Hacked off

This is not much to do with radio. But I know that many of you have your own websites and will probably find this of interest.

A couple of days ago I discovered that one of my websites had been hacked. Not G4ILO’s Shack, but the other one which still continues to earn us a little bit despite receiving only the barest maintenance in the last two years.

I opened one of the pages and instead of the expected content a server error message appeared. My first thought was that the hosting company had changed some setting so I fired off an urgent support ticket. They responded saying that some of my files had been “compromised”. Sure enough when I looked at one of the files there was some code I didn’t recognize. This code referred to a file that had been added which was zero length, and that was causing a 500 server error. I deleted the file and every access now caused a 404 “file not found” error. Eventually I found that the .htaccess file had been hacked and some code added which was being executed for every single file access.

The timestamp showed that the .htaccess had been modified a week ago on 19th March. Because of the web browser caching we had not noticed the error messages any earlier. Google had visited the site in that time however, and had received a server error for every page it tried to access. So now the site had dropped out of Google. Thanks a lot, hackers.

Further investigation revealed that the hackers had modified almost every .php file on the server. They had inserted some code at the beginning of every file, apparently meant to disable error reporting. They had inserted some other code into one .php file that was included in every page. However, something in what they had done had the effect of disabling PHP processing with the result that the PHP code was sent to the browser instead of being executed.

To cut a long story short, after trying to repair the hacked files individually, I decided to restore the site from the oldest backup the hosting company held. I had a little bit of luck: the oldest backup was taken on 19th March, the day of the attack, but it had run before the attack occurred so I was able to restore the site with every file as it was originally. A day later and that backup would have gone and I would have been unable to restore the site without a lot of manual work. But the damage had been done as far as Google was concerned.

If you are expecting a lesson to be learned as a result of this story, I don’t have one, other than if you want a quiet life stick to blogging, don’t try to run your own website. If you do, visit your site every day and check for changes.

I have no idea how the hacker managed to gain access to the files on my shared web server. If they did it once they could do it again. I don’t believe that my passwords were compromised as they are randomly-generated, but I changed them anyway. Altogether this episode lasted for several stressful hours – time that I would much rather have spent trying out the latest WSJT-X program.
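
The daily "check for changes" advised above can be automated by hashing every file under the web root and comparing the result against a stored baseline. This is an added example, not part of the original post; the file names, file contents and the `snapshot`, `compare`, `write` and `demo` helpers are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map relative path -> (SHA-256 hex digest, size) for every file under root."""
    result = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            result[os.path.relpath(path, root)] = (hashlib.sha256(data).hexdigest(), len(data))
    return result

def compare(baseline, current):
    """Report files added, removed or modified since the baseline, plus empty files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current
                           if p in baseline and current[p][0] != baseline[p][0]),
        "empty": sorted(p for p in current if current[p][1] == 0),
    }

def write(root, name, body):
    """Create or overwrite one file under root."""
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(body)

def demo():
    """Constructed site in a temp dir, tampered with the way the post describes."""
    with tempfile.TemporaryDirectory() as root:
        site = {".htaccess": b"Options -Indexes\n",
                "index.php": b"<?php include 'header.php'; ?>\n",
                "header.php": b"<?php echo 'G4ILO'; ?>\n"}
        for name, body in site.items():
            write(root, name, body)
        baseline = snapshot(root)  # in practice, store this off the server
        # Constructed changes: edited .htaccess, code prepended to a .php file,
        # and a new zero-length file (the name is a placeholder).
        write(root, ".htaccess", site[".htaccess"] + b"# constructed extra line\n")
        write(root, "index.php", b"<?php error_reporting(0); ?>\n" + site["index.php"])
        write(root, "new_empty_file.php", b"")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Keep the baseline somewhere the web server account cannot write to, since anyone who can modify the .php files can also rewrite a baseline stored beside them.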

Julian Moss, G4ILO, is a regular contributor to AmateurRadio.com and writes from Cumbria, England. Contact him at [email protected].

3 Responses to “Hacked off”

  • Brad K5ILW:

    There are web sites that will monitor for changes on other web sites. The names do not immediately come to mind, but I was using one to monitor some electronic kits that were constantly backordered. That might pick up alunch hacker who has changed your website.

  • Theo VE7FHD:

    Many times I played with the idea to build my web site, spent tons of money on books, studied and collected info from friends very familiar with this business and can only say one thing: “Is the internet a blessing or curse?” I guess both. I drifted away from Ham Radio some years ago to spend time in my new found hobby called the Computer, anyone remember the Commodore?
    Well, Ham Radio is beginning to look good again. Time to get out that paddle for Morse code which I miss so much. So long Hackers, try to find me in Morse Code land.
    Theo

  • W8MRL:

    Have you determined which hack they used to get into your files? You need to close that exploit or they will do it again.

    I see your site runs Javascript. Did they get in that way?
