
July 11, 2020

Fighting the hijackers – Part Two


Just over a month ago, we noticed that Win10.guru had been partially hijacked. Those using the secure HTTPS URL had no issues accessing the site, but visitors using an HTTP prefix, or those giving no URL prefix, were redirected to a number of Russian, Chinese, Korean and Japanese websites full of ads. I wrote about it on May 11: War Stories – Fighting the hijackers.

I’m happy but exhausted to report that our site is now finally and absolutely secure. No more hijackers, no more unauthorized redirects. But, following Ed’s and my guidelines about being honest to our readers, I want to summarize the travail of the past few weeks. It’s been unbelievably awful.

The day I wrote that story, I thought our troubles were over, with only some fine tuning remaining and our site up and running normally again. Except, it wasn’t. That same evening, I signed into the domain admin panel with a valid username, strong password, customer number, PIN, and 2FA code from my Microsoft Authenticator app. Immediately, I noticed that some files, including the all-important HTACCESS file (it takes care of the automatic HTTP to HTTPS redirect), had been edited shortly after I had restored the correct ones from backup only an hour or so earlier. I could almost watch in real time as the hijackers created false redirect links and folders to override our secure and correct site settings. Here’s an example: on one evening in late May, when I had once again cleaned the site with some help from GoDaddy (our hosting provider, but not for much longer!), the hijackers had created the folders highlighted in the following screenshot within 12 hours:


At the same time, Google Webmaster Tools informed me that our site included redirect links created by hijackers.
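The pattern above (a restored .htaccess silently edited again, rogue folders appearing within hours) is exactly what a file-integrity baseline catches early. The following is an added example, not code from this post or from GoDaddy: it hashes everything under a web root, then reports modified files and newly created directories. The function names `snapshot`, `diff` and `demo` are my own, and the web root, its .htaccess rules and the simulated tampering are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every relative path under root to its SHA-256 (files) or 'dir'."""
    root = Path(root)
    snap = {}
    for path in root.rglob("*"):  # pathlib's rglob also matches dotfiles like .htaccess
        rel = path.relative_to(root).as_posix()
        snap[rel] = "dir" if path.is_dir() else hashlib.sha256(path.read_bytes()).hexdigest()
    return snap


def diff(baseline, current):
    """Return (modified, added, removed) relative paths between two snapshots."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo():
    """Constructed web root: take a clean baseline, then simulate the kind of tampering the post describes."""
    with tempfile.TemporaryDirectory() as root:
        htaccess = Path(root, ".htaccess")
        # Legitimate HTTP -> HTTPS redirect (constructed, typical Apache rules).
        htaccess.write_text(
            "RewriteEngine On\n"
            "RewriteCond %{HTTPS} off\n"
            "RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]\n"
        )
        Path(root, "index.php").write_text("<?php echo 'ok';\n")
        baseline = snapshot(root)

        # Simulated tampering (constructed): redirect rule replaced, rogue folder added.
        htaccess.write_text("RewriteEngine On\nRewriteRule ^ http://example.invalid/ [L,R=302]\n")
        Path(root, "wp-rogue").mkdir()
        Path(root, "wp-rogue", "index.php").write_text("<?php // placeholder, constructed\n")

        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
```

In practice the baseline is stored outside the web root (and ideally off the host) and the comparison runs from cron every few minutes; a change to .htaccess or a new top-level directory you did not create is the alert that matters.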

Every time I won a fight, I noticed that the war was still going on and a new fight started. At one point it went so far that I had to create a 100% secure and clean staging site (a kind of backup of the live site), and we had to create new content on that staging site, then override the live site by syncing that staging site to the live site. This helped only for a few hours each time. Soon after a cleanup, new bogus folders and redirect links would be created. At this point, I started to get really annoyed at the level of support I was getting from GoDaddy. That culminated in these Twitter direct messages I sent to them last weekend, late on Saturday night and into the early AM hours on Sunday:

Cleaning the malware helped, until the next day, when new malware was re-injected.

By the way, you see that grey checkmark next to the time stamp in those messages? It means that the message has been delivered, but the receiver has not opened / read it yet. The screenshot was taken yesterday (Monday), but checking Twitter just now, over 50 hours after I sent my messages to GoDaddy Support, they still haven’t read them. Compare that to the blue “Message read” checkmark from my message a week earlier:

Since early May, I have been spending countless hours on this firefighting. It has involved an incredible amount of email correspondence with support, at least two or three phone calls a day, each lasting at least 45 minutes. The only exception occurred on two days when I was so sick and tired that I did not contact them at all. But please: rest assured that since Monday, https://Win10.guru is as secure as possible. We have instituted a new, tighter firewall, tighter rules, and added enhanced website security. I am at the moment changing passwords on a daily basis, in addition to having always used 2FA. We will (of course!) change to a new hosting provider as soon as we can find one who can guarantee better website security and better support.

Please notice that now, as we have finally won the war, we also must admit we had some “casualties”. For reasons unknown to me, we lost all content between the 22nd and 29th of May, including all reader comments during that period. I also noticed yesterday evening, when doing final checks, that not a single subscriber email has been sent since May 22nd. We get an email about “Campaign sent”, although in fact the emails are not sent. On our side, everything is exactly as it should be. Since yesterday, I have already been on the phone about three hours with support, trying to fix this. I have disabled subscriber emails until we can be sure that emails will really be sent. Until then, please come back to Win10.guru on a regular basis to check for new content.

I want to use this opportunity to thank my Win10.guru partner Ed Tittel for holding the fort by taking care of new content, while saving the site has been my main focus. In fact it’s almost been a full-time job for the past month or so. Crazy!

Kari

P.S. This post was too long, just over 2,000 words. I got it down to 766 words simply by removing all obscenities, foul language, and swearing 😉

P.P.S. Additional screenshots, click to open enlarged in new tab:

GoDaddy Admin Panel:

Sitecheck (https://sitecheck.sucuri.net):


Author: Kari Finn

A former Windows Insider MVP, Kari started in computing in the mid-80s writing code for VAX / VMS systems. Since then, he’s worked in a variety of IT positions. He specializes in Windows image capture, customization, repair and deployment as well as Hyper-V virtualization. Kari is a proud Team Member at the #1 Windows site, TenForums.com.
