Special offer
Home > Blogs > Marte Cliff > The Real Estate Copywriting Blog
bookmark_border

A Quick Warning...

By
Services for Real Estate Pros with Marte Cliff Copywriting

Earlier today I wanted to put a link to my Real Estate Career Builder course on my blog post.

When I insert a link I like to go to the page in question and do cut and paste with the URL so that I don't accidentally type it in wrong. But this time I couldn't get there by typing in www.promotemyrealestatecareer.com

The only way I could access the site was to add "/index.html" to the end of the URL. I thought it was just my computer so sent the link to my son to see if he could use it. No, he couldn't. But then it was time to go cook dinner so I didn't get back to worry about it until tonight.

I started checking and found that the ONLY one of my subdomains I could access was the one that is a Wordpress blog. So, I called GoDaddy.

What we found was that on September 4 someone, somehow, had uploaded a file called "index.php" to every one of my sub domains.So my home pages have essentially been missing for almost an entire week.

Talk about good marketing!

I have no idea how someone got access - and if someone figured it out and told me I'd never understand because I'm so non-techie - but all of the uploads were done within a few minutes of each other. Someone knew how to get in and play tricks.

Go Daddy is doing a scan and checking for other nasty stuff - and trying to figure out how this was done. In the meantime, they had me rename all those files rather than delete them. I'm not sure why. The good news is that all my domains are working again.

So... be careful. Go to your own site every day or so to make sure nothing similar has happened to you!

When you're counting on your website to gather leads, having it disappear is not a good thing!

Take care!

marte at http://www.copybymarte.com
www.copybymarte.com

Comments(58)

Subscribe to Comments Comment
Submit
Show All Comments
Mary Ann Daniell Realtor
Coldwell Banker United, Realtors - Subsidiary of NRT LLC - Killeen, TX
Delivering Successful Results Since 1999

I have no idea what all this means, but I'm going to have my webmaster check it all out!  Thanks for the heads up.

Sep 11, 2009 09:47 AM
Marte Cliff
Marte Cliff Copywriting - Priest River, ID
Your real estate writer

Mary Ann - good for you! I wish I had a webmaster to figure it out for me!

Sep 11, 2009 11:11 AM
Marte Cliff
Marte Cliff Copywriting - Priest River, ID
Your real estate writer

Hi Erica - I sure do. And I've never been very good at foreign languages!

I guess the bottom line with this was that I should have installed every Wordpress update. But now that I have one site completely disabled I have no clue about what to do with it. I may just junk it.

My other son said "Why didn't you back up the wordpress files?" Well, I might have if I had a clue about HOW to do that. He can be smug  because he understnands that foreign language.

Therefore - I think he should set all his own work aside and take care of mine. Don't you think that would be a good idea?

Sep 11, 2009 01:22 PM
Christine McInerney
Great Life RE - Knoxville, TN
The McInerney Team, Knoxville TN Homes For Sale
I just do not understand why someone would bother and waste their time and energy.
Sep 11, 2009 01:38 PM
Damon Gettier
Damon Gettier & Associates, REALTORS- Roanoke Va Short Sale Expert - Roanoke, VA
Broker/Owner ABRM, GRI, CDPE

they really need to pass some laws with teeth in regard to all of this Internet sabotage.

Sep 11, 2009 01:57 PM
Lane Bailey
Century 21 Results Realty - Suwanee, GA
Realtor & Car Guy

I don't know if the GoDaddy control panel has Simple Scripts for installing and maintaining your sites, but if it does, that is a great tool to keep everything up to date simply. 

Sep 11, 2009 04:36 PM
Roland Woodworth
Blue Cord Realty - Clarksville, TN
Blue Cord Realty

oh my... this is pretty scary that someone was able to get into your account and play these type games

Sep 11, 2009 05:01 PM
Tammie White, Broker
Franklin Homes Realty LLC - Franklin, TN
Franklin TN Homes for Sale

Wow that's incredible.  Thanks for the heads up.

Sep 11, 2009 05:04 PM
Marte Cliff
Marte Cliff Copywriting - Priest River, ID
Your real estate writer

As near as I can figure out, my domains weren't targeted specifically. It all has something to do with a worm in the old version of Wordpress.

Since all this started I've learned that I should have been updating every time I saw a notice that an update was available. So... if you have wordpress, heed those notices and update every time!

Damon - I think there are laws. Every once in a while I hear about someone going to jail for internet crime. But since whoever created the worm could be anywhere in the world, it would probably be pretty hard to punish them.

