Yipes, badwared...

A few weeks ago, my site got hacked. The attacker inserted an iframe pointing to a malware site into most of my HTML pages. That of course is bad, but the story doesn't end there. (I should of course have upgraded my OS from the ancient one my hosting company gave me years ago, but they don't really support that, and feel an upgrade consists of rebuilding from scratch.)

I cleaned out the entire site and searched for any remnants of the bad link. Having done this, I thought all was well. However, as it turns out, while the ideas.4brad.com domain and other domains were clean, the 4brad.com domain, which I don't use for anything, still had a web server on it, pointing at a different directory far from where I keep my own web sites. (I try to never put my stuff in system directories.)

Unfortunately Google, for unknown reasons, looked at 4brad.com, even though there are no links to it anywhere on the web, and found the placeholder page, with the hacked link in it. From there it declared the entire site, including ideas.4brad.com, to be a malware site. I think that's a bug, since there were never any malware links on ideas.4brad.com pages -- this is a Drupal site, and while the hacker's script attempts to modify PHP scripts, it did not do so correctly, and just broke them. Running Linux, I didn't see the malware hacks on the other sites where they made the changes, but found them soon enough and removed them for now.
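The lesson of the forgotten vhost is that a cleanup has to start from the web server's configuration, not from the directories you remember owning. The script below is an added example, not the author's tooling: it parses every DocumentRoot out of an Apache-style vhost config, walks each root, and flags the two artefacts described above, a hidden (zero-size or invisible) iframe in HTML and an obfuscated eval() loader in PHP. The vhost names (ideas.example.com, example.com), the malware.example host, the directory layout and the file contents are all constructed for the demo; the indicator patterns are generic heuristics, not signatures from this incident.

```python
"""Scan every Apache DocumentRoot for injected iframes and tampered PHP.

Added example, not the blog author's code. Assumptions (all hypothetical):
Apache-style <VirtualHost> config, generic injection heuristics, and a
throwaway site tree constructed below as sample data.
"""
import os
import re
import tempfile

# Hidden iframe heuristics: zero-size, display:none or visibility:hidden.
IFRAME_RE = re.compile(
    r"<iframe\b[^>]*"
    r"(?:width\s*=\s*[\"']?0(?!\d)|height\s*=\s*[\"']?0(?!\d)|"
    r"display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>",
    re.IGNORECASE | re.DOTALL,
)
# Obfuscated PHP loaders typical of mass-infection kits.
PHP_RE = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
SCAN_EXT = {".html", ".htm", ".php", ".phtml", ".js"}


def parse_document_roots(config_text):
    """Map ServerName -> DocumentRoot for every <VirtualHost> block.

    Listing every root, used or not, is what surfaces a forgotten
    placeholder site like the one in the post.
    """
    roots = {}
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>",
                            config_text, re.IGNORECASE | re.DOTALL):
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.MULTILINE)
        root = re.search(r"^\s*DocumentRoot\s+\"?([^\"\s]+)\"?", block,
                         re.MULTILINE)
        if name and root:
            roots[name.group(1)] = root.group(1)
    return roots


def scan_file(path):
    """Return a list of (indicator, snippet) findings for one file."""
    findings = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            text = f.read()
    except OSError:
        return findings
    for m in IFRAME_RE.finditer(text):
        findings.append(("hidden-iframe", m.group(0)[:80]))
    if path.lower().endswith((".php", ".phtml")):
        for m in PHP_RE.finditer(text):
            findings.append(("obfuscated-php-eval", m.group(0)))
    return findings


def scan_roots(roots):
    """Walk every DocumentRoot; return {vhost: {relative_path: findings}}."""
    report = {}
    for vhost, root in roots.items():
        hits = {}
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                if os.path.splitext(fn)[1].lower() not in SCAN_EXT:
                    continue
                full = os.path.join(dirpath, fn)
                found = scan_file(full)
                if found:
                    hits[os.path.relpath(full, root)] = found
        report[vhost] = hits
    return report


def build_demo_site():
    """Construct a throwaway site tree mimicking the incident (sample data)."""
    base = tempfile.mkdtemp(prefix="vhost-scan-")
    blog = os.path.join(base, "home", "user", "www", "ideas")
    bare = os.path.join(base, "var", "www", "html")  # forgotten placeholder root
    os.makedirs(blog)
    os.makedirs(bare)
    with open(os.path.join(blog, "index.html"), "w") as f:   # clean blog page
        f.write("<html><body><p>Clean page.</p></body></html>\n")
    with open(os.path.join(bare, "index.html"), "w") as f:   # injected iframe
        f.write("<html><body>Placeholder\n"
                "<iframe src=\"http://malware.example/in.cgi\" width=0 height=0>"
                "</iframe></body></html>\n")
    with open(os.path.join(bare, "info.php"), "w") as f:     # trojaned PHP
        f.write("<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n")
    config = ("<VirtualHost *:80>\n  ServerName ideas.example.com\n"
              f"  DocumentRoot {blog}\n</VirtualHost>\n"
              "<VirtualHost *:80>\n  ServerName example.com\n"
              f"  DocumentRoot \"{bare}\"\n</VirtualHost>\n")
    return config


def run_demo():
    """Build the sample tree and scan every root found in its config."""
    return scan_roots(parse_document_roots(build_demo_site()))


if __name__ == "__main__":
    for vhost, hits in run_demo().items():
        print(vhost, "clean" if not hits else "")
        for rel, found in hits.items():
            for kind, snippet in found:
                print(f"  {rel}: {kind}: {snippet}")
```

On a real host, feed parse_document_roots() the concatenated contents of httpd.conf and the sites-enabled directory, and treat the output as a starting point only: an empty report means the heuristics found nothing, not that the box is clean, which is why the post still ends in a rebuild from a fresh install.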

Alas, that means for some time people have been directed away from this blog by Google. It shows up in search results, but you can't actually click on the results, and there are warnings that going to the site may harm your computer (you get these warnings even on non-Windows computers, which is reasonable, I guess, if incorrect). I've asked the site stopbadware.org, which Google teams with, to confirm the hacks are gone, and now I have to rush out to rebuild the site from a fresh install. Sigh.

Update: Google reacted to the cleanup of 4brad.com very quickly and no longer lists the domain as unsafe. I did file a review request with stopbadware.org -- perhaps they are much faster than they let on.

I'm shopping for hosting. I think I will upgrade to dedicated hosting, even though virtualized hosting has its merits. As I wrote before, it would be great if MySQL could be virtualized independently of the OS. The ideal marriage would be a virtualized Linux with access to shareable, non-virtualized services like web serving and database. The trick is memory. A typical virtual host will have 16 copies of MySQL and 16 copies of Apache and 16 copies of PHP or similar running on it. Because virtual machines don't truly understand how much memory they have, or see the paging of the underlying OS, they can't manage memory as well. But their ability to burst into unused capacity is a big win.

Comments

Brad,

I follow your blog and work at a security monitoring company. I would be happy to arrange for a free account for you -- we can certainly help you with better detection/prevention.
