This past Saturday I visited my Google Webmaster Tools account to do a few checks on my own websites, as well as the handful of client websites that I manage. There was a message from Google, “Notice of Suspected Hacking on…” The Google message contained one or two suspicious URLs from the website.
This set off all kinds of alarm bells in my head, so I immediately went to the site’s hosting account, looking for the file that Google mentioned in the suspicious URL. And there it was!
(For the sake of privacy of my client’s site, I won’t mention the exact name of the suspicious file – a Google search for the file shows which website was compromised – but I will tell you that it was a PHP file with a name made up of 5 random characters, e.g. bwrts.php)
I immediately downloaded the file to check it out. When I opened the file in my PHP editor, it was base64 encoded, which was basically a confirmation in my mind that this file served some or other dangerous purpose. Further investigation led me to find out that this file was part of a system to deliver fake AV trojans to visitors of other websites.
Since I had my own experiences a year earlier with fake AV trojans, this really infuriated me!
I then scrutinized the rest of the website and found an unknown directory named “.files”. It contained a little more than 4,000 HTML files. I downloaded all of those and inspected a few of them. They seemed to be more or less identical, except that they were all named after recent popular search engine search terms, e.g. “super bowl 2011.html”.
The HTML files also contained links to other websites that appeared to have been compromised in the same way as mine, e.g. links like “www.website.com/bwrts.php?search-term”. I did a WHOIS lookup on those sites and discovered that they were all hosted by the same company that hosts my website! It was clear… those bastards had hacked into the host’s server and compromised a whole bunch of sites on the server!
I immediately contacted the website host and made them aware of the situation. A few hours later they assured me that everything had been cleaned up. I don’t really know what they did because I did all the cleaning on my website.
Cleaning Up The Hack
Here are the steps I followed to clean it all up:
- Deleted the PHP file referenced in the Google message.
- Looked for further unknown, oddly-named PHP files throughout the entire website. I found one tucked away in my /images folder and deleted that too.
- Deleted the entire .files folder that contained the bad HTML files.
- Disabled the master FTP account on the website (done from the Control Panel).
- Created a new FTP account for uploading or downloading files and created a complex password for that account that uses a mix of letters, numbers, and punctuation characters.
- Informed the website host of the situation to allow them to take action on their end.
- Submitted a reconsideration request to Google to inform them of what I found and what I did to fix it, and asked them to confirm from their side that the site was no longer compromised.
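The three indicators described above (oddly named PHP files, base64-obfuscated PHP, and a hidden directory full of generated HTML pages) can be checked for with a script like the one below, added here as an example and not part of the original post. The five-letter name pattern, the eval/base64 marker, the allow-list and the 20-file threshold are assumptions, and the sample site it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the post): scan a web root for the indicators the
# post describes. Name pattern, eval/base64 marker and threshold are assumptions.

# PHP files named with exactly five lowercase letters (e.g. bwrts.php). Real
# names like index.php or login.php fit that shape too, so allow-list them.
find_random_named_php() {
  find "$1" -type f -name '*.php' | grep -E '/[a-z]{5}\.php$' |
    grep -vE '/(index|admin|login)\.php$' || true
}

# PHP files that feed a base64-decoded blob straight to eval().
find_encoded_php() {
  grep -rlE --include='*.php' \
    'eval[[:space:]]*\([[:space:]]*base64_decode' "$1" || true
}

# Dot-prefixed dirs holding more than $2 HTML files (the ".files" dump);
# prints "<count> <dir>" per hit.
find_hidden_html_dirs() {
  find "$1" -mindepth 1 -type d -name '.*' | while read -r d; do
    n=$(find "$d" -maxdepth 1 -type f -name '*.html' | wc -l | tr -d ' ')
    if [ "$n" -gt "$2" ]; then printf '%s %s\n' "$n" "$d"; fi
  done
}

# Run all three checks against a web root and print a labelled report.
scan_webroot() {
  printf '== oddly named PHP ==\n';     find_random_named_php "$1"
  printf '== eval(base64_decode) ==\n'; find_encoded_php "$1"
  printf '== hidden HTML dumps ==\n';   find_hidden_html_dirs "$1" 20
}

# Constructed sample site (no real data): a clean index.php, two planted
# five-letter PHP files (one under /images, as in the post) and a hidden
# directory of 30 generated pages. Prints the temporary path it created.
make_sample_webroot() {
  root=$(mktemp -d)
  mkdir -p "$root/images" "$root/.files"
  printf '<?php echo "site";\n' > "$root/index.php"
  printf '<?php eval(base64_decode("aGk="));\n' > "$root/bwrts.php"
  printf '<?php eval( base64_decode("aGk="));\n' > "$root/images/qzxkp.php"
  i=0
  while [ "$i" -lt 30 ]; do
    printf '<html>%s</html>\n' "$i" > "$root/.files/term-$i.html"
    i=$((i + 1))
  done
  printf '%s\n' "$root"
}
```

Source the file and run `scan_webroot /path/to/webroot` against the site's document root; `scan_webroot "$(make_sample_webroot)"` reports the three planted findings and nothing for the clean index.php.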
I hope this never happens to you, and if it does, I hope my story helps you to rescue the situation fast.