I really think the point of all this is that someone just needs to show their power - prove that they can do it. Seems kind of sick to all of us, but fills a need for them.

I'm still trying to figure out a way to get one site back. The others appear to be working now.

Sep 11, 2009 06:27 PM
Missy Caulk
Missy Caulk TEAM - Ann Arbor, MI
Savvy Realtor - Ann Arbor Real Estate

marte, Word Press has been under attack for weeks now. I updated mine this week, well not actually me, because I am scared to death of touching anything but  fellow rainer here updated for me.

DM'd me on Twitter and told me to do it NOW. So he did.

Godaddy should know about this problem, been all over Twitter and the net.

When WP does an update, it is usually for security bugs they have found.

Those darn hackers.

Sep 11, 2009 10:44 PM
Anonymous
Thomas J. Raef

I don't want to seem like a know-it-all but, it sounds to me like this wasn't the Wordpress worm since you stated that it hit some of your other websites as well.

I do website security and I've read the responses here and thought I would shed some light on the situation.

First of all, when something like this happens I look for the common denominator, which unfortunately is you Marte. What hackers do is infect as many computers as they can with a virus. I know everyone runs an anti-virus program on their computers but anti-virus programs are easy to bypass, trust me.

What the virus does is it steals your website login information. I don't what program you use to update your website, but most people have the program store the username and password so they don't have to retype each time they want to update their website. The virus knows where this information is stored so it finds it, reads it and then sends it to a server that's waiting. When the server gets the login information it automatically logs in to your website, modifies the files and then moves on to the next website. I've seen this happen on thousands of websites a day.

Many people, after hearing this think, "I'm not going to store my username and password in my software any more". But the virus has already been programmed to handle this. It's also a keyboard logger. So when you open your program and type in the username and password, it records it from your keystrokes and then sends it to the server and...

If I were your website security guy, I would recommend that you install a new anti-virus program on every PC that's used to update your website. Why? Because the virus already knows how to evade detection of your current anti-virus program. I've been recommending AVG, Avast, Avira or Malwarebytes and they've worked well for many. If you're already using one of these, then install one of the others listed. It has to be different from what's currently being used.

Step 1. Install a new anti-virus, scan and clean every PC with login information to your website.

Step 2. Change your password to your website. Most people use FTP to update their website, this password and all passwords need to be changed on the website.

Step 3. Clean your website from the infection. If you have a good backup of your site, then re-upload the infected files from your backup. If you don't have a good, clean backup then you'll have to have someone clean the files for you. I'll go out on a limb here and offer to do it for free.

Step 4. Your site has probably been flagged by Google as being suspicious which means people using Firefox or Safari as their browser will get a big warning if they try to go to your site. You have to request a review with Google.

This virus is very sneaky but I believe it may be how your site was hacked.

One more thing for those who don't understand why hackers do this. They get paid to do it. The more PCs they infect the more junkware they install on PCs, the more money they make. There are people who pay to have their junkware installed. A hacker can remotely install this junkware on thousands or millions of PCs and make 30 cents for every install. Multiply that by thousands and you have a nice income while sitting in some country where the average monthly income is less than $1,000 US.

Sep 11, 2009 11:45 PM
#49
Stacy Nelson
Keller Williams Realty, Temecula - Temecula, CA

Thank you for the reminder... sometimes we all need to remember to check the oil on our marketing vehicles!

Sep 12, 2009 01:25 AM
Dawn Maloney
RE/MAX Trinity Northeast Ohio Real Estate Specialist - Hudson, OH
330-990-4236 Hudson & Northeastern Ohio

Marte, I've had this happen, what a pain! #49 comment is very insightful - I'm lucky...my husband is an IT professional, and he cleans up messes like this with me. He can remotely help you from here if you don't have a tech close by. Let me know if you need anything else!!!

Sep 12, 2009 04:27 AM
Marte Cliff
Marte Cliff Copywriting - Priest River, ID
Your real estate writer

Missy - I don't know how I missed all that informaion. But I haven't been on Twitter much lately, and seldom go to Facebook or the others. Just can't find the extra time!

Stacy - I just hope my experience will keep someone else from the same thing.

Dawn - You are indeed fortunate. I know there must be a smart tech person somewhere in this community, but I haven't found them. I do have friends who have found the WRONG ones!

Thomas - Thank you for all this. My mind is now spinning. I'm so non-tech that I get scared just thinking about all this.

