Hacked: A Descent into the Malware Inferno

Summary: I was hacked last Saturday night. My nine sites went down. Three days later, everything’s back in order but it was no fun. I hope it never happens to you, but just in case, I’ll document the blow-by-blow below. In the end, an online service called Sucuri put things back in order.

First thing Sunday morning, I dropped in at the Internet Time Alliance water cooler on Skype. Jane had posted a warning that my sites had been hacked in the night.

When I tried to log on to my blog, I was confronted with this warning notice:

Google issues alerts like this to warn visitors of malicious sites. I began to get nervous.

I called BlueHost, my ISP. They had backed up my sites around midnight. I asked them to restore everything from the backup. Alas, the hackers had broken in earlier, so the backup was riddled with malware, too.

BlueHost has been a great ISP. They offer all kinds of services and nearly unlimited storage for $10/month. They answer the phone! They are generally very helpful. When I called them back, however, all they could offer were a few pages of general anti-malware advice and the suggestion that I look through my directories for suspicious files. Hmmm. I’ve been online for years. I maintain more than a dozen sites. I have about 28 gigabytes of material in some 90,000 files. Too much to eyeball.

My associate Paul Simbeck-Hampson got on the case, feeding me information on malware he found on the net. I was frantically scanning files on jaycross.com and internettime.com, the sites that seemed to be generating the error messages. Needles in haystacks. This was going nowhere.

Paul pointed me to Sucuri. They have a free malware scanning tool at Sucuri.net. The tool confirmed that internettime.com had been compromised.
Oh, great. I visited Google off and on again. Google’s webmaster tools help you see what’s going on.
Drilling down on my nine active sites was demoralizing.
Around 1:15 pm, Paul suggested I call in the pros. I nosed around Sucuri’s site while Paul checked them out on the web.

I didn’t know what else to do at this point. Sucuri offers a fix-it package for $89 for one site. I had nine sites I wanted to keep. Hence, I signed up for their $290 business deal. I’m glad I did.

Around 3:00 pm, I submitted a Malware Removal support ticket at Sucuri. They emailed me that I needed to complete one ticket per site. Half an hour later, they notified me that I had given them a bad FTP password. I didn’t see the notice until 24 hours later. Half an hour after that, Sucuri was cleaning malware out of the sites and locating obsolete installations of WordPress on my site.

The next day, Sucuri started emailing that this site or that one was free of malware. However, a few of the sites gave me 500 Server Errors or would not let me log in. Sucuri went back to work, looking at file permissions and so on.

The Google alert notices were still up. In fact they were proliferating. Sites that linked to internettime.com were receiving warnings. My Gmail stopped functioning because it was connected to internettime.com. My wiki was quarantined. I pinged Google to re-check the health of my sites. Then I discovered that it generally takes 10 hours after a site is pristine for Google to take down the warning.

Supposedly, everything is back in working order now. I’ve followed Sucuri’s advice for preventing this in the future.

I’ve spent the better part of three days clearing obsolete material from my sites and looking for prank code. Miraculously, I found a rogue script that had been injected into a .php file and quashed it. Most of the time I felt like I was playing a game in which I only knew half the rules. I was nervous that I’d lose huge swaths of material that I should have backed up — but hadn’t. These three days have been among the least productive of my life. Malshare got all my mindshare.

How did the bad guys get in? I’ll never know. It could have been one of the obsolete versions of WordPress I’d forgotten about. Or a rogue script we’d brought in to handle contact requests. Or a file with the wrong permissions. Heaven only knows.

One site remains off the air. When I try to update a couple of others, I receive server errors. These are minor annoyances compared to what’s been happening.

I am so glad this nightmare is over.

I’ll be keeping my WordPress installs and extensions up to date from now on.

I recommend Sucuri for dealing with malware. All our correspondence has been through trouble tickets and email but they have been quite responsive.
