Oh the angst, the shame & outrage expressed when a website hosted by the web host I use (Ashnet, via Cloudmaster) was referred to me late on Monday night this week. Why the anguish? Have you ever encountered one of these?
No big drama when simply encountered whilst surfing the web, just move on. However, when your phone rings & it’s the Internet calling to tell you that the Googles have put a bright red fuck-off page in front of your company e-commerce site, the drama level escalates substantially.
Now because I am a gentleman, I have chosen – at this point – to withhold the actual site name/url. Purely to save the owner from further public embarrassment.
This particular site, because it’s hosted by Ashnet, comes across my periphery occasionally. Without inspecting it closely, I’d been somewhat derogatory with my opinion – stating that I wasn’t too sure whether the coder was in first year of high school or the last of intermediate. Three words described it – ug, er, lee. Amongst a litany of errors, the basic HTML coding was obviously amateur –
Yes, the site was built by the monkeys in the back room at Ashnet, & they don’t know how to encode a simple link. A link to themselves, I might add. The Social Networking links there – none of them exist. They were coded to /# links. There was more, much more. More about the Social Network block later… & anyway, my job was to find & exterminate alien invaders, not repair kiddy code.
Now angst, embarrassment & concern this businessman may have had. Financial commitment to solving the crisis he did not. Initially I was offered $150 if I could fix the problem overnight. I know! It took him a full 24 hours to accept that for $150 (local currency too, $NZ, not $US) I’d take a look at it. I said I might (probably would) find the offending code placement & remove it but would not, for such a miserly fee, be attending to the vulnerability that enabled the injection. So removed it may be, coming back again it almost certainly would be. That bit went straight over his head – I think mainly because it defined the requirement for substantially more funding to solve his problem. (I suspect the real problem is a lack of comprehension of the power of the Internet as a business tool. This man views his site a necessary evil, from my observation.)
Google is all keen to help web surfers stay away from errant websites, but they’re decidedly reticent in telling site owners what the actual problem is. You’ll get an oblique, general statement that’s about as helpful as an umbrella in a hurricane. Here’s a mobile summary example:
Information-rich, detailed summary of the infection, how to find & remove it & steps to patch the vulnerability. Not. Thanks Goggle.
For the magnificent $150 initial investment, I decided that a manual code inspection would offer the best chance of identifying the offending code. Here’s part of what I found written into the header:
Which, if you know how to decode HTML, is a web address that had no business being there – ownsafety.o**/opp.php – I didn’t know what was on that page, the site is also Google blocked. So I Googled the address – sure enough, that’s a catcher page for the login details & credit card information of the blissfully unaware website shoppers on the no doubt multitude of sites infected by the same code.
So, as per my brief, I deleted that data-stealing code. That action though, you could compare to mopping the floor after heavy rain has poured in through a leaky roof. Sure, your floor’s dry now, but it’s going to rain again soon… But this guy is heavily budget-restricted & my time was up. I told him what I’d found, & also that I doubted it was the only problem, as Goggle was bitching about a malware injection, not data-harvesting.
The owner’s bleating changed tack, as I’d charged him $150 & his site was still blocked!! Oh noes! WTF do you expect? Don’t answer that, you’re not getting it anyway. The next conversation informed him of Stage 2, requiring a budget of $500, where I’d identify & remove all alien code from his website but still not correct the vulnerabilities that allowed the code to be planted in the first place. I also gently informed him of propagation, the time it takes for the alert warning removal to spread through the DNS network & caching servers across the web.
“How much! $500! But!!” “Listen, if you bought a cheap car & never serviced it, eventually something’s gonna go wrong with it which will cost you to repair. The longer you drive the car without repairing it, the more expensive the repair will be.” I left him for another 24 hour sweat session, knowing he absolutely needed my help & wasn’t going to find a better quote from a capable provider. Eventually, when he realised that I had no social compunction driving me to repair his mess for free, I got approval for $500.
Now the Goggles, they may be niggardly with infection information, but Goggles are not the whole internet. Thankfully are online utilities that can scan existing web properties for malware & other problems. My choice, the scanner at PCRisk.com does it fast & free, & drops an easy to read report on your screen.
Clicking Detailed report responds with a – again free, thank you PCRisk, 4-tab report that provides enough quality information to not quite pinpoint but certainly target your infection.
There it is, amongst the benign (& invalid) iFrame links, the cause of our Malware injection. S7.addthis.com – again, let the Googles be thy friend – the info is all there. Yup, S7.addthis.com is a known malware delivery point. Now, where is that code hidden?
It took longer than it should have to find the placement. I looked in .js files, in .css files & other such slightly obscure locations. Not that I needed to, for it had been quite deliberately written into the page itself by the Ashnet code monkeys, wrapping those useless Social Network links. Anybody interested to view the Twittering of this company would have gotten some free software too! Without actually being aware of it.
Cleaning was a breeze. Delete delete delete, then execute a SQL command removing any database reference to the string – which resulted in almost 2500 removals. A quick recheck verified that the infection was cleared – this time double-checked, courtesy of Attracta, the search engine optimisation company.
“But it’s still blocked!” “FFS, do you think I’m shitting you? Just wait for propagation, fuck ya.” My patience runs thin quickly when dealing with misers.
The real deal confirmation arrived by email
That email, readers, is Google surrendering. The fight is over, they’re saying. It’s not over, in all likelihood. There’s zero motivation from the site owner to patch his vulnerable code, he thinks he’ll just ride his luck. I wouldn’t bet on longevity being a feature of his website.
If you have security concerns over your website or any digital property, hit me up. As you can see above, the process is quick, efficient & cost-efficient. As always, when dealing with the intangible nature of software, it’s better to be safe than sorry.
PS: I am NOT the webmaster of the errant website. The addressing is Google’s assumption.