The mistake I made that might cost me 30k and a rankings drop

Discussion in 'Black Hat SEO' started by BigBlue, Aug 13, 2011.

  1. BigBlue

    BigBlue Regular Member

    Well today I got hit with a nasty htaccess hack. Somebody hacked my ftp login details and
    changed the htaccess on all my sites to redirect search engine traffic to their site. From looking
    around on the web I believe it was this.
    Code:
    http://www.rockshirtplaza.com/hackTrak/
    This happened while I am selling my site, a site receiving a lot of search
    engine traffic and I am looking to get 25-30k for it so this might end up
    being quite costly since it has made my bounce rate 98% for the past 24
    hours and that will likely affect my rankings.

    After talking with my tech guy and to my hosting we believe the problem was
    my password was too simple... So here's the lesson guys. Make sure important
    passwords like ftp, cpanel, important emails etc. are all very long complicated
    gibberish with capitals, numbers and symbols.

    I have also read I shouldn't be using fireftp a firefox plugin for my ftp
    access because since it uses the browser to connect, there are vulnerabilities.

    So I now use a desktop ftp program.

    Anyways, just wanted to share, so if any of you are currently not using
    long complicated gibberish passwords you will change them now before you
    learn the hard way like I have. I know, dumb mistake on my part, but I am
    sure a few of you are doing the same, and I just wanted to save you the headache.

    Also anyone with any info on further ways to secure a FTP or cpanel login,
    or other vulnerabilities to watch out for, I would love to hear it.

    Edit: if you're using wordpress you may have a timthumb.php exploit. Info from Redstone.1337
    Use your cpanel to search your sites for a timthumb.php file and delete it or update if you have one on your site.
    More info here
    Code:
    http://timthumb.googlecode.com/svn/trunk/timthumb.php
    Thank Redstone below for pointing it out. I guess there was an announcement here on BHW too that I
    didn't see. If there is just one site on your server with the file, they have access to all of your sites.
     
    Last edited: Aug 13, 2011
  2. midnight_focus

    midnight_focus Power Member

    Sorry to hear it, but I guess you will gain your ranking quickly. Also check Webmaster Tools, G might mention something about it there.
     
  3. redstone.1337

    redstone.1337 BANNED BANNED Jr. VIP Premium Member

    I was also hit with an .htaccess hack today. As told by Hostgator it was due to an exploit in a wordpress theme on one of my sites which I guess was caused due to Wordpress Zero Day Exploit using timthumb.php. All the .htaccess on that particular cPanel were injected with codes which were redirecting all my sites to some Russian malware site. I went frenzy and deleted one of the sites from cPanel which I thought to be the possible culprit. :eek: :( The domains were fucked for more than 2 hours but fortunately my sites didn't lose their rankings.

    Just an advice: update all the timthumb.php on your server, otherwise you might end up losing some hard work.
     
  4. BigBlue

    BigBlue Regular Member

    Ah ok it could have been that rather than the password because my site is wordpress. I will check. Thank you.
     
  5. Swiss

    Swiss Power Member

    I'm very sorry to hear that, I hope it all goes well!

    It's good that you posted this thread, some people will definitely change their passwords if they're weak. Mine is as safe as this one: jdiOUja93.2Adp^1 :D
     
  6. ShadeDream

    ShadeDream Elite Member

    Well, a secure password is always a must. Having such a site and not having a secure password is a fairly "noob" thing. In regards to my post, I had my reason. Don't worry. ;)

    I'm not even talking about that one, and no, for your information no one else did. If you read the full thread properly you would have known that my complaint was valid, in one way or another. In regards to the rep that I left, well, when someone goes for desperate measures and does something like this:

    [​IMG]

    then they clearly deserve it.

    Anyway, back on topic, too bad, lesson learned. I personally either make up my passwords or generate them using this free and very useful tool:

    Code:
    https://secure.pctools.com/guides/password/
    You should check it out. ;)
     
    Last edited: Aug 13, 2011
  7. NVBpro

    NVBpro Registered Member

    I'm sorry for you man... hope this will not happen any more in future...

    I will create my passwords from now only with a password generator...
     
  8. angelas111

    angelas111 Jr. VIP Jr. VIP Premium Member

    Even be careful with desktop ftp because once I got a virus on my puter and it sniffed out my ftp and uploaded some crap to my sites.
     
  9. BigBlue

    BigBlue Regular Member

    ha, oh yes I remember, you had no clue what you were talking about in that
    thread and I enjoyed watching you blow up taking the thread off its topic
    (like you're doing on this one) whining about your precious rep going down.
    Was a good laugh. Anyway, you always do this, take a thread off
    topic when someone talks to you. You always have to get in the last word
    and are so worried about your forum rep and image. Just leave it bro, this
    thread is definitely not the place for this discussion...

    Thanks red. I will check out the timthumb. Since my site is wordpress it is
    probably the timthumb file. Plus the password wasn't that simple Yogi1957.
    Capital and numbers. Oh well, I didn't make it and should have known better
    to change it.
     
  10. BigBlue

    BigBlue Regular Member

    Ya I have had my comp scanned a few times to make sure I don't have a logger that is checking what I'm typing.
     
  11. ShadeDream

    ShadeDream Elite Member

    I just don't like fake people and actually I am keeping the thread on topic. In regards to exploits, you can take a look at:

    Code:
    http://www.exploit-db.com/webapps/
    It's a good site to monitor and keep track of.

    Edit: Or this one:

    Code:
    http://1337day.com/
    You choose. :)
     
    Last edited: Aug 13, 2011
  12. BigBlue

    BigBlue Regular Member

    Hey I searched my sites and found the timthumb file on one of my sites that
    was on the same ftp account and hosting, but the timthumb file wasn't
    found on my main site and most of my other sites had their .htaccess
    played with as well. So do they just need the timthumb file on just one of
    your sites in order to get access to the ftp or does it only give them
    access to the site that has the timthumb file on it? I deleted the timthumb
    file on the site I found it on.
     
    Last edited: Aug 13, 2011
  13. ShadeDream

    ShadeDream Elite Member

    ...

    Code:
    http://www.blackhatworld.com/blackhat-seo/blackhat-lounge/337505-wordpress-zero-day.html
     
  14. redstone.1337

    redstone.1337 BANNED BANNED Jr. VIP Premium Member

    All my sites were infected just because of a single timthumb.php in the same cPanel account. And do not delete the timthumb.php, as it is used by wp themes to resize images; rather, replace it with the updated and secured version.

    Link- http://timthumb.googlecode.com/svn/trunk/timthumb.php
     
  15. ShadeDream

    ShadeDream Elite Member

    It's kind of hard to miss it, the thread is in the announcements...

    In regards to your question, they (whoever hacked you) only needed access to the site that had the timthumb file in order to access all your other sites as long as they were within the same account.
     
  16. BigBlue

    BigBlue Regular Member

    Damn, nasty bug. Well the site that had it I wasn't really using, so I just
    decided to delete it rather than update.

    Thanks for the help red. It probably was the timthumb file, guess the tech and
    hosting guys were wrong. As shade already pointed out, there are already some
    threads on here warning about the timthumb exploit. I guess this will be just
    another warning. Use your cpanel to search your sites for a timthumb.php
    file and delete it or update if you have one on your site.

    Guess I should have been reading bhw a little more often, would have
    warned me ahead of time about the timthumb exploit :rolleyes:. Some terrible
    timing for someone to exploit my site.
     
  17. eternalfrost

    eternalfrost Regular Member

    [​IMG]
     
  18. ninny83

    ninny83 Junior Member

    I've had the same problem too.

    I've disabled ftp connects and added only sftp.

    I've installed wp file monitor to get mail alerts for each file that has been changed/deleted/added on my server....
     
  19. EvilPlankton

    EvilPlankton Junior Member

    Early detection can be critical under circumstances like this. I suggest folks use a 3rd party keyword monitor on their sites. There are free ones (like uptimerobot dot com) that will scan your site for keywords every minute or so. If the keyword disappears (like it probably would with a redirect), you would be paged or emailed within minutes.
     
  20. xhanuman

    xhanuman Junior Member

    Keyscrambler is another way to thwart key logging - or so I hope.
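
The two checks this thread converges on, finding any timthumb.php left anywhere in the hosting account and spotting .htaccess rules that send search-engine visitors to another host, as an added Python example that is not code from any poster. The rule shape it looks for, the search-engine list, the sample files and the host `redirect-target.invalid` are constructed assumptions.

```python
import os
import re

# Assumption: injected rules test the referrer or user agent for a search
# engine name, then redirect to an absolute URL on a host that is not yours.
COND = re.compile(r'^\s*RewriteCond\s+%\{HTTP_(?:REFERER|USER_AGENT)\}\s+\S*'
                  r'(?:google|bing|yahoo|msn|aol|ask)', re.I)
RULE = re.compile(r'^\s*RewriteRule\s+\S+\s+(\S+)', re.I)
EXTERNAL = re.compile(r'^https?://([^/:\s]+)', re.I)

# Constructed samples (not from the thread): an injected file and a stock one.
SAMPLE_INFECTED = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*
RewriteRule ^(.*)$ http://redirect-target.invalid/in.php [R=301,L]
"""
SAMPLE_CLEAN = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

def scan_htaccess(text, own_hosts=()):
    """Return [(line_no, host)] for search-gated redirects to foreign hosts."""
    hits, gated = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if COND.match(line):
            gated = True
        elif (rule := RULE.match(line)):
            ext = EXTERNAL.match(rule.group(1))
            if gated and ext and ext.group(1).lower() not in own_hosts:
                hits.append((no, ext.group(1).lower()))
            gated = False  # conditions only apply to the next RewriteRule
    return hits

def scan_account(root, own_hosts=()):
    """Walk every site under one hosting account; list findings per file."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if name.lower() == "timthumb.php":
                findings.append((path, "timthumb.php present, check its version"))
            elif name == ".htaccess":
                with open(path, errors="replace") as fh:
                    for no, host in scan_htaccess(fh.read(), own_hosts):
                        findings.append((path, f"line {no}: redirect to {host}"))
    return sorted(findings)
```

Point `scan_account` at the account's home directory rather than one site's folder, since the posters report every site under the same cPanel account being touched, and pass your own domains as `own_hosts` so legitimate canonical redirects are not flagged.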