
The complexity of hacks – A case study

The complexity of hacks – where and why are they doing it?

A poor client was repeatedly getting his site hacked. All the usual clean-up methods were carried out, several times over. In the end we concluded it was a hole in the theme, and probably a compromised database, so a new site was rebuilt for him, identical in looks and content but totally clean.

A few days before we replaced it I had some time, so I went looking properly, after a lot of reading, and lo and behold: I found a back door. After so many hours, so many file inspections and so many visitor logs, I was furious. Then I really started to look.

Here is the hack URL: //wp-includes/pomo/index.php. The pomo folder was hacked and a replacement index page was loaded, with a nice easy "upload any file anywhere" button.


Then I was angry, so I set an ambush; I was going to find these buggers. I built a replacement page, removed the upload function and kept the page live. Then I put in a nice little bit of text to say hello to visitors to that page (LOL), added some analytics code from a redundant website and set it to watch live traffic in analytics. With that, I had the server logs open and went about my daily business.
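Watching the server logs for that path is the part of this that can be automated. The following is an added example, not code from the original post: a small Python scanner that parses Apache "combined" access-log lines and flags direct requests for PHP scripts under /wp-includes/ that the server answered with 200, then summarises them by path, method and referrer. The heuristic (WordPress core library files under /wp-includes/ are never requested directly by a browser, so a PHP script there that answers, and especially one accepting POSTs, is worth a look) is an assumption of the example, and the log lines, IPs and referrers are constructed.

```python
import re
from collections import Counter

# Constructed sample Apache "combined" log lines (not from the original post).
# Line 3/4 model the backdoor in the post: a GET arriving from a shortened
# Twitter link, followed by a POST (the "upload any file" form) to the same page.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2015:10:01:22 +1000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2015:10:01:23 +1000] "GET /wp-includes/js/jquery/jquery.js HTTP/1.1" 200 96000 "http://example.com/" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2015:10:05:01 +1000] "GET /wp-includes/pomo/index.php HTTP/1.1" 200 2211 "https://t.co/xxxx" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2015:10:05:40 +1000] "POST /wp-includes/pomo/index.php HTTP/1.1" 200 180 "http://example.com/wp-includes/pomo/index.php" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2015:10:07:13 +1000] "GET /wp-includes/pomo/index.php?cmd=ls HTTP/1.1" 404 210 "-" "curl/7.40"
"""

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["query"] = entry["path"].partition("?")[2]   # keep the query string separately
    entry["path"] = entry["path"].partition("?")[0]     # compare on the bare path
    return entry


def is_suspicious(entry):
    """Assumed heuristic: a PHP script under /wp-includes/ that answers 200 to a
    direct request. Core library files there are included by WordPress, not
    served to browsers, so a successful hit on one deserves inspection."""
    path = entry["path"]
    return (path.startswith("/wp-includes/")
            and path.endswith(".php")
            and entry["status"] == 200)


def scan(log_text):
    """Return the suspicious entries plus per-path, POST and referrer summaries."""
    entries = (parse_line(line) for line in log_text.splitlines())
    hits = [e for e in entries if e and is_suspicious(e)]
    return {
        "hits": hits,
        "by_path": Counter(e["path"] for e in hits),
        "posts": [e for e in hits if e["method"] == "POST"],
        # Referrers tell you where the traffic is being sent from (the post found
        # the path shared on Twitter); "-" means no referrer was supplied.
        "referers": Counter(e["referer"] for e in hits if e["referer"] != "-"),
    }


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for path, count in result["by_path"].items():
        print(f"{count:4d}  {path}")
    for e in result["posts"]:
        print(f"POST to {e['path']} from {e['ip']} at {e['ts']} (referer {e['referer']})")
    for ref, count in result["referers"].items():
        print(f"referer {ref}: {count} hit(s)")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a 404 on the same path (the last sample line) is deliberately not counted, because what matters is a script that actually answers. Once a path like /wp-includes/pomo/index.php shows up, compare that directory against a clean copy of the same WordPress version rather than trusting the file names.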

Then I got thinking and did a Google search for the folder string, and lo and behold, look what I found indexed on Twitter.



So I started researching the old mate who was sharing his "work" on Twitter with his mates in Russia, and then I found the referral page that was receiving the traffic from the hack. Very interesting. Then, strangely, the old hack page started getting a large and consistent stream of visitors, all from the same domain.


Ghost visits from a lovely mob in Japan known as  They also apparently do some nice work from Pornhub and a few other domains. Then it clicked: I had a client last week where I saw some of these ghost visits in analytics (interestingly, these visits do not show up in your server visitor logs; I think they are hacked analytics codes placed in other sites' pages or links).

The only way these immediate visits to the RECONSTRUCTED page could have been recorded in their systems is that they were triggered right after I visited the main linked page from the Twitter account reference, the page that the client's site with the topnews hack was referring to. Then, as a test, remembering the other site from the other week, I turned on real-time analytics, visited the old Pornhub link and bingo: the ghost visit, and then the good old guard link, started to fire off.

So here I am, now off to find the hack in the other site from the other week. I will let you know what I find… And hosting and security is now not just serious, it's bloody serious, because it now affects your analytics and maybe your rankings. More to follow…