
Website Copied/hacked

  • 14-11-2013 3:23pm
    #1
    Closed Accounts Posts: 181 ✭✭


    I noticed in my google analytics when examining page views that I had pages and directories that I was not responsible for. Examination of my hosting server showed that these files did not reside there.

    After viewing one of these pages live on the web I realized how the "hacker" was doing this.


    First the page that shows up on the web is like so

    "http://www.mywebsite.com/hackersdirectory/hackerscopyofmyhomepage.html"



    They then have added an extra line at the start of the <head> section of the copied html5 code as shown below.


    <!DOCTYPE html>

    <html lang="en">

    <head>
    <base href="http://mywebsite.com/" /> *** this line added
    </head>

    The hacker then adds extra content and links within main body of the page.


    My question - How can I prevent this and is there a way of finding the name of the website that my copied page is hosted at?

    Actually, they have more than one variation of my home page.


Comments

  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    This works more often than not:

    http://www.whoishostingthis.com

    Once you've done that, go and look into a DMCA takedown notice to send to their host.


  • Closed Accounts Posts: 181 ✭✭torqtorq


    Graham

    Problem is I do not know the name of their website as the copied/hacked page shows up with my website address.


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    Have you tried googling for a piece of unique content from your site? Have you had a look through your weblogs, you might find they're hot linking images/scripts etc.

    You might find your site hasn't been copied anywhere, have you had a word with your hosting company?


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    torqtorq wrote: »
    First the page that shows up on the web is like so

    "http://www.mywebsite.com/hackersdirectory/hackerscopyofmyhomepage.html"

    Sorry if I'm slightly confused by your description, but is the folder http://www.mywebsite.com/hackersdirectory/ referred to above actually located on your hosted server, or are you somehow seeing this on a "not your hosted server/somewhere else"?


  • Closed Accounts Posts: 181 ✭✭torqtorq


    AnCatDubh wrote: »
    Sorry if I'm slightly confused by your description, but is the folder http://www.mywebsite.com/hackersdirectory/ referred to above actually located on your hosted server, or are you somehow seeing this on a "not your hosted server/somewhere else"?

    The folder /hackersdirectory/ is not hosted on my hosted server. Neither is the file hackerscopyofmyhomepage.html.

    This piece of code that the hacker has added to the head section of the copied source from my home page causes the above directory to appear to be hosted on my site.

    <base href="http://mywebsite.com/" /> *** this line added

    I am hoping that someone knows a way to "turn off" this piece of code, particularly as we are all vulnerable to this.

    By the way, to check out what is happening here, I created a directory on another site of mine, copied across the homepage of my hacked site and gave this page a new name. I then added the base redirect code from above.

    I then opened this new page on the web which now appears to come from my original site. All done in under 5 minutes manually.


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    You cannot "turn off" a piece of code if it's being hosted on someone else's web server.

    Did you check your web logs? Are there a particularly large number of referrers from a single source?


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    Not certain I am correct, but are you sure you aren't just seeing redirected traffic to your site from the other individual's crude attempts at plagiarising your site?

    The base element allows anybody to specify any target for their URI(s).

    So, a <base href="http://google.com/" /> in the head

    and a link in the body

    <a href="howya.html">Hello</a>

    will resolve to http://google.com/howya.html

    So someone clones your homepage, sticks some of their content in there, and in order to preserve links which are on your homepage, they stick in the base href element, which saves them doing a find/replace on all <a href=> tags on your homepage, and/or they have something malicious going on where some of their links, like "pay now", redirect to a full URL such as http://paypal.com/blah.html.

    For example: the following will run from anywhere (try it on your desktop) and the click will go to google (albeit 404 out as they don't have howya.html on their site ;)).
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    	"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    
    <head>
    	<title>untitled</title>
    	<meta http-equiv="content-type" content="text/html;charset=utf-8" />
    	<base href="http://google.com/" />
    </head>
    
    <body>
    	<a href="howya.html">hello</a>
    </body>
    
    </html>
    

    Thus unless i'm mistaken, what you see in your analytics is proper activity ie. someone on their site has clicked a link which has resolved to your site notching up a click hit. Those that have clicked on it may not be aware of the distinction, or what nasty stuff might be happening (if there is ill intent) on the home page that has been cloned.

    but, with all of the above their homepage must be hosted somewhere else so you should have inbound traffic in your web logs which would give you the source of the fake site.

    Where in your analytics report are you seeing the suspicious traffic?

    I'm a little confused that google would stuff anything into your analytics logs other than what genuinely is coming from your site. ie. I shouldn't be able to copy/paste your google analytics code into my website and then send you all whatever traffic in your logs. Google have strict ownership proofs required prior to sending traffic into your analytics dashboard.

    That'd be my understanding but apologies in advance if i've misunderstood the actual problem.

    Otherwise, to answer your question: if it is hosted somewhere else you won't be able to turn anything off. You'll need to figure out where it's hosted (inbound traffic from web logs should tell you), and contact their abuse email/phone and request a take down. If it's worth it to them, the *hacker* then moves on to another host and it starts all over again. You could program your website to disallow traffic from other specified domains. If on Apache, for example, you could "Deny from www.hackersdomain.com" - but again, you need to get to the source of where the inbound traffic is coming from.
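
The mechanism AnCatDubh describes, as an added Python illustration (not code from the thread): it parses a constructed clone of a home page, honours its `<base href>` exactly as a browser would, and reports which hosts the page's links actually resolve to, i.e. whose web logs the clicks will land in. The host names are constructed samples.

```python
# Added example: resolve the links of a cloned page under its <base href>
# to see which hosts receive the clicks (and therefore log the traffic).
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a cloned home page with the attacker's <base> line added.
CLONED_PAGE = """<!DOCTYPE html>
<html lang="en"><head>
<base href="http://mywebsite.com/" />
</head><body>
<a href="about.html">About</a>
<a href="/contact.html">Contact</a>
<a href="http://other.example/pay.html">Pay now</a>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collects the first <base href> (only the first counts) and every <a href>."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and self.base is None and a.get("href"):
            self.base = a["href"]
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def resolve_links(html, page_url):
    """Return (base_href, [(raw_href, resolved_url), ...]) for the page.

    page_url is where the document was really fetched from; without a <base>
    element, relative links resolve against it, as in a browser.
    """
    p = LinkCollector()
    p.feed(html)
    base = urljoin(page_url, p.base) if p.base else page_url
    return p.base, [(h, urljoin(base, h)) for h in p.links]


def hosts_hit(html, page_url):
    """Hostnames that receive clicks from this page (what shows up in web logs)."""
    _, resolved = resolve_links(html, page_url)
    return sorted({urlsplit(u).hostname for _, u in resolved})
```

Run against a page fetched from the clone's real location, hosts_hit shows that every relative link sends the visitor to the original site, which is why the clicks appear in its analytics while the copy lives elsewhere.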


  • Registered Users, Registered Users 2 Posts: 2,426 ✭✭✭ressem


    It might be worth checking for a modified .htaccess file on the root directory of your webhost in case it has been modified to redirect /hackersdirectory on your space to a third party site.
    If it mentions hackersdirectory it's a giveaway, and you'll need to clean up the site in case of other hacks and backdoors, compromised passwords.


    Most modern browsers (IE, Chrome, Firefox with Web Developer) will have a console that you can bring up by pressing F12.

    Bring up this subpanel.
    Select the network tab. Browse to the hackers space, Press Ctrl-F6 to reload everything on the page.
    The network tab on this panel will allow you to see from where each image and file has been downloaded.


  • Closed Accounts Posts: 181 ✭✭torqtorq


    Examined my .htaccess file and found these three lines at the bottom of the file.

    RewriteEngine on
    RewriteRule ^is_working/$ ./new/superfish-1.4.8_menu/js/zilver.php?check_script=1
    RewriteRule ^(snic)(.*)/(.*)\.html$ ./new/superfish-1.4.8_menu/js/zilver.php?name=$3&word=$2&indx=$1 [L]

    I vaguely recall a web developer asking me to add this code a few years ago. He was doing a new design layout for my site which I never adopted. He did not have access to my site. The /new/superfish-1.4.8_menu directory also exists so I assume I added these under his instructions.

    What intrigues me is that on the third line the word "snic" is always the first 4 letters of the hacker's directory. Could anyone enlighten me what's going on?


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    If you're not using super fish, remove the directory and the rewrite rules (keep a local copy if you're really paranoid).

    Once that's done, I'd imagine your 'hacker' will vanish.


  • Registered Users, Registered Users 2 Posts: 1,082 ✭✭✭Feathers


    torqtorq wrote: »
    Examined my .htaccess file and found these three lines at the bottom of the file.

    RewriteEngine on
    RewriteRule ^is_working/$ ./new/superfish-1.4.8_menu/js/zilver.php?check_script=1
    RewriteRule ^(snic)(.*)/(.*)\.html$ ./new/superfish-1.4.8_menu/js/zilver.php?name=$3&word=$2&indx=$1 [L]

    I vaguely recall a web developer asking me to add this code a few years ago. He was doing a new design layout for my site which I never adopted. He did not have access to my site. The /new/superfish-1.4.8_menu directory also exists so I assume I added these under his instructions.

    What intrigues me is that on the third line the word "snic" is always the first 4 letters of the hacker's directory. Could anyone enlighten me what's going on?

    It's rewriting what looks like a static URL starting in "snic" & passing what comes after to a PHP script as parameters. It's possible that if someone knows that is happening, they're trying to exploit the script for weaknesses. As said above, if you're not using it, remove it. Especially if you don't know what it does.

    Also, make sure your .htaccess file isn't publicly accessible.
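
An added Python illustration (not the poster's or Feathers' own code) that replays the two RewriteRule lines quoted above against constructed request paths, so it is clear which requests they capture and exactly what zilver.php would receive; the audit helper at the end flags any RewriteRule that feeds captured URL text into a PHP script, which is the pattern worth looking for in a .htaccess review.

```python
# Added example: simulate the quoted mod_rewrite rules and audit a .htaccess.
import re
from urllib.parse import parse_qs, urlsplit

# The rules as quoted in the thread (pattern, substitution). In a per-directory
# .htaccess, mod_rewrite matches the request path with its leading "/" removed.
RULES = [
    (r"^is_working/$", "./new/superfish-1.4.8_menu/js/zilver.php?check_script=1"),
    (r"^(snic)(.*)/(.*)\.html$",
     "./new/superfish-1.4.8_menu/js/zilver.php?name=$3&word=$2&indx=$1"),
]


def apply_rules(request_path, rules=RULES):
    """Return the rewritten target for request_path, or None if no rule matches."""
    path = request_path.lstrip("/")
    for pattern, target in rules:
        m = re.match(pattern, path)
        if m:
            # Expand $1..$9 back-references with the captured groups.
            return re.sub(r"\$(\d)", lambda b: m.group(int(b.group(1))), target)
    return None


def script_params(request_path):
    """(script path, query parameters) a request would actually reach, or None."""
    target = apply_rules(request_path)
    if target is None:
        return None
    parts = urlsplit(target)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}


# Constructed .htaccess text, containing the quoted lines plus a harmless rule.
HTACCESS = """RewriteEngine on
RewriteRule ^old-page\\.html$ /new-page.html [R=301,L]
RewriteRule ^is_working/$ ./new/superfish-1.4.8_menu/js/zilver.php?check_script=1
RewriteRule ^(snic)(.*)/(.*)\\.html$ ./new/superfish-1.4.8_menu/js/zilver.php?name=$3&word=$2&indx=$1 [L]
"""


def audit_htaccess(text):
    """RewriteRule lines whose target is a PHP script fed with captured ($n) input."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "RewriteRule":
            if ".php" in parts[2] and re.search(r"\$\d", parts[2]):
                findings.append(line.strip())
    return findings
```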


  • Closed Accounts Posts: 181 ✭✭torqtorq


    Okay.

    Just before I deleted the 3 lines of code in .htaccess, I created a new zilver.php file that just echoes a comment.

    Typed one of the original hacker addresses into the browser and the message is fired. Typed in a totally fabricated web page, making sure that the directory started with "snic". The message again was fired.

    Have now removed the 3 lines of code from the .htaccess file. For good measure I have totally deleted the directory that the zilver.php file resided in.

    If I now type in one of the apparent hacker webpages I just get a 404 error page.

    One question on .htaccess file access permissions. I am using webshell4 to gain access to my site and I noticed that all nine permissions are ticked, i.e. all 3 read, all 3 write and all 3 other. This sounds like a lot of access!

