Has Your Website Been Hacked or Hijacked?
Published on 11/18/2014
How would you know if your website has been hacked or hijacked? You might not know unless you were watching carefully. I know this because it happened to me recently.
On 11/11/14 I posted a Press Release regarding the discovery of intrusions to my website and the steps that I took to solve the problem. Have You Checked Your Website Today?
Unlike some of the more malicious hacks that we have heard about, these intrusions seem to be designed “only” to increase backlinks and redirect pages to specific sites. I think that is a big enough problem to be concerned about. We have taken the time to create our sites. Why should we let anyone pirate our traffic? On the other hand, what if this is only the beginning?
What is the Nature of the Problem?
The problems that I found came in two forms. First, I found two different ASP files that I had not uploaded and that have no purpose in my website: ssfm.asp and default.asp. I did not check ssfm.asp to see what it did. Default.asp was designed to mimic my Index page with the addition of a SCRIPT element as the first line of code. The second form was changes to all of my HTML files except Index.html (the Home Page).
*Note: The change to my pages was the addition of a div element at the closing body tag in my original HTML file. There was no reference to the SCRIPT elements mentioned elsewhere.*
How can you tell if your site has been hacked?
1) Has anything been uploaded since the last time that you uploaded files to your website? I use FileZilla for my uploads. The date and time shown for each file on the website is that of its upload. In FileZilla you have several sorting options. Click [Last modified] to sort things by last modified date/time. It happened that the changes to my site were made during a period of inactivity. It was easy to see what had been changed and upload the original files.
2) Are there any files on your site that you did not place there? Mine is a simple html site. When I saw ssfm.asp in my File List I KNEW that something was wrong. A couple of days later, the file default.asp was uploaded. It was essentially my Index file with the addition of a SCRIPT element in the first line.
*Note: If you find one of these SCRIPT elements in the beginning of your file, check out https://who.is/ to see who the owner of the site is. All of the ones that I have found have pointed to one of two owners.*
3) Check your web pages as they appear online. Mine begin with the DOCTYPE HTML element indicating that they are created in HTML5. When I saw that the first line was a SCRIPT element, I KNEW that I had been hacked. Because I created my own site from the ground up, I have the files on my computer. If you have someone create and upload your site, consider making the effort to learn how to keep copies of your own files.
4) Be alert for 404 – File not found errors for your website. One of my daily tasks is to check Google Webmaster Tools for stats including any “Crawl Errors”. This was one of my first indicators of an existing problem. Once you have corrected the problem, 404 errors can alert you to others with problems. Consider reaching out to them to let them know about the problem. Feel free to reference this page in your messages. If we work together, maybe we can put an end to this problem.
5) Use your Browser to check for YourSite.com/ssfm.asp and YourSite.com/default.asp pages. If you don’t get a 404 File Not Found message, you know that you have found a suspect page. Most browsers allow you to View Page Source, usually by right clicking an inactive area of the page. This will allow you to review the code for any page.
6) Use a search engine to see what comes up for your site. I have found several search engine results that did not go where expected.
Know Your Site:
When I first started writing my website, I did it the hard way. I learned how to use HTML to create my own site because I wanted to be able to know what was going on with it. Subsequently, I have written every line of code on my site. Now all that hard work has paid off.
What to Do if You Have Been Hacked:
You may want to consult a Professional first. For the hacks that I found it was enough that I eliminated the unwanted files and uploaded clean copies of those that had been changed. If you have a complex site, you may be looking at a larger problem. This is especially true if you use ASP files on your site.
Keep a Record:
Before you make any changes, you might want to copy the changes you find and save them in a txt file on your own computer where they can do no harm. You may also want to consider reaching out to others that have been affected. I have been using WhoIs to Identify the owners of some of the affected sites.
The Steps I Took for my HTML5 Site:
1) Copied changed information to a TXT file so that I could use it to track down other victims and the culprits.
2) Deleted bad files in the Main Directory of my Site. These were ssfm.asp and default.asp.
3) Uploaded Clean Copies of my HTML5 pages.
4) Added a check of my site to my daily routine. I am looking for changes to my site since the last change that I made myself.
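The file checks from "How can you tell if your site has been hacked?" and the daily check in step 4 can be automated. The script below is an added example, not the author's own code: it compares a copy of the live site with a record of the original files and reports unexpected files, changed pages, and pages that begin with a SCRIPT element. The function names, the sample page contents and the placeholder.example address are constructed for illustration.

```python
import hashlib
from pathlib import Path

def load_tree(root):
    """Map each file's relative path to its bytes (for a folder of originals or a downloaded copy)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}

def manifest(tree):
    """SHA-256 of every known-good file; keep this alongside your original files."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in tree.items()}

def first_line(data):
    """First non-blank line of a page, lower-cased, for the DOCTYPE/SCRIPT check."""
    for line in data.decode("utf-8", "replace").splitlines():
        if line.strip():
            return line.strip().lower()
    return ""

def audit(baseline, live):
    """Compare the live site with the baseline manifest and return (file, problem) pairs."""
    findings = []
    for name in sorted(live):
        data = live[name]
        if name not in baseline:
            findings.append((name, "unexpected file"))
        elif hashlib.sha256(data).hexdigest() != baseline[name]:
            findings.append((name, "modified"))
        if first_line(data).startswith("<script"):
            findings.append((name, "SCRIPT element on first line"))
    for name in sorted(set(baseline) - set(live)):
        findings.append((name, "missing from site"))
    return findings

# Constructed sample data modelled on the changes described on this page.
PAGE = b"<!DOCTYPE html>\n<html><body><p>Welcome</p></body></html>\n"
CLEAN = {"index.html": PAGE, "about.html": PAGE}
LIVE = {
    "index.html": PAGE,
    "about.html": PAGE.replace(b"</body>", b"<div>added links</div></body>"),
    "ssfm.asp": b"(contents unknown)",
    "default.asp": b'<script src="https://placeholder.example/x.js"></script>\n' + PAGE,
}

if __name__ == "__main__":
    for name, problem in audit(manifest(CLEAN), LIVE):
        print(f"{name}: {problem}")
```

For a real site, download the live files by FTP into a folder, then pass load_tree() of that folder and manifest(load_tree()) of your folder of originals to audit().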
This May Only Be the Beginning:
In my research over the past few days, I am just beginning to get an idea of the size of the problem that we are looking at. I don’t want to simply publish a list of hacked sites. In many cases there is no need to have someone’s site quarantined. All they need to do is clean up their site.
I believe that this is an ongoing process. These people may be targeting sites that are not being watched by their owners. If their first efforts are not rebuffed, they may take further, more harmful actions. Some pages “appear” unaffected even though I can see the SCRIPT element in their page source. Other pages redirect me to another page, usually the same one from the other redirects. In at least one of the pages that I have investigated, I believe that site has been completely taken over by another page.
Nove-Noga.com is Safe:
And I plan to keep it that way. It was easy for me to spot the changes because they were made during my recent period of inactivity. I have cleaned my pages and my site links now go where I want them. Reports from Google Webmaster Tools have shown me that I was not the only person affected.
Has Your Website Been Hacked or Hijacked?
If you own a website, then you need to make sure that you Check It Today! Do you know someone who owns a website? Please pass this message on to them. I tried contacting my service provider about this situation. They don’t seem to be able to do anything about the problem. Apparently it is up to us. Because of that, I am asking Everyone to Please Share this message. If we all work together, maybe we can solve this problem. Nove-Noga!