All of my blogs and websites were infected by a trojan virus this weekend. HostGator, the hosting company of the websites, were unbelievably supportive and although I contacted them on Sunday, they responded within an hour letting me know that they had completed the scanning process! It turns out that the same virus has infected all of the Joomla and WordPress installations, mainly because I hadn’t been keeping the software updated. Lesson learnt and obviously my deploy-and-forget method needs revising! How did the hackers get access to the server? According to HostGator – and I quote here – this was done via a set of stolen passwords.
I posted on Friday how to determine your blogging performance. Inside that post I showed my future plan regarding my blogging activity and what kind of profit I am expecting by publishing 3 articles per day. It’s been a week since I resumed blogging and I was really excited to feel creative once again! Hackers made sure to place a stepping stone in front of that path!
I had already noticed that some of my friends’ blogs that I host in my shared hosting account along with some of mine had been performing rather poorly. Google Webmaster Tool pointed that out and I decided to dig into the code on Saturday. Things were just fine until late at night when I began messing with the WordPress installations. I had spent most of the day reading about domain security and how to protect your WordPress blog. I had also updated my old Joomla websites to version 1.5.25, although the most recent one is… 2.5! It’s quite a hassle to update your Joomla blog from 1.5 to 2.5 and I considered that work in progress. I began setting up automatic backups and security plugins for WordPress when I found out that a crucial file in one of my blogs had some worrying issues. That file was of course “.htaccess”.
If you have your own personal blog or some kind of a website and you use Linux, you already know how important that file is. For the rest of the readers I just need to tell you that this file is responsible for URL creation and redirections. So, if that htaccess file gets hacked, your website is in trouble link-wise. Fortunately no visitor coming to my blogs probably noticed anything but there was evidence that hyperlinks pointing to Russian websites were being injected into my blogs. I began studying and learnt about the very popular WordPress timthumb hack which seemed to have caused the issue. I dealt with it but Bulletproof Security plugin for WordPress had trouble keeping the .htaccess locked! Whenever I recreated it and made it secure, it got infected with the Russian code in a matter of seconds. I went to sleep at around 1am and figured it would be a problem I would deal with in the morning, after all the blogs are functioning properly. Oh my, how wrong I was!
Waking up on Sunday morning the first thing I did was to check my blogs’ traffic. Traffic had decreased by 70% on all of my websites! Ok, that doesn’t sound good, right? Wait, there’s more. Upon checking the referrals of the visitors – meaning the source that drove readers to my blogs – there was a major source missing. That was Google search engine! My blogs had been receiving absolutely NO TRAFFIC from Google since Saturday night! And if that wasn’t enough, upon clicking on a link in Google, Facebook or elsewhere, the visitors would end up in the Russian websites which of course would try to infect their own machines! Hopefully you all have installed Antivirus software on your personal computer! Anyhow, visitors would find my blogs only by entering the domain name in their browsers, no incoming links for me!
After excessive research, I had to find some “php” files created by the hackers, which went on and kept the htaccess file from being corrected. Whatever I did on the htaccess files, those php files would make sure the hack would be reapplied. The situation got even worse when I discovered that my Joomla websites were infected as well! In the end, all of the websites I hosted were infected (check out yours) and I was unable to clear the virus. I needed help and I contacted HostGator support.
John T. from HostGator support got back with some worrying but at the same time thrilling news. He had found 10 or so php files which contained the virus and had them deleted! He had also found injections in more than 15 .htaccess files, that I was unaware of, since I was mainly dealing with the htaccess files found in the blogs’ root folder. According to HostGator support the attacker was able to gain direct access first to my Joomla admin page and then to my WordPress admin page by stealing passwords! The conclusion of his email was that I needed to attend to the outdated Joomla and WordPress installations in order for the websites to return to normal. Finally he included all the logs in the email and had changed my passwords for better security.
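The injected rules turned up in more than 15 .htaccess files, most of them outside the blogs' root folders. The following is an added example, not code from this post or from HostGator, of checking every .htaccess under a web root for redirects to foreign hosts. It assumes the injection is a mod_rewrite rule conditioned on the referrer; the sample files and the hosts `redirect.invalid` and `example.org` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the injection is a mod_rewrite rule guarded by a referrer condition.
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
EXTERNAL = re.compile(r"https?://([^/\s:]+)", re.I)
# Constructed samples; redirect.invalid is a placeholder host.
SAMPLE_INJECTED = ("RewriteEngine On\n"
                   "RewriteCond %{HTTP_REFERER} (google|facebook)\\. [NC]\n"
                   "RewriteRule ^(.*)$ http://redirect.invalid/in.php [R=301,L]\n")
SAMPLE_CLEAN = "RewriteEngine On\nRewriteRule . /index.php [L]\n"


def scan_htaccess(path, own_hosts):
    """Return (line_no, referrer_conditional, target) per external redirect."""
    findings, referer_pending = [], False
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, 1):
            referer_pending = referer_pending or bool(REFERER_COND.match(line))
            rule = REWRITE_RULE.match(line)
            if not rule:
                continue
            ext = EXTERNAL.match(rule.group(1))
            if ext and ext.group(1).lower() not in own_hosts:
                findings.append((line_no, referer_pending, rule.group(1)))
            referer_pending = False  # conditions only bind to the next RewriteRule
    return findings


def scan_tree(root, own_hosts):
    """Check every .htaccess under root, not only the one in the site root."""
    report = {}
    for path in sorted(Path(root).rglob(".htaccess")):
        hits = scan_htaccess(path, own_hosts)
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


def demo():
    """Scan a constructed tree: clean root file, injected file in a subfolder."""
    with tempfile.TemporaryDirectory() as root:
        nested = Path(root, "wp-content", "uploads")
        nested.mkdir(parents=True)
        Path(root, ".htaccess").write_text(SAMPLE_CLEAN)
        (nested / ".htaccess").write_text(SAMPLE_INJECTED)
        return scan_tree(root, own_hosts={"example.org"})
```

Pass the site's own domains as `own_hosts` so legitimate redirects are not reported. A file that is flagged again shortly after being cleaned means something on the server is still rewriting it.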
At one point during Sunday I began thinking of giving up all of the blogs, deleting all Facebook and Twitter accounts and terminating my blogging career. I call that Blogging Tilt, sort of poker tilt! It’s frustrating enough to keep your blogs running perfectly and writing new interesting posts with SEO practices is already time-consuming. Having to deal with virus infected websites is simply the coup de grace. Fortunately HostGator provided excellent and outstanding support! Even when I noticed that one of my newly deployed blogs was also infected, they created a new htaccess file by themselves that fixed the problem! Right now I’m extremely satisfied with my decision to host my blogs with HostGator!