It sounds like the first step is to get another anti-virus and install it. I already have AVG and Malware Bytes. Do I have to uninstall one or both of them first?

I changed my password yesterday - but just one. Are there others somewhere? My Godaddy account is set up so that one domain is the primary one and it "hosts" the others. I never can remember the right jargon for that, but I expect you know what I mean. I just log in to one domain to upload to all of them.

Backup - all of my "regular" files are on my hard drive - but none of the Wordpress posts or pages. I have never figured out how to do that - only heard that annoying phrase "You can."  I hate it when instructions say "you can" but then don't say how. And of course, if the instructions were there and in tech-speak, I still wouldn't know how.

Most of my files are also backed up to an external hard drive. I don' t get this done every day or even every week, but most of them are there.

How would I know if those are "clean" files? For that matter, how would I know which uploaded files are infected?

What we found was that each of my domains had received a file called index.php When I either deleted or renamed that file, my sites were visible again.

That caused a blank page to come up when I tried to go to any of my domains. The only one that wasn't affected was the one that is only Wordpress - and that's the one that doesn't work now that I updated Wordpress. Since I don't know how to back up those files, should I assume that the posts and pages on that site are gone for good?

In step 4 - How does one request a review with Google?

And finally, what is the point? You say they're paid to do this, so someone must benefit. What is the benefit?

I'd be happy to take you up on your offer - but it looks like there's some work I need to do first. Right?

And right now, darn it, I have to leave for several hours. When I get home I'll go in search of one of the anti-virus programs you mentioned.

Thanks again,

Marte

 

 

Sep 12, 2009 04:56 AM
Anonymous
Thomas J. Raef

Marte,

Did you not have an index.php on your site before? That's is one of the typical "home" pages for a website so maybe they uploaded an index.php to other directories, but the main one was yours from before, just with some bad code inserted into it. So maybe that one just needed to be cleaned.

Your posts and pages for Wordpress are stored in a database on your site. Again, if you need help getting that back up and going, let me know. Since our online service isn't up yet, all I ask for is a testimonial that I can post on my website in return for helping you out - that's all.

In Step 4 to request a review from Google, you'll have to login or create a Webmaster account in Google's Webmaster Tools. Then you'll have to verify that you're the owner by inserting some code on your site and selecting a button on the Tools page titled "Verify". Then you'll see a brown bar in the Google Webmaster tools that notifies you that your site is listed as suspicious. When you click on that you'll see a link that says, "Request a review". That notifies Google that your site has been cleaned and ready for them to look at again.

Let me know what you want to do...

Sep 12, 2009 11:50 AM
#53
Marte Cliff
Marte Cliff Copywriting - Priest River, ID
Your real estate writer

Thomas... Could you send me your email address so I could contact you? You can reach me at

writer@marte-cliff.com.

 

Thanks,

Marte

Sep 19, 2009 07:32 PM
Anonymous
Thomas J. Raef

Marte,

I have responded to your request and sent you an email. My offer extends to all other readers here as well.

It's laborious and time consuming, but it's the cause I'm dedicated to. Besides, we always learn something new from every client we help. Education is priceless and helps us to improve our service.

Thank you.

I look forward to working with you Marte.

Sep 20, 2009 01:54 AM
#55
Marte Cliff
Marte Cliff Copywriting - Priest River, ID
Your real estate writer

Thanks Thomas - that's very generous. I've written you back...

Did you know that your comment link is not live? That's why I wrote you via this blog...

My guess is that there are others here who would avail themselves of your offer, but they need an email address, or at least a link to you here on Active Rain.

 

Sep 20, 2009 05:40 AM
Anonymous
Thomas J. Raef

Marte and others who might need my assistance,

I can be reached via email at: traef@wewatchyourwebsite.com

If you'd like to learn more about me, please Google "Thomas J. Raef" with the quotes. You'll see how active I've been online helping those with hacked websites. You'll also find me frequently on www.badwarebusters.org.

My offer stands to anyone who reads this. I'll help you clean your site, or detect possible points of intrusion - for free.

Thank you.

Sep 20, 2009 07:08 AM
#57
Marte Cliff
Marte Cliff Copywriting - Priest River, ID
Your real estate writer

My website is fixed, thanks to Thomas Raef... please see my new post for the details:

From Total Frustration to Peace in One Easy Step

 

Again... Thank You Thomas!

 

Marte

Sep 23, 2009 11:18 AM
Back to Top

What's the reason you're reporting this blog entry?

Are you sure you want to report this blog entry as spam?