On blogging, security, and my intro to Google’s webmaster tools

24 Jan 2010 by Stephen

A few months ago my brother-in-law wanted his own website. Being the resident techie, I set him up with his own domain, a WordPress blog, and picked out a nice template that looked a little non-WordPress-y.

Unfortunately, like most blogs, it sat untouched (something I’m guilty of too). Last week, he got an email from a friend who tried to go to his site. Instead of his site he was greeted with a rather ominous-looking red screen:

Uh-oh

Not good.

I ftp’d to his site; there was a lot of activity. A bunch of new files had been uploaded in November, and a handful of others in January. Either the November hacker had been active, or (as I suspect), he’d actually been hacked twice.

The version of WordPress installed was older, 2.7.x; latest and greatest when installed, but never upgraded. Since 2.7, there were major holes discovered, and it’s not a stretch to assume that’s what they used (though I don’t feel too bad, Scoble’s blog was also hacked this way).

I archived the site and will post a forensic review later, but it was mostly redirects to a Russian pharm site and changes to .htaccess to fake out the search engines (though he didn’t have mod_rewrite installed, so they were ineffective). All in all it was pretty generic, so I suspect the site was hacked 100% via script, with no user intervention whatsoever.
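One way to triage an archived copy for the two indicators described above (files uploaded in bursts in particular months, and .htaccess rules aimed at search engines), added here as an example and not part of the original post. The cloaking pattern, the sample tree and the `pharm.example` URL are constructed assumptions.

```python
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Assumed shape of .htaccess cloaking: a RewriteCond keyed on a crawler
# user agent or a search-engine referrer (pattern is not taken from the post).
CLOAK_RE = re.compile(
    r"^[ \t]*RewriteCond[ \t]+%\{HTTP_(USER_AGENT|REFERER)\}[ \t]+.*(google|bing|yahoo|bot|slurp)",
    re.IGNORECASE | re.MULTILINE)

def triage(root):
    """Return (files modified per YYYY-MM, list of suspicious .htaccess paths)."""
    by_month, suspicious = Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
            by_month[mtime.strftime("%Y-%m")] += 1
            if name == ".htaccess":
                with open(path, errors="replace") as fh:
                    if CLOAK_RE.search(fh.read()):
                        suspicious.append(path)
    return by_month, suspicious

def build_sample(root):
    """Constructed sample tree: an old install plus two later upload bursts."""
    def put(rel, text, y, m, d):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        ts = datetime(y, m, d, tzinfo=timezone.utc).timestamp()
        os.utime(path, (ts, ts))  # backdate the file to the chosen day
    put("index.php", "<?php // stock file\n", 2009, 3, 1)
    put("wp-content/themes/t/style.css", "body{}\n", 2009, 3, 1)
    put("wp-content/uploads/a.php", "<?php // unknown\n", 2009, 11, 12)
    put("wp-content/uploads/b.php", "<?php // unknown\n", 2009, 11, 12)
    put(".htaccess",
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} (google|yahoo|bing) [NC]\n"
        "RewriteRule .* http://pharm.example/ [R,L]\n", 2010, 1, 9)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        months, flagged = triage(tmp)
        print(sorted(months.items()), flagged)
```

Modification times can be reset by whoever wrote the files, so the month counts are a lead for where to look rather than proof of when a change happened.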

Since there weren’t any real updates on the site, I was comfortable starting over from scratch. I didn’t want to risk any backdoor and go through all of this again. I migrated to a different host (not that a different host would matter, the new host is just one I use regularly with my other clients, which makes it more likely I’d catch it when checking on another client). I reinstalled the latest version of WordPress, and started to rebuild his site.

Once completed, I went to look at the new, improved, malware-free version of the site. Lo and behold I was still greeted with the red screen of terror. No worries, I figured I’ll get the site fully tweaked and then deal with that issue.

There’s an option to ignore the warning (which, in any case except this, I would not recommend), so I clicked through to finish up my WordPress configs. No dice. The Google intercept disabled all the CSS and JavaScript (which is a good thing). I tried it in Firefox, Chrome, Opera, and Safari (pretty sure there was ONE other browser which would have worked…). So at this point I couldn’t actually log into the site.

This is where I got my introduction to Google’s Webmaster tools. With all my SEO work, Google SEO tools have always been sitting in the back of my to-do list; my work with clients focuses on honing filenames, leveraging social media, XML site maps, etc. By sticking to the fundamentals, my clients have been wildly successful, so the webmaster tools have been on the back burner.

In order to unblock a site you need to (obviously) remove what’s offending and then, as the site owner, submit your site for review. Proving you’re the owner is pretty straightforward, and similar to Google’s verification for other products: you either add some META to your index page or (if you’re a WordPress owner who can’t log in to adjust the META…) you upload a unique page. Once you’ve verified the site’s yours, there’s a simple form to request a re-evaluation. After about an hour his site was back up and running, sans Russian pharm.

One takeaway for me is that I was forced into the Google webmaster tools, and I must say I’m impressed, and it’s got me exploring them further. For my next post I’ll dive a bit deeper into the toolkit and show how you can increase your pagerank and improve the overall quality of your site.

Now this is all well and good, and I have to say I’m a fan of malware intercepts and the webmaster’s tool in general, but I believe I’ve discovered a fundamental flaw in the system… Bonus point if you can figure it out, otherwise wait for my next post.
