My site got hacked. And it was kinda fun.

Programmpower.ru said: FU

I recently got a direct message on twitter from the fantastic Karen Lopez (b|t), who let me know my blog was redirecting to another site — a site called ‘programmpower.ru’.

I don’t know about you, but there’s something strange and just icky about that URL.

Karen is super savvy, so she told me right off that she was only seeing this in Firefox, and only when she left off the www. So while ‘http://littlekendra.com’ was up to no good in Firefox, ‘http://www.littlekendra.com’ was standing strong, and other browsers weren’t having the issue. (That pattern matters: a redirect that depends on the browser and on the exact hostname is a redirect that is looking at request headers, which narrows down where it can live.)

Where do you start?

It’s been a while since I’ve worked with stuff like this, but it was a fun challenge.

The first thing I wanted to verify was whether people were reaching my site at all when the issue occurred. Were requests actually getting to my server at littlekendra.com, receiving a response, and only then being redirected? Or were they never getting there (a DNS or hosting problem rather than something on my server)?

This was probably my first question because I know from experience that it’s very easy to answer.

I decided to crack open Fiddler, my favorite old HTTP debugging proxy. “HTTP debugging proxy” may sound pretty fancy, but this is really just a simple, friendly little tool that sits between your browser and the network and shows you every request the browser sends and every response that comes back, including the status code and Location header of a redirect.

Then I realized that Fiddler only runs on Windows. I was sad, but this is clearly the very definition of a first world problem (nerd edition). A little searching and I found a Firefox add-on called TamperData that’s quick, free, easy, and did the trick on my Mac.

TamperData said: the request reaches www.littlekendra.com, my server answers it, and that answer is what redirects you off to the land of evil.

Oh my. I’ve been hacked.

Maybe I’m getting older and wiser. Maybe once you break something enough times you just stop getting upset. (My description of someone who’s an MCM is “someone who’s gotten into trouble, and then had to fix it. A lot.”) But I didn’t really mind.

These things happen— if you have a website long enough, it’ll probably get hacked. And these things are usually pretty easy to fix with a little searching.

Is it JavaScript?

If the issue was happening after reaching my site and only with one browser, I thought perhaps there was some JavaScript being executed that only affected Firefox. Well, that’s easy to check too: just disable JavaScript in Firefox and see if you can still reproduce the issue. Thanks, Rob Farley! (b|t)

I did that, and the issue still happened. So the redirect was coming from the server, not from anything running in the browser.

I guess it’s time to ask the internet…

Sure enough, I did a little more searching and I found that I was very likely the victim of an .htaccess hack.

.htaccess is a small Apache configuration file that lives in your web directory, and you can do all sorts of tricks with it, including rewriting and redirecting requests. Which means people can play tricks on you with it. The most common hack is to add hundreds of blank lines after what looks like the end of the file, and then put the redirect rules far below, where you’ll never think to look. The injected rules usually include RewriteCond lines that test request headers such as User-Agent, Referer, or Host, so only some visitors (one browser, people arriving from a search engine, or only the bare domain) get redirected and the site owner, who checks in a different browser, sees nothing wrong. Oh, how devious.

But how did it get there?

Before I fixed the symptom, I wanted to make it harder for the same thing to happen again. It wasn’t a super-emergency (there aren’t THAT MANY of you reading this live; I know you love your RSS feeds), so I spent a little time on the root cause before the redirect itself. Normally I’d do that in the opposite order in a production environment, but it’s my own website so I do what I want!

I checked with my theme provider, and sure enough there was a recent fix for a vulnerability that can allow this kind of hack: the Woo Themes TimThumb bugfix. TimThumb is an image-resizing script bundled with many WordPress themes, and the 2011 bug let an attacker write files onto the web server, which is exactly what someone needs in order to tamper with .htaccess. In no time at all I got my site updated by following the guide to update the Woo Framework and my theme.

How do you confirm if it’s a .htaccess hack?

You need to take a look at your .htaccess file. You can’t see it through the WordPress admin UI in a web browser; you need to either log onto the host (if you’re running your own server) or connect via the magic of FTP. Keep in mind that Apache honors an .htaccess in any directory under your web root, not just the top level, so check subdirectories (wp-content, wp-includes, uploads) too.

I fired up my trusty FireFTP add-on, and got to the difficult task of remembering my user name and password for FTP access. This was easily the hardest part of the fix.

After you connect with FTP, save yourself a little frustration by enabling your FTP program to show hidden files. In FireFTP this is under Tools/Options on the General tab.

Then head on down to the root of your website. This can be configured in different ways, but it may be at web/content. Just cruise on around until you find a .htaccess file, which will probably appear to be grayed out because it’s a hidden file.

FTP that file down to a place on your local system and open it to give it a look. Don’t forget that hacks of this file normally pad it with a lot of blank lines, so the top of the file looks perfectly normal: scroll all the way down to the end, and jump to the last line rather than trusting what fits on one screen. If this is your issue, you should see a bunch of RewriteCond/RewriteRule or Redirect lines down there pointing at a domain that isn’t yours. The file’s modification time is another tell: if .htaccess was changed on a day you didn’t touch the site, something else did.
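To make the check described above (and the header-based trick explained in the .htaccess section) concrete, here is an added example, not the author’s file or tooling, that scans an .htaccess for blank-line padding, lists redirects to hosts that aren’t yours, and then evaluates the RewriteCond chains for a given Host and User-Agent to show which visitors would be redirected. The sample .htaccess is constructed for the example; the hostnames it uses are the ones from this post and the mod_rewrite evaluation is deliberately simplified (no [OR] flag, no test of the RewriteRule pattern against the URL path).

```python
"""Scan an Apache .htaccess for the padded-redirect trick and test which
visitors it would send away. Added example; not the author's file or tooling."""
import re
from typing import Dict, List, Optional

# Constructed sample (not the real file): WordPress's standard block, then a
# long run of blank lines, then a conditional redirect keyed on Host and UA.
SAMPLE_HTACCESS = (
    "# BEGIN WordPress\n"
    "<IfModule mod_rewrite.c>\n"
    "RewriteEngine On\n"
    "RewriteBase /\n"
    "RewriteRule ^index\\.php$ - [L]\n"
    "RewriteCond %{REQUEST_FILENAME} !-f\n"
    "RewriteCond %{REQUEST_FILENAME} !-d\n"
    "RewriteRule . /index.php [L]\n"
    "</IfModule>\n"
    "# END WordPress\n"
    + "\n" * 300
    + "RewriteCond %{HTTP_HOST} ^littlekendra\\.com$ [NC]\n"
    "RewriteCond %{HTTP_USER_AGENT} Firefox [NC]\n"
    "RewriteRule ^(.*)$ http://programmpower.ru/ [R=302,L]\n"
)

# Directives that can send the visitor somewhere else.
REDIRECTING = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?|ErrorDocument)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s\"']+)", re.I)
# Request headers attackers condition on so only some visitors get redirected.
HEADER_VAR = re.compile(
    r"%\{(HTTP_USER_AGENT|HTTP_REFERER|HTTP_HOST|HTTP_COOKIE)\}", re.I)


def scan_htaccess(text: str, own_hosts: List[str], pad_threshold: int = 20) -> Dict:
    """Report the longest blank-line run, the first directive hidden below a
    long run, header-based RewriteConds, and redirects to hosts not in own_hosts."""
    own = {h.lower() for h in own_hosts}
    out: Dict = {"padding_run": 0, "hidden_from_line": None,
                 "conditions": [], "external_redirects": []}
    run = 0
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            run += 1
            continue
        out["padding_run"] = max(out["padding_run"], run)
        if run >= pad_threshold and out["hidden_from_line"] is None:
            out["hidden_from_line"] = n
        run = 0
        m = HEADER_VAR.search(line)
        if m and line.lstrip().lower().startswith("rewritecond"):
            out["conditions"].append((n, m.group(1).upper()))
        if REDIRECTING.match(line):
            for host in URL_HOST.findall(line):
                if host.lower() not in own:
                    out["external_redirects"].append((n, host))
    out["padding_run"] = max(out["padding_run"], run)
    return out


def _cond_holds(cond: List[str], env: Dict[str, str]) -> bool:
    """Evaluate one RewriteCond of the form  %{VAR} [!]regex [NC].
    Variables not modelled here (REQUEST_FILENAME etc.) are assumed to hold,
    which errs toward reporting a rule as reachable."""
    var = re.fullmatch(r"%\{(\w+)\}", cond[0])
    if not var or var.group(1).upper() not in env:
        return True
    pattern = cond[1]
    negate = pattern.startswith("!")
    flags = re.I if len(cond) > 2 and "NC" in cond[2].upper() else 0
    hit = re.search(pattern.lstrip("!"), env[var.group(1).upper()], flags) is not None
    return hit != negate


def redirect_target(text: str, host: str, user_agent: str) -> Optional[str]:
    """Walk the file the way mod_rewrite would (simplified: no [OR], and the
    RewriteRule pattern is not tested against the path) and return the external
    URL this Host/User-Agent pair would be sent to, or None."""
    env = {"HTTP_HOST": host, "HTTP_USER_AGENT": user_agent}
    pending: List[List[str]] = []   # RewriteConds ahead of the next RewriteRule
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending.append(parts[1:])
        elif directive == "rewriterule":
            fires = all(_cond_holds(c, env) for c in pending)
            pending = []
            if fires and parts[2].lower().startswith(("http://", "https://")):
                return parts[2]
    return None


if __name__ == "__main__":
    report = scan_htaccess(SAMPLE_HTACCESS, ["littlekendra.com", "www.littlekendra.com"])
    print(report)
    ff = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20100101 Firefox/5.0"
    print("bare domain, Firefox :", redirect_target(SAMPLE_HTACCESS, "littlekendra.com", ff))
    print("www, Firefox         :", redirect_target(SAMPLE_HTACCESS, "www.littlekendra.com", ff))
```

Run it against a downloaded copy by replacing SAMPLE_HTACCESS with the file’s contents; a non-empty external_redirects list, or a hidden_from_line hundreds of lines past the last line you recognise, is the signature of this hack. The redirect_target check reproduces why Karen saw the problem only on the bare domain in Firefox: both RewriteCond lines have to match before the RewriteRule fires.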

How’d I fix it?

First, I saved a copy of the file under a different name. Any time you make a change like this, keep a copy if you can, just in case things go from bad to worse, and because the original is evidence of what the attacker actually did.

Then I cleared out all the evil redirect code, along with the padding above it, and saved the file on my local machine.

I then overwrote the file in my root directory with the cleaned copy.

Presto-chango: after clearing the cache in Firefox, I could no longer reproduce the issue. The whole thing took less time than it took to write this blog post. And strangely, it really was kinda fun! One caveat: cleaning .htaccess removes the symptom, not the cause. If the vulnerable script is still in place, or the attacker left a PHP file of their own behind, the redirect will simply come back, which is why the theme update came first.

Don’t forget to back that up

Now’s a good time to export all your WordPress content (Tools -> Export), dontcha think? I think I’ll go change some passwords for fun, too.

Update

It looks like I missed a step! Here’s a handy WordPress.org FAQ: My Site Was Hacked. There’s a sequence you should follow in your cleanup:

  • Change your passwords;
  • Regenerate WordPress keys and update them in your wp-config.php file (details on how to do this in the FAQ linked above);
  • Then change your passwords again.
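The key-regeneration step above is worth automating, because a wp-config.php that still carries the install-time placeholder (or a short, hand-typed value) for any of the eight keys and salts keeps old login cookies valid. The following is an added example, not WordPress’s own code: it lists the keys that are missing, still set to the placeholder, or too short, and then rewrites the file with fresh random values. The wp-config.php fragment is constructed for the example, and the character set used for new values is an assumption (anything printable except the quote and backslash that would break a PHP single-quoted string), not WordPress’s exact generator alphabet.

```python
"""Find WordPress keys/salts left at the install default and rotate them.
Added example; not WordPress's own code."""
import re
import secrets
import string
from typing import List, Tuple

WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # what a fresh wp-config.php ships with
MIN_LEN = 32
# Assumed alphabet: printable ASCII minus the two characters that would break a
# PHP single-quoted string. Not WordPress's exact generator alphabet.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")
DEFINE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)\s*;")

# Constructed wp-config.php fragment: two keys still default, one too short,
# one missing entirely, plus an unrelated define that must be left alone.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'blog');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'tooshort');
define('NONCE_KEY',        'a7#kF9!zQ2@pL5^mX8&vB1*cN4(dR6)eT0-gY3+hU7=iW2{jO5}kA8[lS1]mD4');
define('AUTH_SALT',        'b3%Kf7!Zq1@Pl4^Mx9&Vb2*Cn5(Dr8)Et1-Gy4+Hu6=Iw3{Jo7}Ka0[Ls2]Md5');
define('SECURE_AUTH_SALT', 'c9%Kf1!Zq7@Pl2^Mx3&Vb8*Cn0(Dr5)Et4-Gy1+Hu9=Iw6{Jo2}Ka3[Ls7]Md8');
define('LOGGED_IN_SALT',   'd2%Kf6!Zq3@Pl9^Mx1&Vb4*Cn7(Dr0)Et8-Gy5+Hu2=Iw1{Jo9}Ka6[Ls3]Md0');
$table_prefix = 'wp_';
"""


def weak_keys(config: str) -> List[str]:
    """Names of the eight keys that are missing, still the placeholder, or short."""
    found = dict(DEFINE.findall(config))
    return [k for k in WP_KEYS
            if k not in found or found[k] == PLACEHOLDER or len(found[k]) < MIN_LEN]


def new_key(length: int = 64) -> str:
    """A fresh key from the OS CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config: str) -> Tuple[str, List[str]]:
    """Return the config with every key/salt replaced by a fresh value (missing
    ones appended) and the list of names touched. Other defines are untouched.
    In a real wp-config.php the appended lines belong above the
    'That's all, stop editing!' marker, so move them if your file has one."""
    changed: List[str] = []

    def replace(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name not in WP_KEYS:
            return m.group(0)
        changed.append(name)
        return "define('%s', '%s');" % (name, new_key())

    out = DEFINE.sub(replace, config)
    for k in WP_KEYS:
        if k not in changed:
            out += "define('%s', '%s');\n" % (k, new_key())
            changed.append(k)
    return out, changed


if __name__ == "__main__":
    print("weak before:", weak_keys(SAMPLE_WP_CONFIG))
    rotated, names = rotate_keys(SAMPLE_WP_CONFIG)
    print("rotated:", names)
    print("weak after:", weak_keys(rotated))
```

Rotating all eight values at once invalidates every existing session cookie, which is the point: anyone who logged in with a stolen or guessed password is logged out, and the FAQ’s “change your passwords again” step then ensures the new cookies are issued against new credentials.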
I’m not sure that this has resolved my problem completely. I’m considering planning a time to reinstall cleanly. Since I have everything exported, I have the luxury of waiting a bit to see.


One Response to “My site got hacked. And it was kinda fun.”

  1. Airborne Geek August 19, 2011 at 7:29 pm

    Been there, done that (sort of). Few weeks ago, I found my site in an abruptly stripped-down state–it simply said “Owned.” Scared the crap out of me. Someone had gotten in and replaced the main PHP page with one that just displayed that text. No scary JavaScript, no redirects, nothing else modified; just a simple defacing. It was a little weird.

    I was behind on updating WordPress at the time, so, since there wasn’t anything else modified or messed with, I assume that they got in through a vulnerability that I hadn’t patched yet. So, that’s another point–Keep WP updated!
