Have You Checked Your Website Today?
Published on 11/11/2014
For additional information Click Here
Have you checked your website today?
Part of my morning routine is to check on the stats for the Nove-Noga website using the Google Webmaster Tools. Over time, I have seen a few strange errors marked as well as the few where I made a mistake. Sometimes I have wondered if Google wasn’t just making stuff up just to see if I am paying attention.
Today I found a new one. The link was entirely foreign to me so I went probing deeper into the situation. Given the structure of the link and the apparent target URL, I knew that it wasn’t one of mine. Unfortunately, I marked it as fixed before I made a note of the link in question. Usually Google Webmaster Tools tells me where the link was found. That makes it a lot easier to find and fix. Today was different.
I opened the page at Nove-Noga and right clicked to see the source code. I couldn’t see any problems so I went to my FileZilla tool. Imagine my surprise when I saw that every HTML page except the Index.html had been changed on 11/9/2014.
*Note: For those who are paying attention, that was the day Before I actually started back to work.*
Going to one of the changed pages, I found that a line had been added to my page in the form of a new div element inserted into the body close tag. It was designed to be invisible. What it did was add an invisible list of links to the bottom of my web page. Effectively, this hack is providing numerous backlinks to the pages in question.
One cue to the problem was an extension to the bottom of my page. The new links were not visible but they take up space and added to the bottom of the page. I won’t give them further support by listing these sites here. Let’s just say that I recognized many as the same sort of sites that plop unauthorized posts on our Facebook pages.
The fix for this problem is relatively simple. All I needed to do was upload the latest copies of every page in my website.
While going through my files, I found one uploaded 11/3/2014 labeled ssfm.asp. Curious about it, I Googled “asp file” and then “ssfm asp file”. What I found was a little scary. It appears that this problem has occurred before.
I don’t want to get too technical. I am not an expert on anything except my own website. One of the reasons for creating Nove-Noga from the ground up was so that I would be able to spot and repair problems just like this. Today all of that hard work paid off.
According to the article above, ASP is the file extension for the “Active Server Page” file format. It is used by an HTML file containing a Microsoft server-processed script. To the best of my knowledge, I don’t have any reason to use any such scripts on the Nove-Noga site. Per the article above, “ASP is a feature of the Microsoft Internet Information Server (IIS)”
The information provided gave me a little bit of a guide to what I was looking at. To learn more, I Googled “ssfm asp file”. I found an article from 2006.
The article indicates that GoDaddy experienced a problem in 2005 and 2006. Guess who my service provider is. The details are different. Instead of the ASP file being placed in a subdirectory, it was placed in the website root directory. My subdirectory pages were not affected. Given the two activity dates, I don’t know if my pages were subjected to one hack or two. I communicated with GoDaddy as soon as their chat desk opened up to make them aware of the problem.
Their first advice was a prompt change of my ftp password. To set up your FileZilla FTP Quickconnect you will need to know the following.
Host = sitename.com
Username = FTP Users
Port = 21 (Default for FTP is 21.)
To change an existing Quickconnect in your FileZilla FTP simply enter the information in the fields. Then Click [Quickconnect].
So what does this all mean? While it is possible that someone got my password and made changes to my files, I have some good reasons to doubt it. I am concerned that this is the tip of an iceberg. The additions to my web pages were essentially just a bunch of links designed to increase backlinks to their sites. *Note: These are all gone now. Nove-Noga is Safe.*
The ssfm asp file is of more concern. I removed and quarantined it so that it can do me no harm but there is no way that I am going to inspect it. I don’t know whether it caused my subsequent problem or if it represents the first attack. There is one thing that I know. I will be keeping an even closer eye on my site in the future. Have you checked your website today? Vigilance is its own reward. Nove-Noga!