
Hacking. A cautionary tale…

September 7, 2006 by tim 

The Freedom List has been badly hacked.

I’ve also been foolish - but let me explain:

I was away from home last week on a family holiday. We had picked a hotel with a nice pool and good Internet access just so I could keep in touch in case of emergencies while I was there. All was well, the weather gorgeous and the family was having a great holiday.

4 days after we arrived my webhost alerted me that they’d been receiving complaints of spam emanating from my dedicated webserver. They investigated further and deleted some suspicious-looking scripts. They informed me what had been done and told me all was now OK.

Next day, the hotel lost its Internet connection. The hotel IT guy was called in and managed to fix it briefly for an afternoon, but then it went down again.

It was up just long enough for me to check the status of my server and websites. I discovered that all index.php and index.html files on all my web accounts had been replaced with files of the same name which contained (and displayed) #Q8 in the top left corner of the browser. Not only that, but I was unable to log into my server’s WHM (Web Host Manager).

I got onto support and told them what had happened. They advised me to back up all my website accounts, wipe the server clean of all data, reinstall the operating system and then restore all the accounts.

Since I was unable to login myself, I gave them a remote ftp to backup all my website accounts, plus MySQL databases and email accounts (i.e. full account backups).

By now my email-enabled cell phone was my single source of communication.

I received word later that day that all accounts had been backed up.

The site was down and I’d had no time to write informing my members. I was nervous. Even if the backup included these corrupt #Q8 files, I hoped I could still just FTP in and overwrite them after the restore. At least there was no evidence of corruption in the databases, which was a relief.

Next day I still couldn’t plug my laptop in anywhere, but hotel staff kindly let me use their stand-alone machine with a dial-up behind reception. First I posted a note on my blog in case anyone went there to learn why The Freedom List was down. Then I accessed the ticketing service with Hostgator, learned all accounts had been restored and so I logged into WHM on my webserver.

I looked through the list of restored accounts to see there were 3 unfamiliar ones with suspicious names:

antara-hacking-dan-cinta.info
kancil.cc
sekuritionline-hack.com

I also noticed that two of my accounts, most notably thefreedomlist.com and thefreedomlist.biz had not been restored. I got onto support again and asked them to restore them.

They replied saying there were no backups for these two accounts.

I was incredulous.

I had numerous frantic exchanges with Hostgator trying everything to track down the backups, checking everywhere in case they’d been placed somewhere else. They conducted a thorough investigation and sent me a report in which they said:

HOSTGATOR’S REPORT

“From what happened I think your account’s username file was missing from this directory. And maybe the hackers had destroyed your account’s file even before we attempted to back it up. The username file is missing from this directory only in 2 cases.

1. When the account is deleted.
2. When someone manually deletes it.

Cpanel cannot backup the site with this file missing. Maybe your account was the main target for this hack.”

Had The Freedom List been targeted? Heck! Why? It was incredible!

WHAT WAS LOST?

The Freedom List had grown a list of 5,000 since April; it had a forum of over 300 members posting 20 posts a day. It had an article database of over 3,000 articles, mostly contributed by members. It had a banner database of 2,500 entries used to promote members’ affiliate sites to each other.

It was turning over $2,300 a month.

All these things had taken since December to establish and now, 9 months later are no more.

What worried me the most was the members table in the Butterfly Marketing database. Gone, with a list of 5,000.

But then I remembered I had been using a third-party autoresponder, so the bulk of my list was safely on there. I could at least inform my members and keep them up to date with the site’s restoration.

But what about all the financial data? - The Freedom List works on masspay for paying its affiliates. It uses the Butterfly Marketing script to output a regular masspay file. Now there was no data for it to create this file from.

Again, thankfully, I had made a payment of a few thousand dollars to my affiliates just before I went to France. At least I was reasonably up to date with them.

AND WHAT NOW?

We came back to England on Monday 4th September, a day earlier than scheduled and since then I have been gathering together everything I need to bring the site back up.

These are the steps I have taken to secure my dedicated server:

1. I’ve installed a GRsecurity kernel which is apparently less hack-prone than the previous kernel.

2. I installed mod_security on Apache and applied some generic rules to protect against script-based hacking.

3. I checked for 777 permissions on all folders and changed them back to 655 when I found any.

4. I’ve scheduled a daily backup to a remote location of all accounts. Depending on how it goes, I might also do a backup to an additional hard disk on the server. For an extra $30 per month, it must make sense.
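As an added example (not code from this post, from Hostgator, or from the Butterfly Marketing script), here is how step 3 (the permissions check) and step 4 (the daily account backup) could be carried out together in a single POSIX shell script run from cron. All paths are assumptions: the web root holding the account directories, the local staging directory for the tarballs, and the cron line in the comment. It uses 755 for directories rather than the 655 mentioned above, because 655 also clears the owner’s own execute (traverse) bit; copying the tarballs off the server is left to a separate rsync or scp step.

```shell
#!/bin/sh
# Added example (not from the original post): audit for world-writable
# directories under a web root, repair them, and bundle each account into a
# dated tarball ready to be copied off the server. All paths are assumptions:
# $1 is the directory that holds the account directories and $2 is a local
# staging area that a separate rsync/scp step ships to another machine.

# Count directories under $1 that anyone on the box can write to (777-style).
count_world_writable() {
    find "$1" -type d -perm -o+w | wc -l | tr -d ' '
}

# List those directories so they can be reviewed before anything is changed.
list_world_writable() {
    find "$1" -type d -perm -o+w
}

# Clear the world-writable bit. This uses 755 (owner rwx, others read and
# traverse), the conventional directory mode; the post mentions 655, which
# also removes the owner's execute bit and so breaks the owner's own access.
fix_world_writable() {
    find "$1" -type d -perm -o+w -exec chmod 755 {} +
}

# Pack account directory $1 into $2/<name>-<date>.tar.gz and print the path.
backup_account() {
    acct_dir=$1
    dest=$2
    name=$(basename "$acct_dir")
    out="$dest/$name-$(date +%Y%m%d).tar.gz"
    mkdir -p "$dest"
    tar -czf "$out" -C "$(dirname "$acct_dir")" "$name" || return 1
    printf '%s\n' "$out"
}

# Full run: report and fix permissions, then back up every account directory.
# Intended to be called from a daily cron job, e.g. (hypothetical paths):
#   0 3 * * * /usr/local/sbin/webaudit.sh /home /var/backups/accounts
nightly_run() {
    webroot=$1
    backup_dir=$2
    echo "world-writable directories before fix: $(count_world_writable "$webroot")"
    list_world_writable "$webroot"
    fix_world_writable "$webroot"
    echo "world-writable directories after fix:  $(count_world_writable "$webroot")"
    for acct in "$webroot"/*/; do
        [ -d "$acct" ] || continue
        backup_account "${acct%/}" "$backup_dir"
    done
}

# Run only when executed directly with two arguments, so the functions can
# also be sourced by other scripts.
if [ $# -eq 2 ]; then
    nightly_run "$1" "$2"
fi
```

Invoke it as `webaudit.sh <webroot> <backup_dir>`; listing the offending directories before changing them matters because some applications (upload folders, caches) genuinely need group write access and should be handled individually rather than blanket-fixed.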

Anyway, it’s a few days on now. I’ve managed to put the basic website back together and I’ll add the peripheral features such as the article database, forum and banner promoter in due course, as and when time allows with my other current projects.

I’ve learned there are two ways I can think about this:

“If I’d had all this in place before I was hacked, I wouldn’t be in this position now…”

But that merely feeds my despair.

Or, I think thus:

“If this happened in a year’s time, or two years’ time, think how much more I would have lost then. Thank the good Lord I’ve been given a wake-up call to get my server secure before my business gets any bigger.”

WHAT DOES IT MEAN TO YOU?

I’m posting this partly as a cautionary reminder to anyone who is, like me, busy building their butterfly marketing sites. Don’t be too busy, like I was, to let security pass you by.

To all my members and affiliates: Thank you for bearing with me in this difficult time. As I write, I’m afraid you are still unable to log in. I am sorry not to have secured my site against this but I hope, soon to have most of your memberships back up.

I will be referring to my PayPal payment records to identify Pro and Gold members so they may continue to enjoy the benefits of their membership. However, all members will need to have a new password sent to them by the system in order to log in.

I have been shocked by this experience but it has strengthened my resolve to succeed. It’s unsettling to think that someone apparently targeted The Freedom List with this attack and that it wasn’t, as I’d originally thought, some random hacker. Are your sites safe?

Spammers and Hackers are the universal enemy of Internet Marketers. Like vandals, they’re fighting in a contest they can never win. Having left The Freedom List on autopilot while I work on my next sites, this event has set me on a crusade to make sure this business fights back from its disaster.

I will be launching a Freedom List Revival contest shortly, with prizes and recognition galore. Please keep an ear to the ground for details of how you can participate.

Thanks for hearing me. Now check your security!

Best wishes and better luck to all…

Tim Brocklehurst


Comments

2 Responses to “Hacking. A cautionary tale…”

  1. Ben Fitts on September 8th, 2006 6:33 pm

    Hi Tim,

    Sorry to hear your tale of woe.

    I can relate! At the end of August I was on holiday. I had less internet access than you. I only had internet for about 4 of the 10 days I was away.

    I returned home to find one of my web pages was defaced. A partner and a customer had notified me that one of my most popular web sites had been defaced. Not quite a hack but they trashed the site pretty good and made it unusable. Apparently this had happened several days earlier but I wasn’t around so no one noticed!

    Then yesterday my server started to generate some weird error messages and from reading them it looked like I was under attack again.

    I contacted my web host and they found a suspicious script running and stopped it. Then nothing. No more responses from my web host.

    Thankfully I have some really smart and intelligent friends who I could contact and who helped me out. It looks like they were using some flawed software running on my web site to attack the system and create their own user accounts so that they could access the server through ssh.

    I was able to remove the accounts and the offending files and thankfully they didn’t do any other damage.

    One thing I run, which you might be interested in is Rootkit Hunter. http://www.rootkit.nl

    Basically it scans your systems for rootkits and other malicious programs that might have been installed by an attacker. You can set it up to run in a nightly cronjob and email you the results.

    The other thing I did as a result was to change the ports I run SSH on. That will make it even harder for a hacker to get access to my server. You can do a google search on “change ssh port linux”. Or insert your flavor of unix there.

    Thankfully at least your web host was responsive. Instead I got an email from my web host telling me that I’ve purchased “unmannaged” hosting so they don’t feel obligated to drop everything and fix my server!!! ARGH!

    Good luck with Freedom List and your future BFM projects, and perhaps we will chat at TIMME2.

    - Ben Fitts


  2. Mick Lewis on September 20th, 2006 2:25 am

    Having read your tale Tim, and that of Ben, I can only say that it is a shame that such thugs are around but I think we can all learn about SECURITY. BACKUP people!!! Home users, small businesses, corporations, the only thing on your computer that cannot be replaced is PERSONAL DATA. Make sure you keep your backup in a different location to the computer to which it pertains; many times I have asked for a user’s backup to find it handed to me from a shelf on the same desk as the computer is located!!!

    Good luck Tim.
