Speyside Developments / Technical / Anti-Hacking Advice

Some of you might have been puzzled to see that Speyside's normal site had been replaced by a blog that looked pretty much like this. This is what a site looks like once it has been turned into a zombie by a redirect trojan.
If anyone had clicked any of the links they would have found that the links connected to irrelevant or unsavoury material. We can only apologise for this. It happened because of an ingenious "hacking attack" that had hijacked our site.

There is good information about how this attack is done, and how to prevent it here -

http://www.whyron.com/http.htm

This problem is known to Kaspersky as a trojan -

http://www.viruslist.com/en/viruses/encyclopedia?virusid=294223

To find the code that was injected into the Speyside site I downloaded my entire site to my PC so that I could search within the files more easily.

I did a search on all directories for the file "check.js" and found it hidden deep in subfolders on my site.

Then I did a search for the string "md5" and found it in a PHP file that had been added to my site. I found two .htaccess files in directories within the site (NB - the FTP utility I used has to be set to show hidden files, otherwise these would not be downloaded at all).

Without even waiting to clean any of this up I uploaded a .htaccess file to stop any external redirects -

At the risk of giving more clues to future hackers the .htaccess file I uploaded is similar to this -

RewriteEngine on
RewriteCond %{QUERY_STRING} http[:%] [NC]
RewriteRule .* /------------http----------- [F,NC]
RewriteRule http: /---------http----------- [F,NC]
ErrorDocument 404 /404.php

This should prevent PHP injection attacks via the query string, and also report "404 page not found" for missing pages.
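As an added example (not part of the original post), here is a small Python script that automates the two searches described above over a downloaded copy of the site and reproduces the query-string test from the .htaccess listing. The sample site tree it builds is constructed, and the "md5(" call pattern is only an assumption about what the injected PHP looked like.

```python
import re
import tempfile
from pathlib import Path

# Indicators the write-up above searched for by hand (constructed, not a signature set):
SUSPECT_FILENAMES = {"check.js"}            # script dropped deep in subfolders
HIDDEN_FILENAMES = {".htaccess"}            # added rewrite files (hidden, easy to miss)
PHP_MD5 = re.compile(r"\bmd5\s*\(", re.I)  # assumed shape of the injected PHP
# The RewriteCond %{QUERY_STRING} http[:%] [NC] test, as a Python regex
QUERY_STRING_RULE = re.compile(r"http[:%]", re.I)

def scan_site(root):
    """Walk a downloaded site copy; return sorted (reason, relative path) findings."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):       # rglob also visits dotfiles such as .htaccess
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in SUSPECT_FILENAMES:
            findings.append(("suspect-file", rel))
        if path.name in HIDDEN_FILENAMES:
            findings.append(("htaccess", rel))
        if path.suffix.lower() == ".php" and PHP_MD5.search(path.read_text(errors="replace")):
            findings.append(("php-md5", rel))
    return sorted(findings)

def query_string_blocked(query_string):
    """True when the .htaccess listing above would reject this query string with [F]."""
    return QUERY_STRING_RULE.search(query_string) is not None

def build_sample_site(root):
    """Write a constructed site copy holding each indicator plus one clean file."""
    root = Path(root)
    (root / "images" / "old").mkdir(parents=True)
    (root / "images" / "old" / "check.js").write_text("/* constructed sample */\n")
    (root / ".htaccess").write_text("RewriteEngine on\n")
    (root / "inc").mkdir()
    (root / "inc" / ".htaccess").write_text("RewriteEngine on\n")
    (root / "inc" / "z.php").write_text("<?php if (md5($_GET['k']) === 'x') {} ?>\n")
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")

def demo():
    """Build the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_site(tmp)

if __name__ == "__main__":
    for reason, rel in demo():
        print(f"{reason:13} {rel}")
```

Note that the [F] flag makes Apache answer a blocked request with 403 Forbidden rather than the 404 page; the ErrorDocument line only covers pages that genuinely do not exist.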

You may need to loosen this .htaccess file up a little -

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?your site name\.com [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} ^http://.*$
RewriteCond %{QUERY_STRING} http[:%] [NC]
RewriteRule .* /------------http----------- [F,NC]
RewriteRule http: /---------http----------- [F,NC]
ErrorDocument 404 /404.php

For an explanation of this .htaccess file have a look here - http://www.yourhtmlsource.com/sitemanagement/bandwidththeft.html
You can see that this type of attack is quite common because Google has indexed some of the results from the redirected (or zombie) sites (it's easy to see this by searching for "Particulary I like the first site"). You can then see that sites which should belong to proper companies have been replaced by what looks like a blog but is actually serving rotator ads from another server.