The complexity of hacks – A case study

The complexity of hacks – where and why are they doing it?

A poor client was repeatedly getting his site hacked.  All the usual methods were carried out several times.  In the end, we resolved it was a theme hole, and probably a hacked database and a new site was rebuilt for him, identical in looks and content, but totally clean.

A few days before we replaced it I had some time, so I went really looking, following lots of reading and low and behold.  Found a back door.  After so many hours and so many file inspections, visitor logs, I was furious.  Then, I really started to look.

Here is the hack url //wp-includes/pomo/index.php, the pomo folder was hacked and a replacement index page was loaded, with a nice easy upload any file anywhere button.

pomo-hack

Then I was angry, so I set an ambush, I was going to find these buggers.  Replacement page built, removed the upload function and kept the page live.  Then I put in a nice little bit of text to say hello to visitors to that page LOL, and put in some analytics code from a redundant website and set to watch live traffic in analytics.  With that, had server logs open and went about my daily business.

Then I got thinking and did a Google search for the folder string and low and behold look what I found indexed on Twitter?

top-news-index

 

So, I started researching the old mate who was sharing his “work” on twitter with his mates in russia, and then I found the resulting referral page that was receiving the traffic from the hack, very interesting.  Then, strangely, on the old hack page a large and consistent stream of visitors, all from the same domain.

GHOST-VISITS

Ghost visits from a lovely mob in Japan known as guardlink.org.  They also apparently do some nice work from pornhub and a few other domains.  Then it tweaked, I had a client last week that I saw some of these ghost visits in analytics (interestingly these visits do now show up in your server visits logs, but are hacked analytics codes I think in other sites pages or links)

The only way these immediate visitors to the RECONSTRUCTED page, recorded in their systems, could have been triggered immediately after I visited that main linked page from the twitter account reference, that the clients site that had the topnews hack referring to.  Then as a test, remembering the other site the other week I turned on analytics real time, visited the old porn hub link and bingo, the ghost visit and then good old guard link started to fire off.

So here I am now off to find the hack in the site from the other site from the other week.  I will let you know what I find… And, hosting and security is now not just serious, its bloody serious, because it now affects your analytics and maybe your rankings, more to follow…

 

 

 

 

 

 

 

 

 

 

 

 

Back to top ^

Switch to desktop version