February 18th, 2009 by Dave

Google hijackers from crackers; check your HTACCESS


When’s the last time you looked inside your website’s HTACCESS file? It really should become a part of your monthly (ack, weekly? daily?) audit routines. There could be gremlins at play you see…

Ok, here’s the gig: one day a mate comes along and asks me, “You mind Googling Twitter?” and I told him to mind his manners as I didn’t go for that kind of thing. Anyway, obliging him, the mighty Google was consulted and from what I could see, the oracle of the ‘Plex was behaving as normal.

When I pressed for details as to what exactly he was seeing, he sent me this:

Gooogle gets hijacked

As you can see the top results are for an Anti-virus website… NOT for Twitter

Being the curious type, I inquired with a few other folks to see what they were seeing. Sure enough, we were all seeing the proper set of results. Fair enough, it sounds like the hull has been compromised and he’s taking on water.

As we backtracked, it seems there was a search result that had behaved peculiarly earlier that day. Upon clicking the top result in Google his AV software had done the jig (although it may have been the Trojan mimicking to gain access). I went over to the website in question – and nothing.

I then searched for the website in Google and clicked on the listing – voila! Sure enough you were redirected and a pop-up prompted you to do a ‘security scan’ (cough, cough). This behavior ONLY happened when accessing the site via Google.

The HTACCESS Gremlins

What could this be, one wondered. Certainly the mighty Goog’ has not fallen prey to wrongdoers, have they? After all, they say they’ve done it before:

Google serves up malware????

 

Naw, that couldn’t be it.

Initial suspicions leaned towards the site being hacked, but the site administrator was as confused as a link baiter on truth serum, no hacks could be found. To be on the safe side, a few of those in the know, information retrievers, were consulted and one specializing in rarefied AIR (adversarial information retrieval) had the answer. Check the HTACCESS file; which was an enlightening journey.

You see, kind reader, they had gone in and were redirecting ONLY the traffic from Google, which then showed the prompt and caused the computer to be infected. Then, on subsequent searches, they were intercepting them and sending back their own (modified) Google results. The sneaky little buggers.

Make it a part of your site audits

You can just imagine the reputation problems that could come from this, not to mention its potential for sabotage. While this may not seem like the domain of the SEO, having low search engagement and possibly infecting visitors is sure to have negative effects ultimately. No matter how you look at it, from hacking to put nasty (outbound links) on competitor sites to redirecting incoming SERP requests, this is something SEOs need to be aware of.

In the modern world of SEO, close ties with the security and system administrators are key. Everyone needs to be aware of the potential for such attacks and be vigilant. A lot of time and money (put into search campaigns) could easily be washed away and replaced with a reputation management problem.

What to watch for: this type of attack is often found when you are using a CMS or WordPress-type installation that requires the .htaccess to be writable (such as for SEF URL creation). To guard against it, be sure to chmod your .htaccess so that it’s not writable until you need to publish something new; then make it writable, create your pages and set it back again.
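What such a check can look like in a site audit, as an added example (not code from this post or from the affected site): it flags RewriteRule lines that send search-engine-referred visitors to a host outside your own, and reports which write bits are set on the file. The sample .htaccess, the host names and the function names are constructed for illustration.

```python
import os
import re
import stat

# Constructed sample: a stock WordPress block followed by an injected rule set
# that only fires for visitors arriving from a search engine.
SAMPLE = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule ^(.*)$ http://redirect-target.example.invalid/ [R=302,L]
"""

SEARCH_REFERER = re.compile(r"google|bing|yahoo", re.I)
COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
EXTERNAL = re.compile(r"^https?://([^/\s:]+)", re.I)


def audit_rules(text, own_hosts):
    """Return (line_no, target) for every RewriteRule that sends
    search-engine-referred visitors to a host not in own_hosts."""
    findings = []
    gated = False  # a pending RewriteCond tests for a search-engine referer
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        cond = COND.match(line)
        if cond:
            pat = cond.group(1)
            # Negated patterns ("!...") are typical of hotlink protection.
            if not pat.startswith("!") and SEARCH_REFERER.search(pat):
                gated = True
            continue
        rule = RULE.match(line)
        if rule:
            ext = EXTERNAL.match(rule.group(1))
            if gated and ext and ext.group(1).lower() not in own_hosts:
                findings.append((no, rule.group(1)))
            gated = False  # conditions only apply to the next RewriteRule
    return findings


def write_bits(path):
    """List who may write to the file: 'owner', 'group', 'other'."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    flags = (("owner", stat.S_IWUSR), ("group", stat.S_IWGRP), ("other", stat.S_IWOTH))
    return [who for who, bit in flags if mode & bit]


def lock(path):
    """Clear every write bit (644 becomes 444) until the next publish."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    for no, target in audit_rules(SAMPLE, {"www.example.com"}):
        print(f"line {no}: search-referred visitors are sent to {target}")
```

A clean result only covers this one pattern, so it is worth also comparing the live file against a known-good copy kept off the server.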

 

…. Something to consider…

 


55 comments to “ Google hijackers from crackers; check your HTACCESS ”

  1. # 1 Paul Woodhouse has said:
    February 18th, 2009 at 10:45 am

    Interesting stuff.

    Is the moral of this story to make sure you CHMOD your .htaccess file to 644?

    Or was there something more nefarious at work?

  2. # 2 Dave has said:
    February 18th, 2009 at 11:10 am

    Most certainly… and peeps that are using a CMS or WordPress might want to consider a strategy. These systems often require the htaccess to be writable…

    How they got access to the server in this case, I am unsure, they either didn’t know, or weren’t willing to tell me.

    But ultimately, locking down the htaccess is the prudent course of action most certainly.

  3. # 3 Kevin has said:
    February 21st, 2009 at 10:32 pm

    thanks for that…any brief instructions how to …
    “be sure to chmod your hataccess so the at it’s not writable until you need to publish something new – then make it writable, create pages and then set it back again.”
    Thanks

  4. # 4 texxs has said:
    February 22nd, 2009 at 7:37 am

    So it was twitter that was compromised?

  5. # 5 Chris Greenman has said:
    February 22nd, 2009 at 5:32 pm

    I find it kinda crummy that there is always someone trying to cheat the system and win. Hope we all learned a lesson from this one. I will be sure to check my htaccess files regularly…

  6. # 6 Scott has said:
    February 24th, 2009 at 6:15 am

    You could also chown your htaccess file so that apache is the owner:

    chown apache path/to/.htaccess

    Then chmod it to 770 (wrx for both owner and group, no world permissions)

    That allows apache (and users with proper access) to write to the file, as well as to read the file, while not giving any other permissions to otherwise outside users/attackers.

    Of course that wouldn’t help if the CMS system (or an extension/plugin for it) were the actual culprit, rather than an outside attacker.

    And don’t forget to back that truck up! (truck being the server in this case) :)

  7. # 7 Dave has said:
    February 24th, 2009 at 8:16 am

    Now, it wasn’t Twitter, it was the website serving up the Trojan – once it installed itself, it modified popular Google searches… in this case, for Twitter.

  8. # 8 Debbie has said:
    February 26th, 2009 at 7:02 am

    Wow, this is something that never even crossed my mind. Will definitely be adding it to our future site audits, for our site and for our client sites.

  9. # 9 Wink has said:
    February 27th, 2009 at 6:22 pm

    Wow… very enlightening. Off to check my .htaccess file. Thanks!

  10. # 10 Robert has said:
    March 2nd, 2009 at 1:31 pm

    I had a site hacked once. The host said it wasn’t due to some oversight on their part, but sure as you’re born the buggers got in and banged up the place. I always thought security was the host’s responsibility. What happened to me certainly opened my eyes. And now I see, if they can do it to Twitter, they can do it to anybody!

  11. # 11 Karl Foxley has said:
    March 7th, 2009 at 1:45 pm

    Great post! :)

    This has been something I was looking for a solution to and now I have the answer… Thanks

    Regards,

    Karl

  12. # 12 Free Ads has said:
    March 10th, 2009 at 7:17 am

    Wooew.. a huge search engine such as Google can be cheated by a Trojan??

  13. # 13 Benkyoshin has said:
    March 17th, 2009 at 8:20 pm

    awesome

  14. # 14 HERITAGESVIETNAM has said:
    March 19th, 2009 at 3:54 am

    Very nice
    thank

  15. # 15 Paid Survey Programs has said:
    March 20th, 2009 at 9:11 am

    Thanks for the heads up. Does it only involve Twitter?

  16. # 16 Sid has said:
    March 23rd, 2009 at 10:42 am

    Thanks for the enlightening post, didn’t know this at all…

  17. # 17 Akash Acharya has said:
    April 3rd, 2009 at 5:23 am

    You can just imagine the reputation problems that could come from this not to mention its potential for sabotage. While this may not seem like the domain of the SEO, having low search engagement and possibly infecting visitors is sure to have negative effects ultimately. No matter how you look at it, from hacking to put nasty (outbound links) on competitor sites to redirecting incoming SERP requests, this is something SEOs need be aware of.

  18. # 18 Hicham has said:
    April 3rd, 2009 at 10:19 pm

    Wow! That’s very important to keep an eye on! Thanks for sharing.

  19. # 19 WilliamC has said:
    April 4th, 2009 at 10:10 pm

    If you are using a virtual hosted account that has many other users on the same machine, this is well needed information for you from David.

    Now the good part, you can chown the file to only your username on ‘most’ virtual hosting solutions and allow it write access by your CMS while not allowing other users to write to it. Take a peek at the unix command chown to learn more.

  20. # 20 Mark Jaquith has said:
    April 7th, 2009 at 9:44 pm

    This type of attack is often found when you are using a CMS or WordPress type installation that requires the htaccess to be writable (such as SEF URL creation).

    WordPress does not require your .htaccess to be writable once you’ve done the initial permalink structure configuration, so it’s safe to make it read-only on established WordPress sites.

  21. # 21 Robert M. Cavezza has said:
    April 10th, 2009 at 8:44 am

    Twitter wasn’t hacked – his computer was hacked through his website. Subsequently, all major (popular) google searches were transferred back to this trojan’s website through his personal computer.

    The Trojan didn’t affect Twitter, it affected his PC and in turn, most Google searches were not correct.

    I’m also curious how you found out that the Trojan affected you through your website. Was there something in the HTACCESS file or did you just assume that was how it got infected because it was writable.

    Best Regards,

    Robert M. Cavezza

  22. # 22 Carole Jacoby & Co. Real Estate has said:
    April 13th, 2009 at 12:40 pm

    Interesting information but can you simplify it for those of us who are not so tech savvy? Example; What is step one, in detail? What is step 2, in detail and so forth?

    Thanks,

  23. # 23 mathew has said:
    April 13th, 2009 at 11:49 pm

    Thank You

  24. # 24 Protect Me has said:
    April 14th, 2009 at 11:28 am

    Thanks for the information. It was helpful and informative.

  25. # 25 Kp has said:
    April 16th, 2009 at 9:02 pm

    You Rock David, thanks for the trickle down.
    peace.

  26. # 26 dcphosting services has said:
    April 17th, 2009 at 6:20 pm

    Ah ha, so that is why, from time to time when clicking on Google results (labeled Green by McAfee Site Advisor), I end up on “bad sites” instead of the intended destination. (Thus far I have never “reached” a bad site because my browsing is stopped by the Google “Safe Browsing” feature.)

    I would never even consider allowing a client’s .htaccess file to be writable. “SEF URL creation” should be done by the CMS and only interpreted by the .htaccess file.

  27. # 27 توبيكات has said:
    April 20th, 2009 at 2:39 am

    thanxs

  28. # 28 توبكات has said:
    April 20th, 2009 at 3:10 am

    very cool

  29. # 29 chonp has said:
    April 24th, 2009 at 6:27 pm

    very good thank you

  30. # 30 Gary has said:
    May 10th, 2009 at 8:10 am

    Hi, great article. I am new to this CMS thing. I use Joomla for my church web site. Could you please tell me in layman’s terms how to check my htaccess file and what should be in it to start with?
    I only allow supervisor-level persons to access the site.
    Also, what does this mean: htaccess file to 644?
    Many thanks

  31. # 31 Michael has said:
    May 11th, 2009 at 10:33 pm

    Where is the .htaccess compromised code? Nice story but where’s the data and solution? Disappointing that such a potentially important article is incomplete concerning the most important facts, how the bad guys accessed the .htaccess file and what the hack looked like…

    vbplusme

  32. # 32 doug has said:
    May 29th, 2009 at 11:22 pm

    So I only have to worry about this if I have an Apache server, right? Windows nothing to worry about…not sure, can somebody enlighten – or I guess I can research on google.

  33. # 33 bryan has said:
    June 1st, 2009 at 11:22 pm

    I have had the same issues clicking from top Google search results. I am checking my .htaccess right now. thanks

  34. # 34 Bummarketing has said:
    June 9th, 2009 at 2:00 pm

    Interesting, but would love to see an example of what an infected file looks like

  35. # 35 Technologian has said:
    June 9th, 2009 at 7:47 pm

    nice post… very informative… thanks

  36. # 36 Inga has said:
    July 5th, 2009 at 2:47 pm

    Hey David!
    Thank you very much for this info, because I am a newbie and my programming skills are almost nothing, but I learn something new every day :) The other day the WP plugin WassUp stats showed me that my blog had a hack attempt and I was so nervous that maybe something had happened, but now, after reading your article, I can be a bit calm… just changed chmod in my file manager :)
    Thanks again!
    Inga

  37. # 37 ilk sayfa has said:
    July 17th, 2009 at 11:27 am

    Thanks for your share. Great article for seo and google

  38. # 38 Thomas Roman has said:
    August 3rd, 2009 at 10:46 am

    Holy crap! I was wondering what was wrong with my search results, thanks for the info.

  39. # 39 What is New has said:
    August 7th, 2009 at 1:43 am

    Well, I liked it, really good stuff on .htaccess, but I am still not clear on how it happened..

  40. # 40 Rudi has said:
    August 18th, 2009 at 1:51 am

    What about setting up a cron job to recreate your htaccess file daily or something like that? Any comments on this?

  41. # 41 Fania has said:
    August 19th, 2009 at 12:58 pm

    thanks very much for your posting. Honestly say, I didn’t realize this problem before this, thanks again.

  42. # 42 Matthew Bradbry has said:
    August 21st, 2009 at 4:56 pm

    mmm, I don’t understand? I don’t see any anti-virus software in the snip-it page from Google? -1st result is Twitter what are you doing?, I am clearly missing the plot?

  43. # 43 klip izle has said:
    August 27th, 2009 at 6:58 am

    Wow… very enlightening. Off to check my .htaccess file. Thanks!

  44. # 44 Christian has said:
    August 29th, 2009 at 11:41 am

    So, how are people writing to the files without access?

  45. # 45 free cna classes has said:
    September 24th, 2009 at 11:00 am

    Definitely good post, Im gonna see if I can actually incorporate it now into what I do, thx again.

  46. # 46 medical assistant training has said:
    September 29th, 2009 at 2:29 pm

    Interesting I never thought of that. I have the mozilla firefox safe browsing feature so I tend to stay in good neighborhoods but you make a good point.

  47. # 47 Claudia has said:
    October 22nd, 2009 at 3:12 am

    Its really a great post especially for me David.
    thanks for the information!!

  48. # 48 mjoh02 has said:
    October 24th, 2009 at 10:21 am

    Answer to post #31 & #32

    Two ways: you can find the software in hackers forum( SE’ it) or hire a coder/hacker to create the software for you.

  49. # 49 Jonas has said:
    October 24th, 2009 at 1:30 pm

    Thanks, another necessary thing to keep my eyes on.

  50. # 50 Todd has said:
    October 30th, 2009 at 8:31 am

    Do I need to be concerned this could happen on static sites, or only dynamic sites? BTW ~ My computer was displaying similar “correct” google results a while ago, but upon clicking any of them I was transported to various spam-like sites. I have no idea what caused it though…

  51. # 51 Rob has said:
    November 3rd, 2009 at 8:33 am

    This concerns me greatly because I’ve seen a lot of questionable results on Google showing dozens of websites that had no content other than the keyword(s) in amongst bible prose. The website titles and content had no relationship to the search term at all.
    When I attempted to visit these sites my browser warned of a virus/trojan.
    I believe Google has since discovered this problem – I warned them dozens of times about these crazy results and now I don’t see them anymore.
    I fear my own website has been “infected” and I’ve lost a huge amount of traffic as a result and probably had the website blacklisted. Somebody told me my sites were blacklisted although I could not find any proof of that. Just very poor visitor numbers despite being near the top of Google
    searches for those key words

  52. # 52 Annuity Rates has said:
    November 30th, 2009 at 10:43 am

    Good post, I never ever check my httaccess file. I will from now on of course.
    Kevin

  53. # 53 nanang has said:
    December 8th, 2009 at 7:16 am

    woow my experience will grow wealthy?

  54. # 54 southernwind has said:
    January 12th, 2010 at 2:36 am

    Actually I heard about the issue of hijacking back in 2009, but never got any clear information about it.

    Is there anything we can do against such an issue? Could anyone here reveal any breakthrough?

  55. # 55 kathleen inman has said:
    January 14th, 2010 at 9:30 am

    I too am asking if you would give more detail on how to access the info, and what to look for to fix this, please.
    Thank you for this post.
    Thank you, Kathy
