
August 11, 2020

War Stories – Fighting the hijackers


On Saturday, May 2nd, my virtual friend and fellow Finn Toni sent me an email with a screenshot showing Win10.guru on his mobile device. Automatic HTTP to HTTPS redirecting had somehow been disabled. Worse, the only content visible on our home page was some strange ads in Japanese. As we pay GoDaddy, our hosting provider, for all possible security measures, and I am the only person allowed to sign in to our site’s admin panel, with a strong random password and two-factor authentication, this was both strange and bad news. Someone had injected our site with code that disabled HTTP to HTTPS redirection, so every user who entered the URL with just an HTTP prefix, or without any prefix, was redirected to pages showing ads. Notice that if you entered the URL with the HTTPS prefix, you were, and will always be, entering win10.guru securely and correctly. Just remember this, not only with our site but also with other sites: always use the secure connection, in our case https://win10.guru.

All this said, here’s the screenshot Toni sent to me:

Somehow, if a user entered our URL without the HTTPS prefix, they were redirected to these strange ad pages instead of being redirected to our secure HTTPS URL.

Then the battle began in earnest. Over the past ten days, I have done practically nothing other than work with GoDaddy support, fix and edit site settings, check Google Webmaster Tools, and run tests on a backup copy of the site (the so-called staging site). The starting situation looked serious, as the following screenshots show.

First, our site admin panel showed this:

What made this extremely strange is that the weekly report I get emailed every Monday showed that we had no malware:

OK, working together with GoDaddy support, the cleaning operation started. On Wednesday, May 6th, everything looked OK. Then, only an hour after I had finally checked all file permissions and reset some, and edited the files that take care of HTTP to HTTPS redirecting, Google Webmaster Tools gave me a new warning:

Notice that the URL shown in the warning is not an existing page on our site; we have never had a page like that. Going to check the site, I noticed that HTTP to HTTPS redirecting was again disabled:

Same results when checking the admin panel: an hour after I had deleted an all-important file (.htaccess) and rewritten it correctly, it had again been changed to one that allowed the hijackers to redirect all HTTP traffic to their ad pages. As I mentioned earlier, HTTPS users have been OK all the time.
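What happened above is detectable from the file itself: a tampered .htaccess either drops the RewriteRule that forces HTTPS or adds one that sends plain-HTTP visitors to another host, and the file's hash no longer matches the known-good copy. The following is an added example of such a check, not code from the author or from GoDaddy; it assumes Apache mod_rewrite syntax for the redirect, uses constructed sample files (the external host `ads.example.invalid` is a placeholder, not taken from the post), and would be pointed at the live .htaccess and a stored baseline hash in real use.

```python
"""Audit an Apache .htaccess for a missing HTTP->HTTPS redirect, for RewriteRules that
send traffic to a foreign host, and for any change from a known-good baseline hash."""
import hashlib
import re

SITE_HOST = "win10.guru"

# Constructed sample: the redirect file as it should look (assumed, not the site's real file).
GOOD_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://win10.guru/$1 [R=301,L]
"""

# Constructed sample of a tampered file: the HTTPS redirect is gone and plain-HTTP
# visitors are bounced to an external host. The domain is a placeholder.
TAMPERED_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ http://ads.example.invalid/$1 [R=302,L]
"""


def rewrite_rules(text):
    """Return (preceding RewriteCond lines, target) for every RewriteRule.
    Apache applies the RewriteCond lines immediately before a rule to that rule only."""
    rules, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("RewriteCond"):
            pending.append(line)
        elif line.startswith("RewriteRule"):
            parts = line.split()
            target = parts[2] if len(parts) > 2 else ""
            rules.append((tuple(pending), target))
            pending = []
    return rules


def audit_htaccess(text, site_host):
    """Return a list of findings; an empty list means the file looks as expected."""
    findings = []
    has_https_redirect = False
    for conds, target in rewrite_rules(text):
        m = re.match(r"(https?)://([^/\s]+)", target)
        if not m:
            continue  # relative targets stay on our own host
        scheme, host = m.group(1), m.group(2).lower()
        own_host = host in (site_host, "www." + site_host)
        # The expected rule: fire only when HTTPS is off, and send to our own HTTPS URL.
        https_off = any("%{HTTPS}" in c and c.split()[-1].lower() == "off" for c in conds)
        if scheme == "https" and own_host and https_off:
            has_https_redirect = True
        elif not own_host:
            findings.append(f"RewriteRule redirects to external host {host} ({target})")
    if not has_https_redirect:
        findings.append("no RewriteRule forcing HTTPS on the site's own host")
    return findings


def sha256_text(text):
    """Hash the file contents so a baseline can be stored and compared on each run."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def baseline_changed(text, known_good_hash):
    """True when the current file no longer matches the known-good hash."""
    return sha256_text(text) != known_good_hash


if __name__ == "__main__":
    baseline = sha256_text(GOOD_HTACCESS)
    for label, content in (("good", GOOD_HTACCESS), ("tampered", TAMPERED_HTACCESS)):
        print(f"{label}: changed={baseline_changed(content, baseline)} "
              f"findings={audit_htaccess(content, SITE_HOST)}")
```

Run on a schedule against the real file (read it with `open(path).read()` in place of the constructed strings) and alert on any non-empty finding or hash mismatch; an hourly re-write like the one described here then shows up at the next run rather than in a Webmaster Tools warning days later.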

My fight continues, and I might not be able to post any new content until this has finally been fixed. Fortunately, it looks like what remains will mostly be fine-tuning and securing the site even further; we are already free from malware:

One thing about GoDaddy I really must tell you geeks: we are quite a small customer for them. Yet the amount of support I have had is incredible. Long days on the phone with them, emails back and forth; I am really satisfied. They are as confused as I am: with all necessary security measures in place, this should never happen.

One excellent example of the level of support is that Sam, one of the support technicians I’ve been in contact with, even replied to my emails on his day off. That’s dedication!

Stay tuned, I will update this story when I have something more to tell you. Remember: for the most secure experience, always use our full URL with the HTTPS prefix: https://win10.guru. Please, if you haven’t already, add this secure URL to your favorites or bookmarks and be sure to use it to access our site. Thanks!

Kari

Author: Kari Finn

A former Windows Insider MVP, Kari started in computing in the mid-80s writing code for VAX/VMS systems. Since then, he’s worked in a variety of IT positions. He specializes in Windows image capture, customization, repair and deployment as well as Hyper-V virtualization. Kari is a proud Team Member at the #1 Windows site, TenForums.com.
