Google warned me: THIS SITE MAY BE HACKED. I disregarded the warning and clicked on the website. A voice infiltrated my computer’s speakers. The woman was breathless, her voice honeyed.
My instincts told me to run. Far and fast. These sorts of website visits rarely end well.
The voice went silent. I couldn’t help but look at the computer screen with an expression of sheer confusion. I could feel my lips curl into a menacing grin. Some might say I looked like the Cheshire cat.
In my mind, I was screaming, “How did I get here?”
I had clicked on a Google link looking for my new client’s website, and instead went from Michael Jordan shoes to essays to… this???
Women in various stages of undress winked at me. Blinking lights tormented my eyes.
However, if I typed the URL directly into the browser, everything looked fine. I shook my head.
I made some familiar grunts, affirming what I had already suspected and what Google had the foresight to proclaim: This site had been hacked.
By now, the website had my full attention. I’m like a fancy janitor and my clientele happens to be websites – I clean up the messes other people leave behind. I opened another window on my screen and typed in the company’s actual URL rather than use Google. Voila! It looked legit.
So I headed over to Google again. A few keystrokes later, the business name popped up under Google Search Results.
I hovered over the company name and clicked. Several seconds later, I was redirected. But it wasn’t to the correct website. Like Alice in Wonderland, I was quickly falling into a hole and I wasn’t sure where the end would be.
I calmly assessed the situation: No one can access the business site from Google. Nada, nothing.
Losing out on those clicks has the potential to really destroy a company’s bottom line. Instead of bringing me to the correct site, someone or something was redirecting Google traffic to this and other unscrupulous websites.
“Hmm,” the owner of the site said, clearly skeptical about what I was telling her. “The site crashed a couple weeks ago, but this techie guy fixed it. He did say it should be moved to a new host so that the problem would be permanently fixed.”
She went on to detail the conversation she’d had with a tech guy, some schmuck who advised her to simply up and move the website. No insights. No golden nuggets of wisdom. Just run from the problem and hand over some money for the advice, thank you very much.
When I logged into the WordPress site, I was astounded.
It was like a WW II re-enactment there.
The French, the Russians, the British and the Germans had all decided to invade. If I were a betting gal, I would have placed money on the fact that the owner of this site had no idea who was partying in her website’s backyard.
Upon logging into the website, there was evidence of hacking all over the place.
The Writing Service Hacker was so impudent that he even had his own sitemap in a subfolder on the website, and he was submitting it to Google for indexing!
There were so many others that had left their mark that I suspected hackers share information among themselves. The Casino folks, the Jordan shoe sellers, etc. There was even evidence of hackers hacking already-hacked posts. Like they say, there is no honor among thieves.
How did they get in?
I believe they brute-forced the login of the original web designer. Since that account had administrator privileges, the hackers set up shop and created their own essay-writing website. The site was built in 2013, hacked soon after, and never monitored since.
What got Hacked?
The intruders added their own categories, some of them in their own language. They got a “free” blog and proceeded to upload their own articles with impunity. The screenshots I showed above were just a fraction of what I had to clean up.
The theme code had the footprint of several hackers. The redirect code was obfuscated and hidden behind a <?php error_reporting line in the footer. The first time I looked at it, it looked legit, so I didn’t want to touch it. However, it contained a Base64 blob, so I decoded it using Base64decode.org. As soon as I saw the IP address in the decoded URL, I knew the whole thing was hacker code.
Every single page on the website had cloaked spam: the home page, the About page, the Contact page, the Store page. While editing a page, switching to Text mode showed the HTML markup for the spam content. The spam div was set to opacity zero (invisible).
The insertion of spam was done through code, which meant that every post that got created would carry the spam content.
The spam behind the articles was embedded within the post data itself. It was easy to see using phpMyAdmin, the utility that lets you browse the database.
I kept wondering why the botnets kept going after non-existent pages on the site until I examined 404.php (the theme template that renders the “not found” page when a post or page does not exist). The normal 404 code had been replaced with code that lets anyone upload files to the website. This code was missed by ALL the scanner plugins and tools I used to check the code.
There were PNG files that were not images but malware code saved with a .png extension!!! These were found in the uploads folder where image files normally go.
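A small triage script for the indicators described above (a Base64 blob fed to eval behind the error_reporting line in the footer, the opacity-zero spam div, upload handling inside 404.php, and PHP code stored under a .png name). This is an added example, not code from the original post; the sample file contents and the 203.0.113.5 address are constructed.

```python
import base64
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Base64 blob fed to eval()/base64_decode(): the footer pattern.
OBFUSCATED_RE = re.compile(
    rb"(?:eval|base64_decode|gzinflate)\s*\(\s*['\"]?([A-Za-z0-9+/=]{40,})")
# A div cloaked with opacity:0 (not 0.5 etc.): the pattern found on every page.
HIDDEN_DIV_RE = re.compile(
    r"<div[^>]*style=[\"'][^\"']*opacity\s*:\s*0(?:\.0+)?(?![\d.])[^\"']*[\"']", re.I)
# File-upload handling has no business in a 404 template.
UPLOADER_RE = re.compile(rb"\$_FILES|move_uploaded_file")

def decode_obfuscated(php: bytes) -> list[str]:
    """Decode base64 blobs passed to eval/base64_decode so the hidden target is readable."""
    out = []
    for m in OBFUSCATED_RE.finditer(php):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("latin-1"))
        except ValueError:  # not valid base64; leave for manual review
            continue
    return out

def find_cloaked_divs(html: str) -> list[str]:
    """Return opening tags of divs hidden with opacity:0 (cloaked spam)."""
    return [m.group(0) for m in HIDDEN_DIV_RE.finditer(html)]

def is_fake_png(data: bytes) -> bool:
    """True when a '.png' upload lacks PNG magic bytes and contains PHP code."""
    return not data.startswith(PNG_MAGIC) and b"<?php" in data

def template_has_uploader(php: bytes) -> bool:
    """True when a theme template such as 404.php handles file uploads."""
    return UPLOADER_RE.search(php) is not None

# Constructed samples; 203.0.113.5 is a documentation address, not a real host.
_PAYLOAD = b"header('Location: http://203.0.113.5/');"
SAMPLE_FOOTER = (b"<?php error_reporting(0); eval(base64_decode('"
                 + base64.b64encode(_PAYLOAD) + b"')); ?>")
SAMPLE_PAGE = ('<p>Welcome</p><div style="opacity:0;position:absolute">'
               '<a href="http://example.invalid/">cheap essays</a></div>')
SAMPLE_404 = b"<?php get_header(); if (!empty($_FILES)) { move_uploaded_file(/* constructed */); } ?>"
SAMPLE_PNG = b"<?php /* constructed stand-in for PHP hidden in a .png */ echo 1; ?>"
REAL_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR"

if __name__ == "__main__":
    print(decode_obfuscated(SAMPLE_FOOTER), find_cloaked_divs(SAMPLE_PAGE))
    print(template_has_uploader(SAMPLE_404), is_fake_png(SAMPLE_PNG), is_fake_png(REAL_PNG))
```

Run the same checks over a real theme directory, wp-content/uploads and the exported post_content column to get a first list of files and posts to review by hand; a hit is a lead, not a verdict.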
Painful Recovery is an article on what happens when there are no protection mechanisms put in place.
Recover from a Hack outlines the steps you can take to recover a hacked WordPress site.
3 Ways to Ensure a Quick Recovery are some preventative measures you can put in place now.