Georgia Rivers Network Hack Cleanup Success

April Ingle had the following to say about SRI…

“We struggled for too long trying to figure out how to fix this problem. While searching yet again for a solution I stumbled upon SRI’s blog post. At that moment it was clear that rather than trying to fix this ourselves we needed to just call SRI and ask them if they could fix it and for how much. We were ecstatic with the price, speed, and expertise in which SRI was able to fix our problem. If anyone else ever finds themselves in this unfortunate predicament – call SRI – they’ll fix you up fast and for a really good price.”

Thank you,
April Ingle

We received a call from April Ingle, Executive Director of the Georgia River Network (GARivers), early on a Thursday afternoon. She simply said that the Georgia River Network site had been hacked months earlier and they needed help.

The SRI team took some time to look at the GARivers website and found what is known as a Conditional Hack or Pharma Hack, or, as Google calls it, a Cloaking Hack. The hack does two things really well: it stays hidden, and it does whatever the hacker tells it to do. I know that sounds vague, but it just means the hacker has options.

The hack on the GARivers site produced three main problems. It “diverted” the GARivers search traffic to an online pharmacy that was representing itself as if it were at garivers.org. Google then saw the site as hacked and produced a “warning” for potential visitors. The search results for the GARivers site also displayed advertisements for the online pharmacy’s products. All of this was happening while the site appeared intact and unaltered to anyone going directly to “garivers.org”.

The hacker, on the other hand, was trying to produce back-links and traffic to the site of their choice. The content being placed into the search results wasn’t “static”; it was produced by a PHP script that collected and delivered information from two different URLs. We did go to each of those links, and they displayed a simple message, “This account has been suspended.” As we dug deeper, this turned out to be just a ruse to stay hidden. The hackers hid well, but upon adding “door.php” to the URLs we found a blank page that had more than one purpose: it delivered the desired search content to Google, it collected visitor data, and it redirected visitors to any website the hacker might choose.
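The defining trait of a conditional hack is that the server answers differently depending on who is asking, so the owner who checks the site in a browser sees nothing wrong. The quickest check is to request the same page under several visitor profiles and compare the answers. The script below is an added example, not code from the original post or from SRI: it defines the profiles (crawler, visitor arriving from a search results page, direct visitor), injects a fetch function so it can be exercised offline against a constructed cloaked server, and flags a page when one profile receives content the direct visitor never sees. The header strings, the pharma term list and the `pharmacy.example` redirect target are assumptions; only `garivers.org` comes from the post.

```python
"""Detect conditional ("cloaking") content by requesting the same URL under
several visitor profiles and comparing what comes back.

Added example, not code from the original post or from SRI.  The fetch function
is injected so the detector can be exercised offline against a constructed
cloaked site; swap in a real HTTP client (urllib, requests) to test a live site.
"""
import difflib
import re
from typing import Callable, Dict, List

# Visitor profiles a conditional hack typically distinguishes: a search-engine
# crawler, a visitor arriving from a search results page, and a direct visitor.
# (Constructed header values; real crawler strings vary by engine and version.)
PROFILES: Dict[str, Dict[str, str]] = {
    "googlebot": {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
        "Referer": "",
    },
    "search_visitor": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0",
        "Referer": "https://www.google.com/search?q=garivers",
    },
    "direct_visitor": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/115.0",
        "Referer": "",
    },
}

# Terms that should never appear on a river-conservation site; their presence
# in one profile's response but not another's is the pharma-hack signature.
SUSPICIOUS_TERMS = ("viagra", "cialis", "pharmacy", "prescription")

FetchFn = Callable[[str, Dict[str, str]], str]


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of how alike two response bodies are."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def suspicious_terms(body: str) -> List[str]:
    """Whole-word matches of the suspicious terms, in list order."""
    lowered = body.lower()
    return [t for t in SUSPICIOUS_TERMS if re.search(r"\b" + t + r"\b", lowered)]


def detect_cloaking(fetch: FetchFn, url: str, threshold: float = 0.8) -> Dict[str, object]:
    """Fetch `url` under every profile and report the differences.

    The direct visitor is the baseline, because that is the view the site
    owner normally checks.  The page is reported as cloaked when any profile
    gets a body less similar than `threshold` to the baseline, or when a
    profile receives suspicious terms the direct visitor does not.
    """
    bodies = {name: fetch(url, headers) for name, headers in PROFILES.items()}
    baseline = bodies["direct_visitor"]
    terms = {name: suspicious_terms(body) for name, body in bodies.items()}
    sims = {name: similarity(baseline, body) for name, body in bodies.items()}
    injected = any(terms[name] and not terms["direct_visitor"] for name in bodies)
    cloaked = min(sims.values()) < threshold or injected
    return {"terms": terms, "similarity": sims, "cloaked": cloaked}


# --- Constructed stand-ins for a clean and a cloaked server (not real sites) ---
CLEAN_PAGE = "<html><body><h1>Georgia River Network</h1><p>Protecting rivers.</p></body></html>"
PHARMA_PAGE = "<html><body><h1>Cheap online pharmacy</h1><p>Buy viagra, cialis without prescription.</p></body></html>"


def clean_fetch(url: str, headers: Dict[str, str]) -> str:
    """A healthy site: everyone gets the same page."""
    return CLEAN_PAGE


def cloaked_fetch(url: str, headers: Dict[str, str]) -> str:
    """Mimics the behaviour described in the post: the crawler gets pharma
    content, search visitors are redirected, direct visitors see the real page."""
    if "Googlebot" in headers.get("User-Agent", ""):
        return PHARMA_PAGE
    if "google.com/search" in headers.get("Referer", ""):
        return '<html><head><meta http-equiv="refresh" content="0;url=http://pharmacy.example/"></head></html>'
    return CLEAN_PAGE


if __name__ == "__main__":
    for label, fn in (("clean", clean_fetch), ("cloaked", cloaked_fetch)):
        print(label, detect_cloaking(fn, "https://garivers.org/"))
```

Against a live site, replace `clean_fetch` with a function that performs the HTTP request with the given headers and returns the body; because the decision is per profile, the report also tells you which visitor class the script is targeting, which is useful when explaining the problem to a site owner who "can't see anything wrong".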

We also found a second back door left behind that was much more serious, much better hidden and much more complex. While the first script produced unwanted content and diverted traffic, the second actually gave the hackers full access to the server and bypassed some of the server’s built-in security features. Once this tool is loaded onto a server, any individual anywhere in the world could use it to access, change, delete or steal any piece of information on the server.

The first thing the script does is notify the hacker of any security software that may be installed on the server. It was designed to stay hidden: all logging is turned off, and any script the tool runs is encoded in one of 15 different ways. It has a built-in SSH console, a MySQL and PostgreSQL database browser, a PHP script tool, safe-mode bypass tools, and a brute-force tool for FTP, MySQL and PostgreSQL. Needless to say, this is a complex piece of “software” that does a lot for its user, but it is the last thing you want on your server.
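The traits the post lists for this second back door (runtime-decoded code, logging switched off, direct shell and database access) are also what makes it findable in a file scan. The script below is an added example, not code from the original post or from SRI: it scores every PHP file under a Joomla root against a set of weighted indicators and reports files that accumulate enough of them. The indicator list, the weights, the threshold and the two sample files are assumptions; the suspicious sample carries a placeholder string where a real tool would carry its encoded payload, so it does nothing if executed.

```python
"""Score PHP files for the traits the post attributes to the second backdoor:
obfuscated code that is decoded and executed at runtime, logging and error
output switched off, and functions that hand shell or database access to
whoever requests the file.

Added example, not code from the original post or from SRI.  The sample files
below are constructed; the payload string is a placeholder, not a real shell.
"""
import re
from pathlib import Path
from typing import Dict, List, Tuple

# (pattern, weight, description).  None of these is proof on its own: Joomla
# core and extensions legitimately use some of them, which is why a score over
# several indicators, not a single match, drives the verdict.
INDICATORS: List[Tuple[str, int, str]] = [
    (r"\beval\s*\(", 3, "eval of runtime-built code"),
    (r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", 2, "decoder for encoded payload"),
    (r"\b(shell_exec|passthru|proc_open|popen|system|exec)\s*\(", 3, "OS command execution"),
    (r"@?\s*error_reporting\s*\(\s*0\s*\)", 1, "error reporting disabled"),
    (r"ini_set\s*\(\s*['\"](log_errors|display_errors)['\"]\s*,\s*['\"]?0", 2, "logging/display of errors disabled"),
    (r"set_time_limit\s*\(\s*0\s*\)", 1, "script time limit removed"),
    (r"\b(mysql_connect|mysqli_connect|pg_connect)\s*\(", 1, "direct database connection"),
    (r"['\"][A-Za-z0-9+/=]{200,}['\"]", 2, "long base64-looking string literal"),
]

COMPILED = [(re.compile(p, re.IGNORECASE), w, d) for p, w, d in INDICATORS]


def score_source(source: str) -> Tuple[int, List[str]]:
    """Return (score, matched descriptions) for one PHP source text."""
    score, hits = 0, []
    for rx, weight, desc in COMPILED:
        if rx.search(source):
            score += weight
            hits.append(desc)
    return score, hits


def scan_tree(root: Path, threshold: int = 5) -> Dict[str, Dict[str, object]]:
    """Walk `root` and report every .php file whose score reaches `threshold`."""
    findings: Dict[str, Dict[str, object]] = {}
    for path in root.rglob("*.php"):
        try:
            src = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        score, hits = score_source(src)
        if score >= threshold:
            findings[str(path.relative_to(root))] = {"score": score, "hits": hits}
    return findings


# --- Constructed samples (not real files from the GARivers server) ---
BENIGN_PHP = """<?php
defined('_JEXEC') or die;
$app = JFactory::getApplication();
echo htmlspecialchars($app->get('sitename'));
"""

SUSPICIOUS_PHP = """<?php
@error_reporting(0);
@ini_set('log_errors', 0);
@ini_set('display_errors', 0);
@set_time_limit(0);
$p = 'PLACEHOLDER_PAYLOAD_NOT_A_REAL_SHELL';
eval(gzinflate(base64_decode($p)));
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_PHP), ("suspicious", SUSPICIOUS_PHP)):
        print(name, score_source(src))
    # On a real host: print(scan_tree(Path("/var/www/html")))
```

A scan like this is a triage tool, not a verdict: compare anything it flags against a clean copy of the same Joomla version and extension set, and treat any file that has no counterpart there as the place to start. Pair it with a file-integrity baseline taken after the rebuild so a returning back door shows up as a changed or new file rather than waiting to be noticed by its side effects.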

After cleaning, rebuilding and making the site live over the weekend, we still had some work to do. Fixing the Google search results was first on our list. So first thing Monday morning we set up an account for the Georgia River Network on Google Webmaster Tools and submitted a new sitemap so Google could begin crawling the site again. We also sped up the Google crawl rate to help the site reindex a little faster. Within 24 hours Google began crawling the site again, and we started to see a dramatic drop in the amount of pharmacy search traffic GARivers was getting. We will continue to monitor user access to the GARivers site on a daily basis, just to ensure that the Georgia River Network website is always available to the people of Georgia.
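Daily monitoring after a cleanup is mostly a matter of reading the access log for the two symptoms the post describes: visitors still arriving on pharmacy search queries, and requests for PHP files that are not part of the site. The script below is an added example, not code from the original post or from SRI: it parses combined-format log lines, flags both symptoms, and tallies them so a day's review is one summary rather than a scroll through the raw log. The log lines, the `KNOWN_PHP` allowlist, the search-engine and pharma term lists and the `/images/door.php` path are all constructed for the example.

```python
"""Daily access-log review for the symptoms the post describes: search visitors
arriving on pharmacy queries, and requests for PHP files that are not part of
the site's known entry points.

Added example, not code from the original post or from SRI.  Log lines and the
allowlist are constructed; a real deployment would feed the previous day's
access.log and the site's actual Joomla entry points.
"""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" log format.
LOG_RX = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

PHARMA_TERMS = ("viagra", "cialis", "pharmacy", "prescription")
SEARCH_ENGINES = ("google.", "bing.", "yahoo.")

# Joomla entry points a clean site is expected to serve directly (constructed
# allowlist; tune to the real install).
KNOWN_PHP = {"/index.php", "/administrator/index.php"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """One combined-format line to a field dict, or None if it does not parse."""
    m = LOG_RX.match(line)
    return m.groupdict() if m else None


def search_query(referer: str) -> str:
    """Return the lower-cased search query if `referer` is a results page."""
    u = urlparse(referer)
    if not any(se in u.netloc for se in SEARCH_ENGINES):
        return ""
    q = parse_qs(u.query)
    return (q.get("q") or q.get("p") or [""])[0].lower()


def classify(entry: Dict[str, str]) -> List[str]:
    """Flags for one request; an empty list means nothing of interest."""
    flags = []
    query = search_query(entry["referer"])
    if any(t in query for t in PHARMA_TERMS):
        flags.append("pharma-search-referral")
    path = entry["path"].split("?", 1)[0]
    unexpected_php = path.endswith(".php") and path not in KNOWN_PHP
    if unexpected_php:
        flags.append("unexpected-php-request")
    if unexpected_php and "Googlebot" in entry["ua"]:
        # A crawler fetching an unknown script is how cloaked content gets indexed.
        flags.append("crawler-on-unexpected-php")
    return flags


def review(lines: List[str]) -> Dict[str, object]:
    """Tally flags across a day's log and list the offending requests."""
    counts: Counter = Counter()
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue  # malformed line: skip, do not abort the review
        flags = classify(entry)
        if flags:
            counts.update(flags)
            flagged.append((entry["ip"], entry["path"], flags))
    return {"counts": dict(counts), "flagged": flagged}


# Constructed sample log lines (not from the GARivers server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2012:08:01:12 -0500] "GET /index.php HTTP/1.1" 200 5120 "https://www.google.com/search?q=georgia+river+network" "Mozilla/5.0 Firefox/10.0"',
    '198.51.100.7 - - [10/Mar/2012:08:02:40 -0500] "GET /index.php?option=com_content HTTP/1.1" 200 4096 "https://www.google.com/search?q=buy+viagra+online" "Mozilla/5.0 Firefox/10.0"',
    '66.249.0.1 - - [10/Mar/2012:08:03:01 -0500] "GET /images/door.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.9 - - [10/Mar/2012:08:04:15 -0500] "GET /administrator/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 Firefox/10.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

The pharma-referral count is the number to watch after a cleanup: it should fall day by day as Google re-crawls, exactly the drop the post describes, and a rise again is the earliest sign that the conditional content is back. Any hit at all in the unexpected-PHP bucket deserves a look the same day.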

We are glad that April called and gave us the opportunity to help her and the Georgia River Network solve their problem in a matter of days. Less than a week after we started working with GARivers, the hacked site is clean and Google no longer displays any warning messages. The pharmacy ads have been removed from the search results, and best of all, site visitors are getting to the GARivers site, not an online pharmacy.

Thank you April,
From the SRI Team
We are glad you gave us the opportunity to help!!

This entry was posted in Joomla.