I got hacked! And disappeared.
Eventful week for the website here. First my ISP shut down all the server ports, then I find out the site has been hacked.
On Sunday night, the internet connection at my apartment died. I rebooted the modem and everything, but it wouldn’t come up. It was late so I just went to bed and figured I’d check it the next morning. Seemed to be working the next morning, if a bit slow, so I went off to work.
Then I tried to check my email by using remote desktop back to home. Didn’t work. Tried jonnythan.com, didn’t work. Figured the connection was down again and waited for Emily to get home. She got online just fine. Turned out that TW started blocking incoming packets on all common ports, leaving me to start looking for other hosts.
I found EvilHosting, a free host with no ads for non-profit web pages. Looked good, signed up. By the time they got back to me something else had happened – all the ports were opened again, so everything worked as usual. I do recommend EvilHosting, though.
I suppose TW may have had some network issues and temporarily closed everything. Or maybe they were testing some new software they may (hopefully not) implement in the future. Either way, while testing the other sites I host, I got the dreaded Firefox GET ME OUT OF HERE image, warning me that the site was hosting malware.
Surely this is wrong, so I immediately fired off an email explaining that there’s some mistake. Then I started looking at the HTML files referenced in the warning. There were mysterious iframe scripts that were opening Chinese domain names. What the hell?
Checked the server logs and noticed that someone in the Netherlands was logging in as the user who runs the pages and uploading a few HTML files every week or so. These HTML files included scripts that install malware on unpatched Windows systems running old versions of IE. Not particularly effective, but they were still there and I was still blacklisted.
The most interesting part is that there were no failed logins from this user. Just some FTP transactions. So someone in the Netherlands found out this user’s password and proceeded to mess with the site. Thankfully the user account is a limited account and wasn’t able to do anything else on the system. Not that they even tried.
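The two checks that caught this one (injected iframes pointing off-site, and successful logins from an unexpected source with no failures to trip a brute-force alarm) can be scripted. The block below is an added example, not code from this site; the HTML, the log format (`date time user ip LOGIN OK|FAIL`) and the IP addresses are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeFinder(HTMLParser):
    """Collect the host of every <iframe src=...> in a document."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        host = urlparse(dict(attrs).get("src") or "").hostname
        if host:
            self.hosts.append(host.lower())


def offsite_iframes(html, site_host):
    """Hosts of iframes that do not belong to the site itself: injection candidates."""
    finder = IframeFinder()
    finder.feed(html)
    site_host = site_host.lower()
    return sorted({h for h in finder.hosts
                   if h != site_host and not h.endswith("." + site_host)})


# Constructed log format (hypothetical, not any particular FTP daemon's):
#   "<date> <time> <user> <ip> LOGIN <OK|FAIL>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}) LOGIN (OK|FAIL)$")


def unexpected_logins(log_lines, expected_ips):
    """Successful logins from IPs outside the expected set.

    A stolen password produces no failed attempts, so counting failures
    finds nothing; successes from unfamiliar sources are what stand out."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and m.group(4) == "OK" and m.group(3) not in expected_ips:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


# Constructed sample input: one legitimate iframe, one hidden off-site one.
SAMPLE_HTML = """<html><body><p>Welcome</p>
<iframe src="http://www.example.com/about.html"></iframe>
<iframe src="http://injected.example.org/x.html" width="0" height="0"></iframe>
</body></html>"""

# Constructed sample log: the owner's address is 192.0.2.10; two weekly logins come from elsewhere.
SAMPLE_LOG = [
    "2008-03-10 02:14:07 webuser 203.0.113.7 LOGIN OK",
    "2008-03-11 18:02:51 webuser 192.0.2.10 LOGIN OK",
    "2008-03-17 02:16:33 webuser 203.0.113.7 LOGIN OK",
]
EXPECTED_IPS = {"192.0.2.10"}
```

Running `offsite_iframes(SAMPLE_HTML, "www.example.com")` lists only the injected host, and `unexpected_logins(SAMPLE_LOG, EXPECTED_IPS)` returns the two logins from 203.0.113.7.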
Changed passwords, informed user, Google dropped the warning, all is well.