Monday, August 8, 2016

I've Been Hacked!

Hacked! It’s not something that you want to happen, but it happened to me. It’s a little embarrassing, actually. I’m supposed to know about these things. I’m supposed to be able to prevent this. Yeah, and so is Microsoft. I’ll get over it. Once I get past the feeling of being violated, it’s actually pretty cool. I was able to look at the look at the code they inserted, and I want to talk about that, but first, I’m not exactly sure how they got a foothold. It’s possible that they managed to get my password or maybe the password of the hosting company. I’ve seen situations in which the hackers were able to add get requests to a URL that were then translated into links to other places. But in this case, the index file itself was modified and a large number of files were uploaded to the server. Needless to say, I’ve changed my password and deleted the files.

I discovered the problem while working on moving my website to a new server. I haven’t been happy with the previous hosting company recently, so I felt it was time to move on. But to be honest, I’ve let my website languish for a few years. I haven’t written any books recently and I haven’t been pushing the old ones. As long as the links in my books were still valid, I wasn’t too concerned. But a recent change in responsibilities has allowed me to turn my attention back to writing and promoting books. So, I’m actually writing a new book and it seems like a good time for a reboot. I’m returning to the things I should’ve been doing before, but didn’t have time due to higher priorities. It’s easy to let things slip, and if you don’t watch it, someone will mess with your website. Unfortunately, while I was asleep at the wheel, it killed my search engine rankings for my targeted key terms. I’m choosing to take that as an opportunity to see what it takes to rebuild.

The way the hack works is that you won’t see it if you are looking at the website. If you were to type http://www.timothyfish.net into a browser, you would see the website and it wouldn’t be obvious that anything was wrong. You could probably even do a “view source” and not spot anything out of the ordinary. Where you would see a problem is when you see the site show up in the search results on Google or one of the other search engines. There, you will be redirected to a site selling shoes or jewelry or cheap drugs of some kind. It’s a neat trick, but it’s kind of irritating.

In this case, the hacker edited the index.asp file. I’m not sure if he did it manually or whether he had a tool that would do it automatically, but he added a few lines of ASP code to the file. He checked specifically for whether the request was coming from a search engine crawler or from somewhere else. If it was coming from a crawler, he would display a page that included a bunch of links to his stuff. If it came from somewhere else, he would display the real page. He actually called it the “real” page in his code. He also included some foul language in his code and the names of files he uploaded. He wasn’t trying to make friends, that’s for sure.

As it turned out, the fact that I haven’t been updating the site helped me remove the extra code. I sorted the files by date modified and deleted anything that was newer than about two years ago. I consider that a temporary fix. I’m in the process of updating my website, along with moving to the new server. Instead of everything being at http://www.timothyfish.net, everything will be at http://www.timothyfish.com. The other will redirect to it. I already have the http://www.timothyfish.com/Articles/ directory functioning, though the design isn’t there yet. This will teach me not to ignore my own website. If I’d been paying closer attention, I would’ve spotted it and fixed it already.