The domain name was created 18 days ago and is said to be owned by someone named MichellGregory. The IP address suggests the server may reside somewhere in Ukraine. The contact information for the site lists Michell as somewhere in the 2767729 zip code, with a phone number of 1-387-900 and a fax of 1-387-900. I tried calling but couldn't get through. Hmmm. Maybe I'll drop him a letter in the mail.
I would like to talk to Michell. I would even pay for lunch just to find out how he might be connected to a recent attack on a number of websites (one I cared about) that ruined yet another weekend, and most of today, cleaning up after some hackers who spewed their code like out-of-control schoolkids with an attitude problem.
I understand hackers with a cause. We were here! You suck! Obama is Satan. John and Sarah are a perfect match. Whatever. I would never spend my time this way, but I understand it.
Sites that hijack your traffic and redirect you to pay-per-click adult sites? I get it. It's nasty, but it's a monetary model with a history of generating revenue.
Here's the Warning
If you run a WordPress site, or any CMS, be alert to any unusual errors. You might see a simple PHP error, on either the public front end or the admin side of a site. In our case, one of our users was unable to upload a file. It could have been just some harmless permissions setting. What I found was pretty scary.
First, some remote access software had been installed on the site. It gave anyone with knowledge of that location full file access to the entire server. A script had then been run that appended some JavaScript to just about every index.html and inserted it into random PHP files. (Not actually a great hack: it should have prepended the code rather than tacking it on to the end, and inserting it at random into PHP files is a bad plan, since all that does is break pages and alert people to the problem.) Anyway, it was a mess. Without a clean backup, the site would have been toast.
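The pattern described above (one payload tacked on after the closing `</html>` of nearly every index.html, and dropped into assorted PHP files) is easy to hunt for because the same block shows up in many files. The following scanner is an added example written for this post, not code from the original article or from WordPress: it walks a web root, pulls out `<script>` blocks that sit after `</html>` in HTML files (and any `<script>` block in PHP files), and reports blocks that repeat across several files. The sample site it builds in a temp directory and the payload string in it are constructed for illustration; the `min_files` threshold is an assumed knob, not anything from the incident.

```python
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Anything after the closing </html> tag is suspect in a static page.
TAIL_RE = re.compile(r"</html>\s*(.+)$", re.IGNORECASE | re.DOTALL)
# A whole <script ...>...</script> block, tags included.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

WEB_SUFFIXES = {".html", ".htm", ".php"}


def trailing_script_blocks(text):
    """Return the <script> blocks that appear AFTER </html> in an HTML page."""
    match = TAIL_RE.search(text)
    if not match:
        return []
    return SCRIPT_RE.findall(match.group(1))


def scan(webroot, min_files=2):
    """Walk webroot and return {payload_digest: [paths]} for every script
    block that occurs in at least min_files different files.

    HTML files: only blocks after </html> are considered (legitimate pages
    put their scripts inside the document). PHP files: any script block is
    considered, since the attacker dropped the payload into random PHP too;
    the cross-file repetition threshold keeps theme scripts out of the report.
    """
    seen = defaultdict(list)
    for path in Path(webroot).rglob("*"):
        suffix = path.suffix.lower()
        if suffix not in WEB_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if suffix == ".php":
            blocks = SCRIPT_RE.findall(text)
        else:
            blocks = trailing_script_blocks(text)
        for block in set(blocks):
            digest = hashlib.sha256(block.encode()).hexdigest()[:16]
            seen[digest].append(str(path))
    return {d: sorted(p) for d, p in seen.items() if len(p) >= min_files}


# Constructed sample payload; stands in for whatever the real injection was.
INJECTED = ('<script type="text/javascript">'
            '/* constructed sample payload */document.write("x");</script>')


def build_sample_site():
    """Create a throwaway web root that mimics the incident: three infected
    index.html files, one clean one, one infected PHP file and one PHP file
    with its own legitimate script. Returns the root path."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    clean_page = "<html><body><p>hello</p></body></html>\n"
    for sub in ("", "about", "blog"):
        d = root / sub
        d.mkdir(parents=True, exist_ok=True)
        (d / "index.html").write_text(clean_page + INJECTED + "\n")
    (root / "contact").mkdir()
    (root / "contact" / "index.html").write_text(clean_page)
    (root / "wp-content").mkdir()
    (root / "wp-content" / "footer.php").write_text(
        "<?php echo 'footer'; ?>\n" + INJECTED + "\n")
    (root / "wp-content" / "header.php").write_text(
        "<?php echo 'header'; ?>\n<script>var legit = 1;</script>\n")
    return root


if __name__ == "__main__":
    for digest, paths in scan(build_sample_site()).items():
        print(f"payload {digest} found in {len(paths)} files:")
        for p in paths:
            print("   ", p)
```

Point `scan()` at a real document root with `min_files` set to something like 5 and the repeated-payload list becomes your cleanup checklist; file modification times on those hits also tell you roughly when the script was run, which is the window to check in the web server and FTP logs.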
If you run into this, check out Stephan Miller's blog, where we exchanged notes about it today while it was still unfolding.
Oh yeah, one more thing: don't trust your hosting company to fix these types of events. If they do, consider yourself lucky. Make sure YOU are doing your own backups and have actually tested the restore process. And a restore alone is not a fix: if the remote access software is still sitting on the server, or whatever let them install it is still open, they will simply come back.
Hey Michell. If you're reading this, drop me a note. Lunch is on me.