SEARCH MARKETING BLOG

Analysis of SEO-Hacked Sites

We’ve written in the past about various hacking incidents:

Dozens of sites affected by linking hack, reports Vertical Leap
Hackers Don’t Deface Sites Any Longer

From our experience, this trend of sites getting hacked for the benefit of search engine optimisation is on the rise.  With this in mind, I wanted to explain what typically occurs and offer some advice and tips so that you can minimise the chance of it happening to you.

The Hack – What Happens

These "SEO-Hackers" are using automated systems ("bots") to search for websites that have FTP access with weak security.  They try to access the site by using a number of standard user names (e.g. user, Administrator, or your domain name) and then try to use brute force to crack the password.  They also seem to target web sites with high rankings and a decent PageRank and then use more manual hacking techniques (packet sniffing, etc) to get the username and/or password.

Until I started looking into different log files, I didn’t really appreciate how frequently this occurs.  Our own site gets dozens of these sorts of attempts every day. For example, last night alone the following user names were attempted:

Administrator
Guest
User
Anonymous
Alain
Elisabeth
Natalie
plus many more

None of these are names of valid users or employees, so these systems are simply working through a list of names in a database to see if anything "sticks".

Once access has been obtained, the bot typically logs on and tests access by trying to create a directory with an obscure name.  It then removes this directory and logs off.  The site is now added to a list to be hacked.

Some time later (a few hours) another bot logs into your system.  This time it downloads every index.htm, default.asp, etc. page on your site (from every directory on your site), makes a change to each page that adds a link to a dubious website (usually some Russian movie download site), and then uploads the files back to your site, again into every directory.  You have now been hacked.

The "back door"
.   In addition to the existing pages on your site that have now been hacked, these bots usually upload a small php file to each directory as well.  This file will display what may look like a standard 404 page if accessed with a browser, but a quick look at the source code makes it clear that they are far more sinister.  This file opens a backdoor to your site – allowing a user to upload and download files.  These scripts seem to be uploaded so that when you clean up the hack and potentially disable the FTP user, they can still make changes.

The bot comes back frequently to test access and ensure that the changes are still there.  If the files have been cleaned up and the bot still has access – it will make the modifications again.

Each visit comes from a different computer with a different IP address.  These IP addresses are located all over the world – Latvia, USA, Canada, Germany, Luxembourg, India, Thailand.  During my analysis, there didn’t seem to be any one geographical region that dominated the attempts.

Prevention and Cure

  1. The most important thing that you need to do – immediately – is ensure that any FTP access to your website is restricted by IP address.  This means that you only allow access for your users from a specific site or sites – your office, your web developer’s office, etc.  There are ways to get around this, but it instantly makes the process much more difficult and many of the automated hackers will simply move on to another victim. 
  2. When you remove the modified code from your web pages – ensure that you check every subdirectory on your site and not just your root directory. 
  3. Sort the files in your directories by date and look for a php file (or other scripting file) that was modified at the same time as the web page.  This is the back door script and you need to delete it.  This file will also be in every subdirectory, so make sure you delete it from everywhere.
  4. Check your site regularly and review the external links.  We offer a free tool to do this, but there are many around that can help also.  If you see links that you did not add, review your website immediately: you may have been hacked.
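A small scan that automates steps 2 to 4 of this list, added here as an example and not a tool from the original post: it walks every subdirectory, flags absolute links to hosts not on your allowlist, and lists script files written within a few minutes of a page in the same directory (the likely back door). The sample site tree, host names, file names and timestamps are constructed for the demonstration.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

PAGE_EXTS = (".htm", ".html", ".asp")   # the pages the bot rewrites
SCRIPT_EXTS = (".php", ".pl", ".cgi")   # where the dropped back door usually lands
HREF_RE = re.compile(r'<a\s[^>]*?href\s*=\s*["\']([^"\']+)', re.I)  # simple href scan


def scan_site(root, allowed_hosts, window=300):
    """Return (links, scripts): links are (relative page, url) for absolute links to
    hosts outside allowed_hosts; scripts are script files modified within `window`
    seconds of a page in the same directory, i.e. candidates to inspect and delete."""
    links, scripts = [], []
    for dirpath, _, files in os.walk(root):
        paths = [os.path.join(dirpath, f) for f in sorted(files)]
        pages = [p for p in paths if p.lower().endswith(PAGE_EXTS)]
        page_times = [os.path.getmtime(p) for p in pages]
        for path in pages:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for href in HREF_RE.findall(fh.read()):
                    host = urlparse(href).hostname      # None for relative links
                    if host and host.lower() not in allowed_hosts:
                        links.append((os.path.relpath(path, root), href))
        for path in paths:
            if path.lower().endswith(SCRIPT_EXTS) and any(
                    abs(os.path.getmtime(path) - t) <= window for t in page_times):
                scripts.append(os.path.relpath(path, root))
    return links, scripts


def build_sample_site():
    """Constructed sample tree, not real data: a hacked root plus a clean subdirectory."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "about"))
    files = {  # relative path: (contents, mtime in epoch seconds)
        "index.htm": ('<a href="http://www.example.com/">ok</a>'
                      '<a href="http://movies.example.net/x">injected</a>', 1_000_000),
        "zx9q.php": ("<?php /* placeholder for the dropped file */ ?>", 1_000_060),
        "about/index.htm": ('<a href="/contact.htm">contact</a>', 900_000),
        "about/legit.php": ("<?php echo 'hello'; ?>", 500_000),
    }
    for rel, (body, mtime) in files.items():
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))
    return root
```

Run it as `scan_site("/path/to/docroot", {"www.yourdomain.example"})` against a copy of your site; the allowlist should contain your own hosts and any partner sites you deliberately link to.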

You are not in control of who links to your site; the search engines understand this and therefore do not penalise you if you get some dubious inbound links.  But they assume that you are in control of your own website and who you link out to.  This means that if you are linking to sites that may be considered to be in a "bad neighbourhood", then your site can be held responsible and your search engine rankings may suffer. 

I hope that understanding just one of the ways that sites are getting hacked will help you to understand this problem better and assist you in preventing it as much as possible.