Your Fly Is Open

Netmenaces and Other Internet Stupidity

Your Site Is Compromised: Next Steps

2021-03-03 6 min read

Why you’re here

If I’ve contacted you and pointed you to this webpage, it’s because, in the course of doing research on attackers and attacker methods, I’ve found that your website has been compromised/hacked.

First of all, let’s get this out of the way: I’m sorry.

I’m sorry that this happened, and I’m sorry I was the one that had to tell you. I’ve been doing this for a long time now, and I always feel awful being the bearer of bad news. Telling you is the right thing to do, however, because you need to know.

You need to know because the way your website has been hacked and is being used has the potential to harm your reputation.

 

Proof

So… let’s start by getting you a handle on the problem.

You’re going to do a Google search that will show you all of the pages on your site that Google knows about. To do that, you just need to know the URL for your site - your site’s Internet address (For example, this site’s URL is: yourflyisopen.com).

To see all of the pages that Google has indexed for any particular site, you do a Google search using a special kind of search keyword: site:. In practice, it looks like this:

site:yourflyisopen.com (Click here to see what it actually looks like on Google’s site…)

Now, do that for your own site (remember to use the site: keyword). Scroll through the resulting list of pages. If I’ve contacted you, then you’re going to find some stuff in there that will likely be a surprise. Stuff you didn’t know was there… Stuff you probably DON’T want there. Pages that are advertising drugs, cigarettes, knock-off fashion, etc…, etc…

Note: If you have a ton of content on your site, you can narrow the search down a little bit by throwing in the word “buy” as well (“site:yoursite.com buy”). That’ll find only those pages on your site that Google has indexed with the word “buy” on them - something that these pages generally contain.

I will not notify someone that their site is compromised unless I can confirm it myself. If I’ve notified you, it’s there - please trust me.

So… your site was hacked and is being used by one or more disreputable websites to do what is known as Search Engine Optimization or SEO. SEO is, generally speaking, a means by which organizations attempt to boost their standing in the search results. One way to boost a site’s ranking in search results is for that site to be seen as popular. A way to measure a site’s popularity is simply to count the number of other sites that link to it. If a lot of different sites link to a particular site, that site gets a boost toward the top of search results.

Your site has been hacked and had links put in place, pointing to some scammy site flogging drugs, cigarettes, knock-off fashion, or any of a number of other items. This was done to boost that site’s appearance of popularity.

Again: I’m sorry this happened to you.

Note: If you follow those links, you may or may not actually see the content. If you don’t see content, your site may be displaying it only when Google comes to call. Google has several different programs that “spider” websites and index their content automatically. These programs identify themselves to your webserver as “GoogleBot,” just as your web browser identifies itself as “Chrome,” “Firefox,” or “Edge.” Often, the people who attack sites will fix it so that their hacked content will only be displayed if the browser identifies itself as “GoogleBot.” I have tools that allow me to fake that identification - you likely don’t. If you want to learn more about how all of this happens, I recommend reading about it here.

Additional note: This is a bit more advanced, but if you’re still not convinced, you can take one of the URLs that Google indexes and use this site to see how it looks when visited by a tool with the GoogleBot User-Agent. This isn’t exactly what I do, but it’s close enough that you should be able to see what GoogleBot sees.

 

What to do

If your organization has professional IT staff, they need to figure this out:

  • How did the attackers alter the site?
  • What is the extent of the compromise?
  • You need to understand HOW attackers were able to alter your site and FIX IT or this is just going to keep happening
  • Passwords for all accounts related to the website need to be changed (Seriously. Do this.)
  • If you use a Content Management System (something like WordPress, Joomla, Drupal, etc…), make sure it is up-to-date and that it is kept up-to-date
    • If you use any plug-ins, themes, or extensions - they need to be updated and kept up-to-date as well
  • Carefully check ALL files for signs of alteration - attackers like to leave behind some method of getting back into a site
  • If your site has user accounts, you may be subject to mandatory breach notification laws.
  • If you aren’t monitoring the logs of your site for signs of compromise, you need to start
  • If you aren’t leveraging Google’s Search Console sign up for an account, and monitor what Google knows about your site.
  • Google also has a wonderful site, Help! I think I’ve been hacked!, that goes over a lot of information that you’ll need.

If you don’t have professional IT staff, then you need to find a professional to help you with this.

I AM NOT THAT PERSON.* Please don't ask.

Again: I’m sorry that this happened to you.

I wish you the best of luck in getting this sorted out.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Twitter: @tliston
March 3, 2021

*Here's why: I would really like to help, but cleaning up a site compromise often entails a lot of work, and I just can't justify spending that amount of time without being paid - this is, after all, what I do for a living. But here's the thing: notifying you that your site has been compromised and then expecting to be paid to help clean it up seems dangerously close to ambulance chasing. I also don't think it would be ethical to recommend that you contact someone I know to help you clean things up either. I just don't feel right about getting at all involved in that side of things if I'm the one telling you that your site was attacked. I hope that makes sense...