Why are Serbian and Russian websites interested in my website?

I maintain my small running club website in New Jersey. I updated it earlier this evening, then I decided to check the website statistics. I do that every month or two, just to see how things are going. We usually get just over 1000 unique visitors, so it is not a hugely active site.

In July, there was an unusually high number of hits from Serbia. About 1400 versus 28,000 from the US. But that was enough to stand out as unusual. There weren’t any unusual links into our site that month, though.

In August, the hits from Serbia decreased a little (1100), but the hits from Canada went way up (3500). But the most troubling for me is that our site was linked to external sites in Russia. Not a lot of links from any site, only 10 to 15, but from about two dozen sites. I looked at a couple of them cautiously, and it seemed to be a gambling link and either a porn or escort link (my Russian isn’t that good).

I just changed the password to our site, so hopefully that will nip this in the bud. I will ask the other guy who helps with the site (who is way more knowledgeable than I am) about this. I checked any file changes on the entire site, and nothing looks unusual. On a previous ISP, our site was hacked, but I was able to stamp that out. I think that was a case of not changing the assigned password from the ISP, and outside forces figured out the algorithm for default passwords. My personal computer was infected with a nasty virus in May that resulted in my main hard drive being wiped and the operating system being reinstalled. There is a chance that whoever put the virus in could have gotten the entry info to our site.

So my question is, what should I look for and what remediation should I do? I’m about to go to sleep, so I won’t be looking at this for a while. Any help or guidance appreciated.

When you say it was linked, do you mean there were lots of comments posted on your site with links in them? If so, what’s happening is that they are farming links on your site to boost their search engine ranking.

There are no comments on my site. The Russian sites have linked to my site, though I can’t figure out which page exactly. All of the pages on my site look to be what I created, so there doesn’t seem to be a page hacked to be a phony drug sales site or anything.

Criminals are good at concealing their intrusions so that they at least pass an eyeball check. Did you run recursive checksums before and after deployment to pinpoint whether any files have changed? If you’re not doing this, you don’t really know if anything changed. Did you deploy your code from a source control system? If not, you don’t know the nature of the change. Did you do a backup before deploying? If not, you have no way to start clean.

There are a variety of website scanning tools… I think Google offers something… you may want to check into it.

mcgato, it’s likely what you’re seeing is traffic from autoblogs or content farms - fake web sites that steal content and link to many sites in order to attract traffic. But that’s a guess. If you can PM me some recent links and IP addresses I may be able to tell you more.

Also what Comic Relief said.

Thanks for the replies, and I have no idea what Cosmic Relief is talking about. I’m guessing that it is no issue. My website is a four letter combination with a .net suffix. It looks like there is a Russian site with the same four letter combination with a .ru suffix. My guess is that other Russian websites are just getting sloppy trying to link to the .ru suffix site. I shall remain vigilant, though.

I’m still going to keep a close eye on those Serbians.

I’d recommend doing a scan of some sort like Cosmic Relief is talking about. Once upon a time, a blog that I hosted had a security hole that allowed someone to insert some lines of code. The lines were invisible on the page - you had to dig into the code to find them. I don’t even know what the code did, but I became aware of the problem only when visitors started being warned that my site might be a potential source of malware.

In my case, I updated the blog’s underlying PHP and then used a Perl script to automatically remove the code fragments that had been inserted into static pages.

My site is not a blog, it is a bunch of standalone HTML files. There is a CSS file to keep things tidy, but that is it. No fancy scripts, no advertising, nothing but simple HTML commands, text, and photos. Anyone could view the entire source code for it. I’ll keep an eye on things and talk more with the guy who designed it and actually understands these things much better than I do. I’ll send him a link to this thread. I only update the text content, upload photos, and the such.

Well, you think that, until some Russian dude slips in a few lines of very compact JavaScript that do nasty stuff to your visitors. That is my main takeaway here, that it can be a small, subtle change hiding in what looks like legitimate code.

My other suggestions were things you do before your code is uploaded… sort of the equivalent of taking a fingerprint of everything so you can compare it later. A competent webmaster would have been prepared. At even the suggestion that the site might be infected, he’d just shrug and click a button and reinstall the whole thing from clean source.
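
The "recursive checksums before and after deployment" and "fingerprint of everything" suggestions above, as an added example that is not part of the original thread. It also flags script-like tags, which assumes a site that is plain HTML and CSS as described; the function names and the sample site are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Tags a plain HTML/CSS site like the one described should never contain.
ACTIVE = re.compile(rb"<\s*(script|iframe|object|embed)\b", re.IGNORECASE)

def fingerprint(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare(baseline, current):
    """Return files added, removed and modified since the baseline."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(f for f in baseline.keys() & current.keys()
                           if baseline[f] != current[f]),
    }

def active_content(root):
    """List HTML files that contain script/iframe/object/embed tags."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.htm*")
                  if p.is_file() and ACTIVE.search(p.read_bytes()))

def demo():
    """Constructed sample site: fingerprint it, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        (site / "photos").mkdir()
        (site / "index.html").write_text("<html><body><h1>Club</h1></body></html>")
        (site / "style.css").write_text("h1 { color: navy; }")
        (site / "photos" / "race.html").write_text("<html><body>Race day</body></html>")
        baseline = fingerprint(site)  # take this before upload; keep it off the server
        # Simulated tampering: one injected line in a page, plus one new file.
        (site / "index.html").write_text(
            "<html><body><h1>Club</h1><script>/*injected*/</script></body></html>")
        (site / "photos" / "links.html").write_text("<html><body>links</body></html>")
        return compare(baseline, fingerprint(site)), active_content(site)

if __name__ == "__main__":
    changes, flagged = demo()
    print("changes:", changes)
    print("pages with active content:", flagged)
```

In practice the baseline would be saved (for example as JSON) alongside the clean source, and the comparison run against a fresh download of the live site.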