Two weeks ago my personal blog (StorageMojo) was hacked. Turns out that Google can be a bigger problem than the hackers. Here's how it works and tips on protecting yourself.
"Don't be evil" is a pretty low bar
There’s been a lot of blog hacking going around. The criminals know that many folks with small websites and blogs are easy targets.
Break into a site, plant links, let Google index it and all of a sudden millions of queries will be coming to the hacked sites. Put ads on the screen and see who bites.
What being hacked looked like
It took a while to grok how deeply StorageMojo had been hacked.
First I got a note from my hosting company - something about a network daemon on my site - and I told them to take it down. Which they did.
Thought I was done.
But I wasn’t
Then the CTO at Nexsan told me that Firefox was flagging StorageMojo for malware. Went into the StorageMojo files on WordPress and discovered some iframes that I hadn’t put there.
Pulled them out. Then I went through all my site files and discovered all kinds of folders that I hadn't put there. With names like Emma, Alexander and Jordan with links to sites I'd never heard of.
Trashed them. Continued looking and found images, scripts and other less obvious folders that didn't belong. And the least used of my 3 websites had been totally replaced with hacker files. The other 2 sites worked fine.
Trashed them all. Loaded my backup copy of the site - you have one, right? - and I was back in business.
Found the malicious code. Very professional. Replicated in several places. Language = ru, for Russian.
Thought I was done.
Here comes Google
Upgraded to the latest version of WordPress. Failing to do so was probably my downfall. But to be safe I updated passwords - even though they probably hadn't been hacked - enabled secure SFTP on my FTP client - the software that uploads files to the host - and more.
Thought I was done.
Getting rid of the hacked files wasn’t the end of it
A week later my hosting company notified me that the load on my server was excessive and they’d disabled StorageMojo. I make money off StorageMojo so that was bad news.
Yikes! Had I been hacked again? DDoS attack?
But this time I felt like I knew what to do. Wrong again.
In short order I brought up my SFTP client, my tracking site and the Dreamhost webpanel. I tossed a new index.html file into the site folder to let people know that the problem was getting addressed.
Google post-hack problem 1
All the hacked files were gone. Google had spidered the site after that but they still had the links in their search results.
So the Sri Lankan looking for Tamil porn videos was coming to StorageMojo for a non-existent page and getting a "System Error" message - instead of a low overhead static 404 page. And that was killing the virtual server's performance.
After a few hours the Google referral traffic declined and my hosting company put StorageMojo back up - now serving up a StorageMojo page from cache that says "No articles found." Much lighter.
Google post-hack problem 2
Then I get a note from Google about the 3rd site I host - an online brochure for a friend's small business. I'd cleaned it at the same time I did StorageMojo.
Removal from Google's index
Dear site owner or webmaster of . . . ,
While we were indexing your webpages, we detected that some of your pages were using techniques that are outside our quality guidelines, which can be found here: http://www.google.com/webmasters/guidelines.html. This appears to be because your site has been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.
The following are some example URLs from your site:
In order to preserve the quality of our search engine, we have temporarily removed some of your webpages from our search results. Currently pages . . . are scheduled to be removed for at least 30 days.
We would prefer to have your pages in Google's index. If you wish to be reincluded, please correct or remove all pages (may not be limited to the examples provided) that are outside our quality guidelines. One potential remedy is to contact your web host technical support for assistance. For more information about security for webmasters, see http://googlewebmastercentral.blogspot.com/2007/09/quick-security-checklist-for-webmasters.html.
When you are ready, please visit https://www.google.com/webmasters/tools/reinclusion?hl=en to learn more and submit your site for reconsideration.
Google Search Quality Team
A very nice note. So I went to the webmaster site, filled out the form, explained what had happened and was informed that it could take 4-6 weeks to get the site indexed again.
4-6 weeks!?! If that was an e-commerce site I'd be out of business! I know the web is a big place - but Google is a big company with a monopoly on search. They need to do better.
Some tips on site security
Everybody talks about security . . . . Here are my suggestions based on this experience and research.
- Noticed that the Dreamhost web management system doesn’t make new passwords easy - password management is spread across several different tools - which guarantees that people won’t change them very often. I suspect this is generally true across hosting companies. But at least make sure you have tough passwords.
- Read up on security. A couple of good sites are Blog Security and Stop Badware. Google's checklist above is also helpful.
- Best Google advice:
SSH and SFTP should be used for data transfer, rather than plain text protocols such as telnet or FTP. SSH and SFTP use encryption and are much safer. For this and many other useful tips, check out StopBadware.org's Tips for Cleaning and Securing Your Website.
- Inspect your site files and/or logs regularly. The bogus files were more recent than virtually anything else on my sites, making them easier to find when looked for by date.
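A daily sweep that applies the last tip, added here as an example and not part of the original post: it lists files under a site's document root modified in the last N days and flags PHP/HTML files carrying an iframe tag, since fresh folders and planted iframes were how this break-in showed up. The directory layout and sample files it builds are constructed for the demo; run it from cron and mail the output for the change summary.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks a site owner can
# run against a WordPress document root, plus a constructed demo tree.

# list_recent DIR DAYS: print files under DIR modified within DAYS days.
# Injected files are usually the newest things on the site, so sorting
# by age surfaces them quickly.
list_recent() {
    find "$1" -type f -mtime "-$2" | sort
}

# find_iframes DIR: print .php/.html files under DIR containing <iframe>.
# A site that never uses iframes should get an empty result.
find_iframes() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' \) -print0 \
        | xargs -0 grep -il '<iframe' 2>/dev/null | sort
}

# make_demo_site: constructed site tree with one old plugin file and an
# old index, a freshly added spam folder, and an iframe planted in footer.php.
# Legitimate files are backdated so only the injected ones look new.
make_demo_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/plugins/legit" "$d/wp-content/uploads/Emma"
    printf '<?php // legit plugin\n' > "$d/wp-content/plugins/legit/plugin.php"
    printf '<html><body>ok</body></html>\n' > "$d/index.html"
    printf '<a href="http://example.invalid/">spam</a>\n' \
        > "$d/wp-content/uploads/Emma/index.html"
    printf '<?php echo "<iframe src=\\"http://example.invalid/\\"></iframe>";\n' \
        > "$d/footer.php"
    touch -t 202001010000 "$d/wp-content/plugins/legit/plugin.php" "$d/index.html"
    echo "$d"
}

# Demo run: report what changed in the last 7 days and any iframes.
site=$(make_demo_site)
echo "Files modified in the last 7 days:"
list_recent "$site" 7
echo "Files containing an <iframe>:"
find_iframes "$site"
```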
The Storage Bits take
I now know I will never be done. The rest of you with blogs should learn by my misadventure.
The biggest surprise is that there are many things that can be done to make sites harder, but they are not the defaults. You have to do some research and sometimes some configuration.
That is wrong. Other than general exhortations to update software, hosting companies don't make it easy to manage security. Not many consumers are going to dig into log files every couple of days.
How about offering to email a summary of site changes every day?
There are many security suggestions but very little empirical data on what really works. While keeping current is priority 1, what should priority 2 be? And 3?
Google is *trying* to be helpful - but has room to improve. Why am I still getting hits for stuff that was removed 2 weeks ago? They have an awesome power to kill people's businesses through unresponsiveness.
How about "Don't be evil or slow" for a motto?
Comments welcome, of course.