Today I received an alert that one of our websites was reported by Google as being the victim of hacking and was being flagged as possibly dangerous in their search results. This immediately caught me off guard because our server admin, Matt Critcher, is one of the best in the business and nothing gets past this guy. We have several years of research and development and no telling how much cash invested in the security of our hosting environment. Granted, securing a server is something you have to work at just about everyday to eliminate new threats as they arise, and believe me, we take security very seriously.
Upon receiving this notification I immediately logged into the website that had been flagged and started looking for anything out of the ordinary. I was able to immediately eliminate most of the usual list of characters you see w/ open-source software attacks such as defaced pages or redirection scripting. I kept digging around and finally got on Skype w/ Matt to see if he had seen anything out of the ordinary from his end. We did some investigating and discovered that the hack itself wasn’t something that we could actually see on the website itself, but instead, it showed up in the Google search results for that website. In all of my years developing websites I can honestly say that I have never seen a hack quite like this before.
I did a little research and quickly stumbled upon this article on pearsonified.com discussing the “pharma hack” on websites running WordPress, they too had in fact fallen victim to this exploit and offered up some great information on how to diagnose the hack and furthermore how to eliminate it from your WordPress installations (which is somewhat tedious to do). I also ran across an awesome tool for scanning your website by Securi that is hosted online at this location. A few hours later Matt had already rid our servers of this exploit but not before we had discovered it in a few other locations, including this website. See screengrab of Google results at the bottom of this post.
Keep in mind that we keep a very close eye on all of our software installations and perform frequent updates to insure we have the latest versions of every application running. Somehow this sneaky hack found it’s way into our ecosystem, and quite honestly that’s an accomplishment on whoever launched this exploits part. I spoke to a friend this afternoon who also has a web hosting company and he had just learned that several of his clients were reporting inaccurate Google search results for their websites as well.
The questions I have at this point pertain to how in the world something like this could happen. I hope to learn more over the course of the next few days and will report back anything I should run across. In the meantime, it might not be a bad idea if you run WordPress to do a quite Google search for your website by entering in [site:www.yourdomain.com] to see if you have any weird page titles or meta information showing up, or give the Securi scanner a try to see if it can locate any problems you might not be aware of. Just glancing at a website page titles by browsing the site won’t work, everything looks normal.