the point at which they were *proven* to be a monopoly.

          So we must wait until Google goes to court before anyone can call them "a monopoly", correct?
          GuidingLight
          • Yes, you're correct

            Well, no you're not. Ok, both.

            Yes, we have to wait until Google is legally declared a monopoly before we can christen them one. Otherwise, we can call them anything we want. I kind of like the Campbell's Soup Kids or Parliament...

            And no, you don't have to be a legally declared monopoly for your tactics to be both unethical and illegal. However, there are different standards for a monopoly. Look at the link I posted above.
            Real World
      • Good Point...nt

        nt
        ItsTheBottomLine
  • The nature of the situation...

    ...is that enormous economical power is concentrated in the hands of very few, by means of a dependency relationship. The European Union is correct in finding this dependency to be undesirable, however, the solution, a central government controlled search engine, seems to suffer from the same potential for problems.

    Society is usually best served with distributed, decentralized systems organized under a central initiative, because it reduces dependency and distributes power to the 'grass roots'. Yet it would perhaps be hard to envision such a system that can work (I haven't thought about it in any case). The most important thing though, would be to keep Big Private Money out of it, as owners of the system.
    kouzen
  • The reason is mentioned in your post

    "Google is a big company with a monopoly on search. They need to do better."

    Actually, they do not.

    When you are the monopoly, there is no need or reason to do better, which means they will not.
    GuidingLight
  • Umm...

    How was it Google's fault that your server was misconfigured to return a "System Error" message rather than a 404?
    JDThompson
  • Blame Google? Blame yourself.

    I understand that this whole deal was pretty frustrating for you.

    However, I don't think it's fair for you to be upset with Google. I'll admit, I'm not an economist. I do not have my MBA.

    But the poor security you had in place for your websites (you were using unsecured FTP? What did you expect?) was nobody's fault but your own. You brought this upon yourself. I don't know what fees you pay Google on a monthly or yearly basis. I'm not sure what percentage of Google you personally own through stock. My guess, in either case, is zero. Not to be rude, or to disrespect your web presence, but you provide so little to Google that it can be rounded to nothing. Asking them to expedite the process of getting your sites back onto their system after you've muddled them up with your own lack of foresight is a little absurd, no? Google doesn't owe you anything. I can't imagine they're going to hire another 200 people to deal with security-impaired webmasters who offer nothing to them in return.

    So, in conclusion, shame on you. Shame on you for looking down on Google from your high horse, crying to the world on your ZDNet blog about how Google isn't doing enough for you. Thank your lucky stars that they didn't blacklist your sites because they know that the person in charge of them is unable to mitigate even the most basic security holes which have been COMMON KNOWLEDGE for well over a decade. Thank your lucky stars that they're willing to accommodate you within a month even though the cost of doing so while maintaining quality control will undoubtedly greatly outweigh any revenue you will ever dream of generating for them. You are a charity case. You are a beggar. Beggars can not be choosers. Do not look this gift horse in the mouth. Learn to secure your webspace. Shame on you. Shame on you.
    I_am_windex007@...
    • Blame Google? Why not?

      Shame on you too for working @ Google, or doing profit from them. You clearly demonstrate that.

      ANY monopoly is bad, really bad, and Google is NOT different!
      Gradius2
  • Who to blame???

    Obviously Robin is not BLAMING Google for doing wrong here. In fact he commends them often on a lot of good they are doing. But, there are obvious places for improvement.

    I run a few web sites. One of them was set up wrong and Google indexed something that I didn't want indexed. It took weeks to remove the cached pages from Google's servers. That was maddening. This should be able to be achieved in minutes. We are using fast computers these days, aren't we? Then to make matters worse, even though I took the links down and Google's cache had finally cleared, searching still returned results to pages that didn't exist any more. It took over 6 months for those to go away.

    It should be plain and simple, if an owner of a web site requests removal of indexed links, including snapshots, it should be fast and efficient. Not like it is today. That's just plain laziness on Google's part. And, a real lack of support. With all the revenue they generate, they could afford at least a little more effort in this area. While I have no reason to dislike that they do cache and hold data for a very very long time, I even use that feature so it's good. But, if requested removed by the rightful owner, it should go away quickly and completely.
    Narg
    • Still Robin.

      I think in Robin's case, a hacked site, I think 4 to 6 weeks is maybe a good idea even if they can do it in minutes.

      I mean, not to be rude, but Robin brought this upon himself. From Google's perspective, what are his sites? They are sites that were hacked because the person who should have been taking steps to ensure that his site didn't get hacked, didn't. I don't have any statistical evidence, but it leads to follow that if a site gets hacked, that was operated by somebody who was unable to secure it in the first place, subsequent hacks on the same site, especially within 4 to 6 weeks, are probably VERY likely, while the webmaster who has already proven himself to be inept bungles around trying to fix things.

      In your case, Scott, laziness on their part? Maybe. But once again, remember, you get what you pay for. And since you're paying nothing, and getting something, you're still getting a heck of a deal. Can they improve on some things? Absolutely. Should they? Yes. Do they have to? Do they owe it to you? NO. Perhaps my biggest issue with this whole discussion is the tone of entitlement that everyone seems to have. Google owes you exactly what you owe me. Not a thing.
      I_am_windex007@...
  • RE: If hackers don't get you, maybe Google will

    For one, I don't work for google. For two, what do you think Google is? What do you think Google owes you? It's like going into a McDonalds, demanding fries as you explain to the guy at the till that you will not be paying for them. Why on Earth would they do whatever you tell them to, when you don't pay them? They're a business, not a charity. Where do you work? Can I get free services from them? Can I walk in and start telling them to run their business and not even be a customer of any kind? I doubt it.

    And despite this fact, they are still willing to invest their resources to get these sites re-indexed. Maybe it won't be as soon as he was hoping. Tough cookies. These are the consequences of having piss-poor security for your websites. I maintain that google has done absolutely nothing wrong.
    I_am_windex007@...
    • I agree 100%

      I completely agree with I_am_windex007. What does Google owe you? Google provides a free service to you as far as indexing goes. They do not have to index your sites if they do not want to because you do not pay for it. Another thing is you should have made sure your site is secure but are probably ignorant to the subject of security. With your attitude getting hacked suited you well in the sense that now you learned something. I believe that hackers provide a good service. Look at it this way... It could have been a lot worse and also what you should have done is kept all the data and log files and posted it so maybe others can learn from your mistakes. Do not point the finger at anyone else when you are the one not up to date on the subject. Also your sites can't be that important to you or else this would have never happened.
      floridait@...