
If hackers don't get you, maybe Google will

By Robin Harris | May 18, 2008, 2:29pm PDT


Two weeks ago my personal blog (StorageMojo) was hacked. Turns out that Google can be a bigger problem than the hackers. Here’s how it works and tips on protecting yourself.

“Don’t be evil” is a pretty low bar
There’s been a lot of blog hacking going around. The criminals know that many folks with small websites and blogs are easy targets.

Break into a site, plant links, let Google index it, and all of a sudden millions of queries will be coming to the hacked sites. Put ads on the screen and see who bites.

What being hacked looked like
It took a while to grok how deeply StorageMojo had been hacked.

First I got a note from my hosting company - something about a network daemon on my site - and I told them to take it down. Which they did.

Thought I was done.

But I wasn’t
Then the CTO at Nexsan told me that Firefox was flagging StorageMojo for malware. Went into the StorageMojo files on WordPress and discovered some iframes that I hadn’t put there.

Pulled them out. Then I went through all my site files and discovered all kinds of folders that I hadn’t put there. With names like Emma, Alexander and Jordan with links to sites I’d never heard of.

Trashed them. Continued looking and found images, scripts and other less obvious folders, that didn’t belong. And the least used of my 3 websites had been totally replaced with hacker files. The other 2 sites worked fine.

Trashed them all. Loaded my backup copy of the site - you have one, right? - and I was back in business.

Found the malicious code. Very professional. Replicated in several places. Language = ru, for Russian.

Thought I was done.

Here comes Google
Upgraded to the latest version of WordPress. Failing to do so was probably my downfall. But to be safe I updated passwords - even though they probably hadn’t been hacked - enabled secure SFTP on my FTP client - the software that uploads files to the host - and more.

Thought I was done.

Wrong again.


Getting rid of the hacked files wasn’t the end of it
A week later my hosting company notified me that the load on my server was excessive and they’d disabled StorageMojo. I make money off StorageMojo so that was bad news.

Yikes! Had I been hacked again? DDOS attack?

But this time I felt like I knew what to do. Wrong again.

In short order I brought up my SFTP client, my tracking site and the Dreamhost webpanel. I tossed a new index.html file into the site folder to let people know that the problem was getting addressed.

Google post-hack problem 1
All the hacked files were gone. Google had spidered the site after that but they still had the links in their search results.

So the Sri Lankan looking for Tamil porn videos was coming to StorageMojo for a non-existent page and getting a “System Error” message - instead of a low-overhead static 404 page. And that was killing the virtual server’s performance.

After a few hours the Google referral traffic declined and my hosting company put StorageMojo back up - now serving up a StorageMojo page from cache that says “No articles found.” Much lighter.
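The cheap fix for this failure mode is to find out which of the dead, still-indexed URLs are being hit through search referrals and answer them from the web server with a static 410 so the application never runs. The script below is an added example (not the post's code): it parses constructed Apache combined-format log lines, in which the spam paths and client addresses are invented placeholders, counts search-referred misses per path, and emits mod_alias `Redirect gone` rules.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Apache "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Referer hostnames treated as search-engine traffic (substring match on host).
SEARCH_ENGINE_MARKERS = ("google.", "bing.", "yahoo.")

# Constructed sample log: the spam folder paths and client addresses are
# invented placeholders, not the ones from the incident described in the post.
SAMPLE_LOG = """\
203.0.113.10 - - [18/May/2008:10:01:02 -0700] "GET /emma/index.html HTTP/1.1" 500 2147 "http://www.google.com/search?q=example" "Mozilla/5.0"
203.0.113.11 - - [18/May/2008:10:01:05 -0700] "GET /emma/index.html HTTP/1.1" 500 2147 "http://www.google.lk/search?q=example" "Mozilla/5.0"
203.0.113.12 - - [18/May/2008:10:01:09 -0700] "GET /alexander/page2.html HTTP/1.1" 404 512 "http://www.google.com/search?q=other" "Mozilla/5.0"
198.51.100.7 - - [18/May/2008:10:02:00 -0700] "GET /2008/05/storage-post/ HTTP/1.1" 200 18344 "-" "Mozilla/5.0"
203.0.113.13 - - [18/May/2008:10:02:30 -0700] "GET /emma/index.html HTTP/1.1" 500 2147 "http://www.google.com/search?q=example" "Mozilla/5.0"
198.51.100.8 - - [18/May/2008:10:03:00 -0700] "GET /missing-typo HTTP/1.1" 404 512 "http://example.net/links" "Mozilla/5.0"
"""


def parse_log(text):
    """Yield one dict per well-formed log line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def is_search_referer(referer):
    """True when the Referer header points at a search-engine host."""
    host = urlparse(referer).hostname or ""
    return any(marker in host for marker in SEARCH_ENGINE_MARKERS)


def _is_search_miss(rec):
    return (rec["status"] == 404 or rec["status"] >= 500) and is_search_referer(rec["referer"])


def dead_search_hits(text):
    """Count search-referred requests that ended in 404 or 5xx, per path.

    A 5xx here means the application, not a static 404 page, handled the miss:
    the expensive case the post describes."""
    return Counter(rec["path"] for rec in parse_log(text) if _is_search_miss(rec))


def error_status_breakdown(text):
    """How the search-referred misses were answered: {status: count}."""
    return dict(Counter(rec["status"] for rec in parse_log(text) if _is_search_miss(rec)))


def apache_gone_rules(hits, min_hits=1):
    """mod_alias 'Redirect gone' lines, busiest path first.

    A 410 is served by the web server itself, so the application never runs."""
    return [f"Redirect gone {path}" for path, n in hits.most_common() if n >= min_hits]


if __name__ == "__main__":
    hits = dead_search_hits(SAMPLE_LOG)
    print("search-referred misses by path:", dict(hits))
    print("answered with status codes:", error_status_breakdown(SAMPLE_LOG))
    print("\n".join(apache_gone_rules(hits)))
```

The generated rules go into the server config or `.htaccess`; anything that still reaches the application afterwards shows up in the next run of the script.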

Google post-hack problem 2
Then I get a note from Google about the 3rd site I host - an online brochure for a friend’s small business. I’d cleaned it at the same time I did StorageMojo.

Removal from Google’s index

Dear site owner or webmaster of . . . ,

While we were indexing your webpages, we detected that some of your pages were using techniques that are outside our quality guidelines, which can be found here: http://www.google.com/webmasters/guidelines.html. This appears to be because your site has been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.

The following are some example URLs from your site:

[removed]

In order to preserve the quality of our search engine, we have temporarily removed some of your webpages from our search results. Currently pages . . . are scheduled to be removed for at least 30 days.

We would prefer to have your pages in Google’s index. If you wish to be reincluded, please correct or remove all pages (may not be limited to the examples provided) that are outside our quality guidelines. One potential remedy is to contact your web host technical support for assistance. For more information about security for webmasters, see http://googlewebmastercentral.blogspot.com/2007/09/quick-security-checklist-for-webmasters.html.

When you are ready, please visit https://www.google.com/webmasters/tools/reinclusion?hl=en to learn more and submit your site for reconsideration.

Sincerely,
Google Search Quality Team

A very nice note. So I went to the webmaster site, filled out the form, explained what had happened and was informed that it could take 4-6 weeks to get the site indexed again.

4-6 weeks!?! If that was an e-commerce site I’d be out of business! I know the web is a big place - but Google is a big company with a monopoly on search. They need to do better.

Some tips on site security
Everybody talks about security . . . . Here are my suggestions based on this experience and research.

  • Noticed that the Dreamhost web management system doesn’t make new passwords easy - password management is spread across several different tools - which guarantees that people won’t change them very often. I suspect this is generally true across hosting companies. But at least make sure you have tough passwords.
  • Read up on security. A couple of good sites are Blog Security and Stop Badware. Google’s checklist above is also helpful.
  • Best Google advice:
    SSH and SFTP should be used for data transfer, rather than plain text protocols such as telnet or FTP. SSH and SFTP use encryption and are much safer. For this and many other useful tips, check out StopBadware.org’s Tips for Cleaning and Securing Your Website.
  • Inspect your site files and/or logs regularly. The bogus files were more recent than virtually anything else on my sites, making them easier to find when looked for by date.

The Storage Bits take
I now know I will never be done. The rest of you with blogs should learn by my misadventure.

The biggest surprise is that there are many things that can be done to make sites harder, but they are not the defaults. You have to do some research and sometimes some configuration.

That is wrong. Other than general exhortations to update software, hosting companies don’t make it easy to manage security. Not many consumers are going to dig into log files every couple of days.

How about offering to email a summary of site changes every day?
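A daily summary of site changes, and the earlier tip about finding planted files by date, come down to the same mechanism: hash every file once, keep the result, and diff against it on the next run. The script below is an added example, not the post's or any hosting company's code; it builds a constructed site tree in a temporary directory, simulates the symptoms described above (an unexpected folder appears, an existing page is altered) and reports the difference.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large uploads never sit whole in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative path) to (sha256, mtime).

    Symlinks are skipped so a planted link cannot pull in files outside the tree."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root)
            baseline[rel] = (sha256_file(full), int(os.stat(full).st_mtime))
    return baseline


def diff_baselines(old, new):
    """Files that appeared, changed content, or vanished since the stored baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "modified": sorted(p for p in set(old) & set(new) if old[p][0] != new[p][0]),
        "deleted": sorted(set(old) - set(new)),
    }


def recently_changed(baseline, since_ts):
    """Paths whose mtime is at or after since_ts: the 'look by date' tip from the post."""
    return sorted(p for p, (_digest, mtime) in baseline.items() if mtime >= since_ts)


def daily_summary(diff):
    """Plain-text report suitable as the body of a daily e-mail."""
    lines = [f"{kind.upper():<9}{path}"
             for kind in ("added", "modified", "deleted") for path in diff[kind]]
    return "\n".join(lines) if lines else "no changes since last baseline"


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed site tree: take a baseline, simulate tampering, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", b"<?php get_header(); ?>\n")
        _write(root, os.path.join("wp-content", "themes", "style.css"), b"body{}\n")
        _write(root, os.path.join("images", "logo.png"), b"\x89PNG\r\n")
        before = build_baseline(root)
        # Simulated tampering (constructed): a planted folder and a modified page,
        # the two things the post found by hand.
        _write(root, os.path.join("emma", "index.html"), b"<html>spam</html>\n")
        _write(root, "index.php", b"<?php get_header(); ?>\n<iframe></iframe>\n")
        after = build_baseline(root)
        return diff_baselines(before, after)


if __name__ == "__main__":
    print(daily_summary(demo()))
```

In real use the baseline is serialised (for example as JSON) somewhere the web server account cannot write to, otherwise an intruder who can plant files can also rewrite the record of what was there.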

There are many security suggestions but very little empirical data on what really works. While keeping current is priority 1, what should priority 2 be? And 3?

Google is *trying* to be helpful - but has room to improve. Why am I still getting hits for stuff that was removed 2 weeks ago? They have an awesome power to kill people’s businesses through unresponsiveness.

How about “Don’t be evil or slow” for a motto?

Comments welcome, of course.


Disclosure

Robin Harris

Robin Harris is a president of TechnoQWAN, a consulting and analyst firm in northern Arizona. He also writes StorageMojo.com, a blog which accepts advertising from companies in the storage industry, and has a 25 year history with IT vendors. He has many industry contacts, many of whom are friends and all of whom he has opinions about. Robin has relationships with many companies in the technology industry. Every company he writes about may have sought to influence his opinion through carefully-crafted marketing messages and self-serving white papers, gifts ranging from desk calendars, t-shirts, lunches and trips as well as analyst or consulting assignments. He also invests in some technology companies. He may accept payment for services in stock as well. Robin discloses financial investments in or client relationships with companies named in Storage Bits. To help readers sort out the gold from the dross in his writings, Robin tries to communicate his reasons as clearly as he can. If you agree, you are intelligent and discerning. If you disagree, well, you disagree. In all cases, Robin encourages readers to subject everything they read, see or hear on the internet or from politicians to some simple questions:
  • What assumptions are implicit in the world view and judgments of the author?
  • What, if any, is the factual basis for the opinions the author expresses?
  • Is it reasonable, logical and clear?
Your critical faculties: use ‘em or lose ‘em!

Biography

Robin Harris

Harris has been messing with computers for over 30 years and selling and marketing data storage for over 20 in companies large and small. He introduced a couple of multi-billion dollar storage products (DLT, the first Fibre Channel array) to market, as well as a many smaller ones. Earlier he spent 10 years marketing servers and networks. After leaving corporate life he founded TechnoQWAN, a consulting and analyst firm. He also developed StorageMojo into one of the top storage industry blogs.

Robin writes, consults, coaches and lives among the mountains of northern Arizona.

Comments

amen
catseverywhere@... 16th Jul 2008
And top it all off with "scroogle scraper" on the client side:

http://www.scroogle.org/cgi-bin/scraper.htm
0 Votes
+ -
Example: "intitle:index of" passwords modified

Your site shouldn't return anything for a google on "intitle:index of" and inurl:

As for sftp (ssh), be sure that your server's /etc/sshd_config is set for:

PermitRootLogin no
UsePAM no
ChallengeResponseAuthentication no
Port 62314 #example of some non-standard port

Create a publickey with ssh-keygen for passwordless login.

I spent last reviewing my logs to find that there appears to be a new 'distributed' ssh brute force attack method which will fly below 'the radar' of most intrusion detection systems.

DenyHosts is installed on my servers but this distributed brute-force technique relies on sending each successive login attempt from a different ip separated by about 30 seconds or more.

As such Denyhosts fails to sense the attack because it doesn't see just 'one ip' failing 5 times.

Follow the above ssh configuration changes to secure your system from any brute-force attack--the only way.

Also, if you run an unmanaged site, and it runs on any Linux Distro, please install AppArmor and mod-apparmor Apache module (AppArmor is standard equipment in openSUSE 10.3 and Ubuntu 8.04).

Here's an Ars Technica article that highlights last week's ssh attacks:

http://arstechnica.com/news.ars/post/20080515-strong-passwords-no-panacea-as-ssh-brute-force-attacks-rise.html

Be safe!
0 Votes
+ -
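The gap this comment describes, one failure per source address spaced far enough apart that a per-IP threshold never trips, can be caught by counting failures per target account across all sources in a sliding window. The script below is an added example, not the commenter's code or DenyHosts: it parses constructed auth.log lines (hostname, PIDs and addresses invented), runs a DenyHosts-style per-IP count beside an aggregate per-account count, and shows that only the latter fires.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# OpenSSH failure lines as written by syslog (no year in the timestamp).
AUTH_RE = re.compile(
    r'^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$'
)

# Constructed sample: eight root failures about 30 s apart, each from a different
# address, plus one stray failure and one legitimate key login. All invented.
SAMPLE_AUTH_LOG = """\
May 15 10:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 40122 ssh2
May 15 10:00:33 web1 sshd[2203]: Failed password for root from 198.51.100.21 port 51004 ssh2
May 15 10:01:02 web1 sshd[2207]: Failed password for root from 203.0.113.77 port 33210 ssh2
May 15 10:01:35 web1 sshd[2210]: Failed password for root from 192.0.2.18 port 42871 ssh2
May 15 10:01:40 web1 sshd[2211]: Failed password for invalid user admin from 192.0.2.99 port 50001 ssh2
May 15 10:02:06 web1 sshd[2214]: Failed password for root from 198.51.100.140 port 38990 ssh2
May 15 10:02:38 web1 sshd[2217]: Failed password for root from 203.0.113.200 port 47112 ssh2
May 15 10:03:09 web1 sshd[2220]: Failed password for root from 192.0.2.55 port 36620 ssh2
May 15 10:03:41 web1 sshd[2223]: Failed password for root from 198.51.100.9 port 41234 ssh2
May 15 10:05:00 web1 sshd[2230]: Accepted publickey for deploy from 198.51.100.2 port 52000 ssh2
"""


def parse_failures(text, year=2008):
    """Return sorted (timestamp, user, ip) tuples for each failed password attempt.

    syslog omits the year, so it is supplied by the caller (assumed 2008 here)."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return sorted(events)


def per_ip_offenders(events, threshold=5):
    """DenyHosts-style rule: source addresses with at least `threshold` failures."""
    counts = Counter(ip for _ts, _user, ip in events)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def distributed_alerts(events, window_s=600, threshold=5, min_ips=3):
    """Per-account sliding window over all sources.

    Alert once per account when at least `threshold` failures from at least
    `min_ips` distinct addresses land inside `window_s` seconds."""
    alerts, fired = [], set()
    window = defaultdict(deque)
    for ts, user, ip in events:
        q = window[user]
        q.append((ts, ip))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = {src for _t, src in q}
        if len(q) >= threshold and len(distinct) >= min_ips and user not in fired:
            alerts.append((user, len(q), len(distinct), ts))
            fired.add(user)
    return alerts


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_AUTH_LOG)
    print("per-IP offenders (threshold 5):", per_ip_offenders(ev))
    for user, n, ips, when in distributed_alerts(ev):
        print(f"{when}: {n} failures for '{user}' from {ips} addresses in window")
```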
FTPS is also a very viable solution
georgeou 18th May 2008
Sorry to hear about your hacking incident, it sounds painful and it reminds me to do a site backup now.

There are also free FTPS servers and free FTPS clients like FileZilla. FTPS is FTP over SSL or TLS.
http://www.formortals.com/Default.aspx?tabid=36&EntryID=39


George Ou
http://www.ForMortals.com
0 Votes
+ -
If you're using Linux hosting, it should be pretty easy to write a script to email you when your files change.
If you don't, you really should have made efforts to find out. Simply updating WordPress to the latest version may stop the attack vector, then again it may not...

I hope you didn't delete all your log files and infected web files so you can do a proper investigation into how this happened.
0 Votes
+ -
They can say it, but it don't mean squat any more. Nowadays Google has to answer to shareholders, not end-users. This has been pretty clear as of late.

The Google we all knew died the second the first share was sold.
0 Votes
+ -
Google has a monopoly on search?
Vesicant 19th May 2008
I'm sure they'll be glad to hear THAT. Is this just another case of ZDNet's typical modus exagerrandi, or do you really believe it? Does monopoly now mean "a large share I don't approve of because I'm so morally superior"?
0 Votes
+ -
The Linux fanboys...
Marty R. Milette 19th May 2008
The Linux fanboys use the same logic to assert that the only reason their O/S can't make ground is because Microsoft is the evil monopolist as well...
0 Votes
+ -
Right but the difference
Real World 19th May 2008
is that Microsoft was found to have a monopoly in court. Several requirements must be met before a monopoly can be declared (start here http://www.usdoj.gov/atr/foia/divisionmanual/ch2.htm).

Even then, unless the monopoly abuses its position, it is not illegal.
0 Votes
+ -
But they were not a monopoly
GuidingLight 19th May 2008
when they were using these tactics over the years to expand their sales, only after they went to court, so it must have been OK up until that point, the point at which they were proven to be a monopoly.

So we must wait until Google goes to court before anyone can call them "a monopoly", correct?
0 Votes
+ -
Yes, you're correct
Real World 19th May 2008
Well, no you're not. Ok, both.

Yes, we have to wait until Google is legally declared a monopoly before we can christen them one. Otherwise, we can call them anything we want. I kind of like the Campbell's Soup Kids or Parliament...

And no, you don't have to be a legally declared monopoly for your tactics to be both unethical and illegal. However, there are different standards for a monopoly. Look at the link I posted above.
0 Votes
+ -
Good Point...nt
ItsTheBottomLine 19th May 2008
nt
0 Votes
+ -
The nature of the situation...
kouzen 19th May 2008
...is that enormous economical power is concentrated in the hands of very few, by means of a dependency relationship. The European Union is correct in finding this dependency to be undesirable, however, the solution, a central government controlled search engine, seems to suffer from the same potential for problems.

Society is usually best served with distributed, decentralized systems organized under a central initiative, because it reduces dependency and distributes power to the 'grass roots'. Yet it would perhaps be hard to envision such a system that can work (I haven't thought about it in any case). The most important thing though, would be to keep Big Private Money out of it, as owners of the system.
0 Votes
+ -
The reason is mentioned in your post
GuidingLight 19th May 2008
Google is a big company with a monopoly on search. They need to do better

Actually, they do not.

When you are the monopoly, there is no need or reason to do better, which means they will not.
0 Votes
+ -
Umm...
JDThompson 19th May 2008
How was it Google's fault that your server was misconfigured to return a "System Error" message rather than a 404?
0 Votes
+ -
Blame Google? Blame yourself.
I_am_windex007@... 19th May 2008
I understand that this whole deal was pretty frustrating for you.

However, I don't think it's fair for you to be upset with Google. I'll admit, I'm not an economist. I do not have my MBA.

But the poor security you had in place for your websites (you were using unsecured FTP? What did you expect?) was nobody's fault but your own. You brought this upon yourself. I don't know what fees you pay Google on a monthly or yearly basis. I'm not sure what percentage of Google you personally own through stock. My guess, in either case, is zero. Not to be rude, or to disrespect your web presence, but you provide so little to Google that it can be rounded to nothing. Asking them to expedite the process of getting your sites back onto their system after you've muddled them up with your own lack of foresight is a little absurd, no? Google doesn't owe you anything. I can't imagine they're going to hire another 200 people to deal with security-impaired webmasters who offer nothing to them in return.

So, in conclusion, shame on you. Shame on you for looking down on Google from your high horse, crying to the world on your ZDNet blog about how Google isn't doing enough for you. Thank your lucky stars that they didn't blacklist your sites because they know that the person in charge of them is unable to mitigate even the most basic security holes which have been COMMON KNOWLEDGE for well over a decade. Thank your lucky stars that they're willing to accommodate you within a month even though the cost of doing so while maintaining quality control will undoubtedly greatly outweigh any revenue you will ever dream of generating for them. You are a charity case. You are a beggar. Beggars cannot be choosers. Do not look this gift horse in the mouth. Learn to secure your webspace. Shame on you. Shame on you.
0 Votes
+ -
Blame Google? Why not?
Gradius2 19th May 2008
Shame on you too for working @ Google, or doing profit from them. You clearly demonstrate that.

ANY monopoly is bad, really bad, and Google is NOT different!
0 Votes
+ -
Who to blame???
Narg 19th May 2008
Obviously Robin is not BLAMING Google for doing wrong here. In fact he commends them often on a lot of good they are doing. But, there are obvious places for improvement.

I run a few web sites. One of them was set up wrong and Google indexed something that I didn't want indexed. It took weeks to remove the cached pages from Google's servers. That was maddening. This should be able to be achieved in minutes. We are using fast computers these days, aren't we? Then to make matters worse, even though I took the links down and Google's cache had finally cleared, searching still returned results to pages that didn't exist any more. It took over 6 months for those to go away.

It should be plain and simple, if an owner of a web site requests removal of indexed links, including snapshots, it should be fast and efficient. Not like it is today. That's just plain laziness on Google's part. And, a real lack of support. With all the revenue they generate, they could afford at least a little more effort in this area. While I have no reason to dislike that they do cache and hold data for a very very long time, I even use that feature so it's good. But, if requested removed by the rightful owner, it should go away quickly and completely.
0 Votes
+ -
Still Robin.
I_am_windex007@... 19th May 2008
In Robin's case, a hacked site, I think 4 to 6 weeks is maybe a good idea even if they can do it in minutes.

I mean, not to be rude, but Robin brought this upon himself. From Google's perspective, what are his sites? They are sites that were hacked because the person who should have been taking steps to ensure that his site didn't get hacked, didn't. I don't have any statistical evidence, but it follows that if a site gets hacked that was operated by somebody who was unable to secure it in the first place, subsequent hacks on the same site, especially within 4 to 6 weeks, are probably VERY likely, while the webmaster who has already proven himself to be inept bungles around trying to fix things.

In your case, Scott, laziness on their part? Maybe. But once again, remember, you get what you pay for. And since you're paying nothing, and getting something, you're still getting a heck of a deal. Can they improve on some things? Absolutely. Should they? Yes. Do they have to? Do they owe it to you? NO. Perhaps my biggest issue with this whole discussion is the tone of entitlement that everyone seems to have. Google owes you exactly what you owe me. Not a thing.
0 Votes
+ -
RE: If hackers don't get you, maybe Google will
I_am_windex007@... 19th May 2008
For one, I don't work for google. For two, what do you think Google is? What do you think Google owes you? It's like going into a McDonalds, demanding fries as you explain to the guy at the till that you will not be paying for them. Why on Earth would they do whatever you tell them to, when you don't pay them? They're a business, not a charity. Where do you work? Can I get free services from them? Can I walk in and start telling them to run their business and not even be a customer of any kind? I doubt it.

And despite this fact, they are still willing to invest their resources to get these sites re-indexed. Maybe it won't be as soon as he was hoping. Tough cookies. These are the consequences of having piss-poor security for your websites. I maintain that google has done absolutely nothing wrong.
0 Votes
+ -
I agree 100%
floridait@... 20th May 2008
I completely agree with I_am_windex007. What does Google owe you? Google provides a free service to you as far as indexing goes. They do not have to index your sites if they do not want to because you do not pay for it. Another thing is you should have made sure your site is secure but are probably ignorant of the subject of security. With your attitude, getting hacked suited you well in the sense that now you learned something. I believe that hackers provide a good service. Look at it this way... It could have been a lot worse, and also what you should have done is kept all the data and log files and posted them so maybe others can learn from your mistakes. Do not point the finger at anyone else when you are the one not up to date on the subject. Also your sites can't be that important to you or else this would have never happened.
0 Votes
+ -
When the article's author says that if Google takes 4-6 weeks to reindex the site, it would take a commercial site completely out of business, I think he's wrong.
The web is mature now, and most people around the world do not depend widely on Google search results to find their favorite sites.
In fact, most of the referral that attracts people to a site and lets them come back is made on social sites (with forums, articles, blogs...) and site subscription services (including RSS and newsletters), so that people know when something interesting to them has changed.
Looking in Google to find some information is much less common today. And even if a site gets unindexed in Google, it will have many other referrals on other social sites, including those discussing the temporary issues and the solutions found by the webmaster.
Browsing the web blindly just by starting from the automated results of a search engine (or the promoted commercial sites that rent a placement for some keywords) is just like opening a dictionary at a random page to know what you'll eat for dinner.

Of course it may be useful to know that a site has been compromised, but that won't put the site completely out of business, because the site has its own way to inform its users of what happened, and what was done to solve an issue.

You think that when your mobile phone network is not working (due to some temporary outage) it will make customers so angry that they'll immediately leave and put the phone company out of business? If so, it would be really too easy for any competitor to kill any business.

Thankfully we have some resistance, but what will be important is not the fact that you've been compromised at one time: someone claiming that it is completely impossible on his website is certainly wrong, or he runs a site that is completely inaccessible. What is important is how the issues are managed and solved, and how (and how fast) the site collaborates with others (including its visitors) to solve the issue and avoid similar problems.

It should then be important that every provider of software solutions for webmasters also provides information about the known issues in their software, and how to upgrade. I think that even ZDNet (or CNet or similar large services) are not completely exempt from possible hacks at any time, but the strategy seems to have been to split the network into separate entities so that if one gets compromised, it won't propagate easily to all the others. Some services may then be closed temporarily for maintenance but this won't put the whole site completely and definitively out of business.

The danger comes when you attempt to make a site without strong surveillance but with large contents that you can't monitor alone. If your site is vital for your business, the best thing to do is to avoid making it monolithic. Have a way to make the site use several hosts and different ways to communicate with your visitors: separate your blogs from your forums for the public, have your referrals or partners hosted on another site using other security systems, manage your newsletters and mailing lists elsewhere. Make sure that a significant part of your site does not depend on complex dynamic scripts. For example, use your home page only as a redirector to your dynamic contents, so that you can still redirect it to another safe (uncompromised) place, and still be able to inform your visitors about what's happening (temporary closure of part of your services for maintenance) and when it will be repaired.

Sites that are easy to compromise have always been those hosting dynamic contents where users (or a few authorized persons) can contribute easily, directly from within their browser. SQL injection is known to be easy on many websites featuring PHP pages depending on user accounts, and it allows modifying some significant part of the site by hacking the user accounts. Beware of contact forms (between your users, or trying to contact you or your service providers).

So one good lesson to remember: don't depend only on the Google referral. In order to maintain yourself in business, make sure you develop good relationships with your visitors, allow them to create their own referrals on their own personal pages and blogs. If you are accepting comments by visitors, make sure that you also include a way for other visitors to signal you the offending messages or abuses.
Getting referenced in Google is just a small part of your job. If you just do that, you'll always have to pay, but you won't see your traffic explode as expected.

There's clearly a life for any website outside the generic Google web search engine, but if you do it correctly, you can be sure that Google will detect this "external life" and won't forget your work (in addition you will no longer have to pay so much for the placement; instead others will want to pay you to get their own referral on your site)... And Google (or Yahoo or MSN...) knows that, and it's why they are also supporting their own platforms to host social sites for the masses.
0 Votes
+ -
Scorched Earth approach to...
thx-1138_@... 20th May 2008
...ridding your system of Google is the way I looked at things.

Google are to the public web experience as wolves in sheep's clothing are to sheep.

All the more reason to uninstall all Google apps, BHOs and addons from your system. Having said that, and if you believe that is enough - think again! When I updated my preferred browser to ixquick @ www.ixquick.com I made a premeditated decision to also clear my registry of any residual empty keys and links in the registry (manually, mind you).

It seems still waters really do run deep, for what I discovered in my registry is that Google's *tentacles* spread far and wide throughout the registry, and I then began systematically removing each and every reference. The entire process was not only time consuming but also tedious.

My advice to any person that wants to do away with Google's pervasive presence on their system is to do likewise. Removing the items from the registry is, granted, a difficult task for the uninitiated. However, there are some very good free and commercial registry cleaners that *may*, if nothing else, help alleviate any issues the hidden Google registry items may cause.

Sincerely.
0 Votes
+ -