As the Hacked Site Turns, Episodes 1 - 3 - Montana Webmaster

As the Hacked Site Turns, Episodes 1 – 3

A while back, was hacked. For a retail business, this is a tragedy. Because I don’t actively seek new clients, for me it’s an opportunity to tear down a site to find out how the hackers are working. Over the years, many of my clients have come to me because their site was hacked. This was my opportunity to help them understand the nature of this particular attack, because I could afford the time to work through the problem slowly. As I worked through the hack, I posted my findings on Facebook. Here is a compilation of the posts.

Post 1: HA, HA, MY WEBSITE HAS BEEN HACKED AKA, The Sky is Falling, The Sky is Falling

Don’t go to the site in case they have also added some nasty software. I will post a screenshot. I would say the guy is probably from Paraguay, but somehow, the name doesn’t fit. He wants some attention, so here you go dude.

This is the second time this has happened to this site on Modwest. It looks very much like the Secret Agent Moroccans that happened a couple of years ago. So, I have been busy moving people off Modwest, but I didn’t move my own site for old times sake. I guess it’s time to do it! Thanks guys for getting me off my complacency! But, first, I need to get some laundry started. Good thing the washer isn’t digital with a wireless connection or they could hack that too. (Click the link for a very interesting article about hacked appliances.)

Post 2: Actually, the Sky Isn’t Falling

Am I running around in a panic? Nope! I have a load of laundry started on a mechanical washing machine that can’t be hacked. And, I’ve taken a shower. And, I’ve made some posts, and checked my email on one account.

But, what did I do about the hacked site. Well, first I’m so glad that the hackers let me know through a Facebook message or I wouldn’t have been able to get a screenshot before the web host took the site down. So, as I promised, here is what my site looked like starting yesterday evening, based on the file date of the file that created this home page.

So, the first step was taking screenshots! I wouldn’t want you all to miss out on the fun!

Post 3: looking for suspicious activity in the site files

A little web soap opera for your reading enjoyment!

Before I deleted all the files off the web server, I took a look around. This does not seem to be as sophisticated a compromise as I have seen. Sophisticated or not, it was effective on the Modwest servers.

Notice the top asterisk. The file, dated yesterday, is index.html. Notice that the index.php is still there (the index.php file right below index.html). The hackers did not have to delete or change anything, just add their own file into my hosting space.

The reason the site was showing the bad page (see previous post on this topic) is because of how the web server works. Many of you will recall this from my classes. A web server doesn’t know which one of the hundreds or thousands of files that make up your website is the home page. So, you, or your software, has to have a particular file name for the home page; in this case the file is index. That is how the server knows which file is the home page.

But, different types of websites often have different extensions, so the server administrator gives the server a list of file names that might be the home page. In this case, index.html takes precedence over index.php. So, all the hackers had to do was trick the server into taking their index.html file. While the site is actually still intact, the home page shows as their page … see previous post for a screenshot!


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.