AndyHagans.com Hacked! Can You Help Me Out?

As I posted earlier I’m out of the client game, but I got bored this morning and checked the rankings of the old client services site (old habits die hard). I usually own the top spot for [link building] and what can I say it’s a matter of pride. ;-) Well today I was a bit perplexed that not only was AndyHagans.com not ranking #1 for [link building], it was nowhere to be found! However, the site wasn’t banned–an internal page was still ranking in the top 100 for [link building]. I figured that maybe I hit some sort of filter. I wasn’t going to lose any sleep over its rankings considering the site isn’t monetized at all.

Then later today I got an email from a friendly contact letting me know I had about a thousand animal sex-related links which were hidden below the footer on the AndyHagans.com homepage. (Apparently, this contact sometimes refers to my site–which I coded myself–when showing people the benefits of clean code & the efficient use of CSS. Take that, Pearson!)

Anyway, I wonder how someone was able to hack my site and inject these links. Some sort of “exploit”? (I don’t even really know what that means.) Maybe I shouldn’t have used [password] as my password. (Just kidding.) I’ll fix it later in the week, meanwhile I am trying to figure out if any black hat SEO has a grudge against me, but honestly I’m not sure I even know any black hat dudes! Could be just a coincidence, but my instinct says it isn’t.

Thibault tells me it looks like the links pointed elsewhere earlier this week, but they were updated to animal sex-related topics recently (judging from the cache). Anyone have a theory how this hack could have happened? I don’t want to fix it only to have it hacked again the next day… any help is very appreciated and will be rewarded in link equity. ;-)

Check it out: AndyHagans.com (view the source code to see the animal sex links)

Update: in case it helps, some more details on the site–it’s hosted on Dreamhost (normal shared plan), and runs on PHP (custom files, no CMS, I mainly use PHP just to include files like the header and footer).

Update2: OK so this affected another site I host on the same account. Shoemoney pointed out it only is happening on the index.* files. So either someone broke into my ftp with a script, or somehow they did it to all the files named index.* hosted on this Dreamhost box?

Update3: Frederick Townes tells me:

about the injection issue (I wrote an article about this long ago) about XSS and injections etc.

My best guess is your host has a very old copy of apache:

Apache/1.3.37 (Unix) mod_throttle/3.1.2 DAV/1.0.3 mod_fastcgi/2.4.2 mod_gzip/1.3.26.1a PHP/4.4.4 mod_ssl/2.8.22 OpenSSL/0.9.7e

That, combined with those other modules, which are also very old means that there are tons of opportunities for someone to exploit your site - it’s a matter of time and checking the changelog for those different software packages.

There also could be other holes (potentially) in your web site as you seem to use PHP, for server side includes no doubt, unnecessarily. Switching to flat HTML with Server Side Includes is a good move if you don’t want to change hosts.

You can always parse PHP files in your server side includes if you need some advanced scripting.

Ugh. Sounds about right, but still not sure what exactly to do to remove the current links and script?

Update4: Thibault is telling me he doesn’t think it’s the XSS thing, but instead either weak code, or they just cracked my password.

Update5: Thibault and Bapin SSH’d in and found the problem. Looks like someone just cracked the FTP password and put a file in every domain’s directory which then injected the links. Bapin is helping me fix it and meanwhile it’s a spring cleaning, we’re deleting a bunch of old junk like Movable Type test installations, etc. This was a great way to spend my afternoon!

Update6: OK Bapin fixed everything. Fingers crossed it doesn’t happen again, all the passwords are changed and we deleted some files which may have been vulnerable…
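For anyone cleaning up after the same kind of injection, here is an added example (not part of the original post, and not what Bapin ran) that walks a hosting account and flags `index.*` files carrying link blocks after the closing tag or inside a hidden element. The hiding patterns, the threshold of 5 links and the sample tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

ANCHOR = re.compile(r"<a\s[^>]*href", re.I)
CLOSE = re.compile(r"</(?:body|html)\s*>", re.I)
# Assumed hiding tricks: the post only says the links were hidden below the footer.
HIDDEN = re.compile(
    r"<(div|span|p)\b[^>]*style\s*=\s*[\"'][^\"']*"
    r"(?:display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,})"
    r"[^\"']*[\"'][^>]*>(.*?)</\1\s*>", re.I | re.S)

def suspicious(html, threshold=5):
    """Return the reasons a page looks like it carries injected hidden links."""
    reasons = []
    close = CLOSE.search(html)
    trailing = len(ANCHOR.findall(html, close.end())) if close else 0
    if trailing:
        reasons.append(f"{trailing} links after the closing body/html tag")
    for block in HIDDEN.finditer(html):
        count = len(ANCHOR.findall(block.group(2)))
        if count >= threshold:
            reasons.append(f"{count} links inside a hidden <{block.group(1).lower()}>")
    return reasons

def scan_webroot(root, threshold=5):
    """Check every index.* file under root, since only those were modified here."""
    findings = {}
    for path in sorted(Path(root).rglob("index.*")):
        reasons = suspicious(path.read_text(encoding="utf-8", errors="replace"), threshold)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    # Constructed sample: two sites on one account, one tampered index page in each.
    links = "".join(f'<a href="http://spam.example/{i}">x</a>' for i in range(6))
    pages = {
        "site-a/index.php": f'<?php include "footer.php"; ?><div style="left:-9999px">{links}</div>',
        "site-b/index.html": f"<html><body>Hi</body></html>{links}",
        "site-b/blog/index.html": "<html><body><a href='/'>Home</a></body></html>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in pages.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_webroot(root)

if __name__ == "__main__":
    print(demo())
```

This only finds the injected link blocks; the file that was dropped into each domain's directory to write them has to be found separately, for example by reviewing recently created files and the FTP logs.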

20 comments ↓

#1 JoshRice on 05.30.07 at 1:11 pm

I wanted to tell you what was up with Hagan’s page, but after seeing that I had to register I said screw it…

but then I noticed on this very post. Looks like you’ve been hacked, there’s hidden links on this blog too

-josh

#2 JoshRice on 05.30.07 at 1:13 pm

My dreamhost account is fine and so are my wordpress blogs, so did someone figure out your password?

#3 admin on 05.30.07 at 1:15 pm

Oh man, looks like they got Tropical SEO too… either it’s only on this box, or it’s only on my account. Bummer. I can change my password, but I wonder how I can delete all this stuff? It’s probably a file or script generating/inserting the links, right?

#4 JoshRice on 05.30.07 at 1:19 pm

I would check in Admin > Presentation > Theme Editor and look through those files first.

If you don’t see it there, I would just download everything and do a search through the file contents (TextPad works nicely for this) and see if you can find out what file is being included.

#5 admin on 05.30.07 at 1:26 pm

Yeah it shows up in the MainIndexPage in the Wordpress CMS for Tropical SEO, but they still could have injected it there without “going through” Wordpress, right?

(It was injected into the index.* on ALL domains on this account, not just the one that uses Wordpress.)

#6 JoshRice on 05.30.07 at 1:30 pm

It doesn’t mean they did it through WordPress - if they had ftp access they could change it there…but it could be WordPress. I’m betting they got into your ftp if it is across all your domains on that account.

#7 JohnMu on 05.30.07 at 1:33 pm

I’ve seen this kind of hack a bunch of times. They hack the default page on the server and often hide a truckload of auto-generated, cloaking affiliate pages somewhere else on the same site (usually with a script).

They cross link all the affiliate pages, eg linking from your default page to the affiliate pages on some other site, and linking from yet another site to the affiliate pages on your site. If you check your Google Webmaster Central account (you do have it verified, right? ;-)) you might be able to spot the new content that your site has grown along with some of the links pointing to it.

From what I’ve seen, this is often a server-side hack - either through the Frontpage extensions (if you have them) or some other common hosting component. Sometimes a bunch of sites on the same server will be affected.

If you leave it the way it is, chances are the links will get updated. I have seen sites hacked in this way with their links updated every other day. I don’t know if it’s done automatically or manually. It’s pretty slick - if they check which generated pages are still up, they can update the links to point to those pages instead of pages that now 404.

I’ve contacted countless site-owners about this kind of hack. Most people don’t react at all (assuming you can even get an email address that doesn’t bounce) - I bet they assume it’s just another one of those SEO spammers. Sometimes the hosting company itself will clean it up: I assume they do this if they realize that it is a server-side hack, but it might just be customer service. I’ve seen it on everything from nooby-sites, small companies, medium companies and even government sites. I have some sites on my list that I’ve been trying to notify about the hack since January… and believe it or not, they’re back in the index again, with hidden links…

Sigh.

At least you noticed :-)

#8 JohnMu on 05.30.07 at 1:34 pm

PS kind of ironic that the page heading is “Need help with your link building?” :D

#9 speedypin on 05.30.07 at 1:54 pm

Andy, here’s a post I read at Dave Naylor’s site. Perhaps this is how somebody hacked you?

http://www.davidnaylor.co.uk/archives/2007/04/27/would-anyone-like-some-free-backlinks/

#10 admin on 05.30.07 at 1:58 pm

> PS kind of ironic that the page heading is “Need help with your link building?”

God hath a sense of humor.

#11 admin on 05.30.07 at 2:52 pm

You know what the worst part about this is, I’m going to start getting search referrals for “animal sex”, I guarantee it.

#12 dazzlindonna on 05.30.07 at 9:45 pm

I once had that happen to me. It had something to do with an old version of PHP. The entire shared server was affected, with all sites being hacked (just the index pages of every folder). I’d definitely alert your host. Hope you had backups of your index pages. That will make things much easier. Just makes you spitting mad, though, doesn’t it? Such a violation. I’m mad for you! :) Good luck.

#13 admin on 05.30.07 at 10:06 pm

dazzlindonna,

thanks for being mad for me! :-)

I told the web host but something tells me they won’t bother looking into it ;-)

#14 Stoney deGeyter on 05.31.07 at 7:21 am

Hey Andy,

Not that this type of thing happens often but it can be good to know as soon as it does. We’ve developed a cool page change notification tool that notifies you anytime one of your (monitored) pages changes. We use it on all our client sites, including our own and others as well.

In your case, if you had this set up to be monitored you would have received an email the next morning after it was done, you would have quickly figured out what happened and gotten it fixed, probably before Google dropped your rankings.

#15 jgoddard on 06.05.07 at 12:39 pm

Hey Andy,
Take a look at this url http://mezzoblue.com/archives/2007/06/05/unsettling/ Dave had the exact same problem, he’s hosted on Dreamhost and his index.* files had the links placed in them. He uses movable type, not wordpress so it can’t be a WP or MT exploit, must either be a PHP thing, or they cracked your password. But the fact that he is also on Dreamhost is kind of interesting/suspicious.

#16 admin on 06.05.07 at 12:43 pm

Yes I told them that, they acted like I was an idiot though. Not a huge fan of Dreamhost these days.

#17 Domainer's Gazette on 06.06.07 at 2:56 pm

feeling your pain there, my Dreamhost account got hacked yesterday, had to spend all morning removing spam links from all my sites. The spammer simply targeted my index pages. I posted Dreamhosts email to me here:

http://www.domainersgazette.com/dreamhost-hacked-my-sites-compromised/

you get this same letter Andy?

Been busy looking for a new host all day.. Host Gator may be where I wind up..

#18 admin on 06.06.07 at 3:29 pm

Yep I got the same letter. I replied: “I told you so.” They enjoyed that.

>Been busy looking for a new host all day..

I like MediaTemple right now.

Then again, I liked dreamhost 3 years ago, and ipowerweb 6 years ago. I think it’s some sort of law that web hosts suck. All of them.

#19 Domainer's Gazette on 07.05.07 at 3:54 pm

hey Andy,

just wondering…

did you ever change hosts?

I got too lazy.. but still looking..

#20 admin on 07.06.07 at 8:24 am

Nope…