• Why would a hacker bother to do this?


    • This topic has 14 replies, 6 voices, and was last updated 13 years ago.
    #482343

    Over the past couple of years (most recently this morning, after a long break following a change of password) some gang of hackers has been getting into one or two of the pages on my site and making some tiny changes – a little non-ascii character (most recently an Arabic letter, previously an unidentifiable character) appears at the top (before the html code starts) and a link to some commercial company (a different one each time) appears later on in the html code but does not actually appear on the page in the browser (you only see it in code view). In the most recent case I contacted the company to which the inserted link refers and asked them to investigate, but I doubt if they will succeed. (I tried to contact earlier ones, but got no reply)

    The only reason that I picked up the change so quickly on this occasion is that I registered the pages with changedetection.com after the previous set of hack-changes.

    It was a simple matter to reupload the page(s) in question and thus wipe out the “work” of the hacker. It is also a relatively simple matter to change the password yet again.

    However, I just wonder why would someone go to the trouble of cracking a strong password (and it is strong) to get into my online folders in order to make such an insignificant and apparently pointless change to my site?
    Has anyone else here experienced this?

    Also: Is it possible for a hacker to do this sort of thing without knowing the password?

    I’d like some insights into this puzzle.

    (BTW I did ask my website space providers and they suggested I use sitelock.com, but sitelock does not protect from, or even warn of, such hackings – I know because I tried their system and they had to admit, after some time, that it wasn’t meant for that kind of thing, being more a scan for vulnerabilities, and they found no vulnerabilities!)

    • #1326164

      I would try using a more complex password…
      Most people use passwords that are familiar to them and easy to remember, which are easy to hack.

      Also, the security on your host may be at fault too.

      • #1326166

        Hi Banyarola
        As I say the password that I use is “strong” with caps, lowercase, numbers and other characters – I don’t even remember it myself, I let roboform do that 🙂
        (I have lots of passwords and don’t need to remember any of them!)
        Security on the part of the host is a possibility I suppose, but it hosts lots of important commercial sites, so I have to assume that such companies would have complained to them before now if it’s their laxness at fault.
        But the question remains, why would a hacker even bother to do this? What does he stand to gain?
        Kind regards
        David

    • #1326195

      Well Dave, hackers just like to cause havoc…

      Have a talk with your host and tell them and see what they say.

      I suspect that it may not be hacking and maybe something your host is doing for some reason..

      I have had a website up for years and never had any problems. At least none that I am aware of.

      I’m just guessing about your problem and maybe there are others here that can give you a better answer.

    • #1326196

      Try this site to monitor pages http://watchthatpage.com/

    • #1326197

      Thanks. I’ll be offline for a while, but I’ll come back to this later next week.

    • #1326207

      Hi dwsolo,

      being a system admin/programmer/web designer myself I would like to share my opinion:

      Depending on the security of the environment that hosts your website, it is usually possible to use a known vulnerability.
      CMSs are very complicated, and if not patched immediately after a bug is found, vulnerabilities exist.
      Most commercial companies are not keen on patching, as the result needs to be tested in a Quality Assurance environment (and this takes time).
      For Joomla for instance, I regularly receive security updates.
      It all depends on the state-of-the-art level of the entire hosting environment, including the frontend where you install the (shared) server’s components.

      As for your question on why:
      I can imagine that people seek out legit pages that can be modified, and check that the changes remain undetected for some time.
      Later, a trojan or botnet could then retrieve the page source, find the hidden reference, and therefore have a trail to a Command and Control (C&C) server.
      You could check for instance, if the webpages that are referred to have not been altered too in a similar manner.
      The changes before the html tags can be used as markers, to indicate that the page has been altered.

      All this could be used to make detection of the C&C server much more difficult.

      Kind regards,

      Eelco
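The two symptoms described in this thread, a stray non-ASCII character before the markup and a link that is present in the source but not visible in the browser, are both easy to check for mechanically. The script below is an added example, not code from this thread or from any of the tools mentioned in it: it reads a saved page as bytes, reports anything that precedes the first `<` (a UTF-8 BOM is tolerated), and lists links to hosts outside an allow-list that either sit inside an element hidden by inline style or the `hidden` attribute, or carry no anchor text at all. The sample page, the allowed host `www.example.com` and the injected hosts `example.net` and `example.org` are constructed for the demonstration.

```python
"""Audit a saved HTML page for injected prefix bytes and hidden outbound links.
Added example for the thread above; the sample page below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to keep spam links out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0|"
    r"(?:left|top)\s*:\s*-\d{3,}px", re.I)
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


def leading_junk(raw):
    """Bytes before the first '<', ignoring a UTF-8 BOM and whitespace.
    A clean page returns b''."""
    body = raw[3:] if raw.startswith(b"\xef\xbb\xbf") else raw
    idx = body.find(b"<")
    return (body[:idx] if idx >= 0 else body).strip()


class HiddenLinkFinder(HTMLParser):
    """Collects (href, hidden, anchor_text) for every <a href>, tracking whether
    any open ancestor is hidden by inline style or the hidden attribute."""

    def __init__(self):
        super().__init__()
        self._stack = []      # (tag, hidden) for each open element
        self._current = None  # [href, hidden, text] while inside an <a>
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag not in VOID_TAGS:
            self._stack.append((tag, hidden))
        if tag == "a" and a.get("href"):
            in_hidden = hidden or any(h for _, h in self._stack)
            self._current = [a["href"], in_hidden, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[2] += data

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed elements.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break
        if tag == "a" and self._current is not None:
            href, hidden, text = self._current
            self.links.append((href, hidden, text.strip()))
            self._current = None


def audit_page(raw, allowed_hosts):
    """Return prefix junk plus links to external hosts a visitor would not see."""
    finder = HiddenLinkFinder()
    finder.feed(raw.decode("utf-8", errors="replace"))
    finder.close()
    suspicious = []
    for href, hidden, text in finder.links:
        host = urlparse(href).netloc.lower()
        if host and host not in allowed_hosts and (hidden or not text):
            suspicious.append({"href": href, "hidden": hidden, "text": text})
    return {"leading_junk": leading_junk(raw), "suspicious_links": suspicious}


# Constructed sample: Arabic letter before the doctype, one hidden spam link,
# one link with no anchor text, and one legitimate internal link.
SAMPLE_PAGE = (
    "\u0628\n<!DOCTYPE html>\n<html><head><title>Example Shop</title></head>\n"
    "<body><p>We are a family owned and operated business.</p>\n"
    '<a href="/about.html">About us</a>\n'
    '<div style="display:none"><a href="http://example.net/offer">cheap goods</a></div>\n'
    '<a href="http://example.org/x"></a>\n'
    "</body></html>\n"
).encode("utf-8")

if __name__ == "__main__":
    result = audit_page(SAMPLE_PAGE, {"www.example.com"})
    print("bytes before markup:", result["leading_junk"])
    for link in result["suspicious_links"]:
        print("suspicious link:", link)
```

Run it against a copy fetched with `curl` or from your FTP client rather than against the editor's copy; a vulnerability scanner like the one mentioned above looks for exploitable software, not for content that has already been changed, which is why it reported nothing.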

    • #1326216

      Thanks Eelco. Sounds possible. I’ll keep a watch. Presumably by clearing the unwanted links I have at least temporarily stymied the botnet. If it happens again, I’ll quote your ideas to my host and ask whether they can do something. It has to be said however, that the security scan made by sitelock did not reveal a vulnerability at the time of previous similar attacks, so I assume that your scanning company is more thorough or else that there was no vulnerability….
      PS I have meanwhile spoken with the company whose website address was inserted into my page (they are a purveyor of shoddy goods it has to be said, according to google searches). They were not very forthcoming during chat but they promised to email me later about it. (A check on the html coding of their site does not reveal similar hacking)
      Back on Sunday night, bye till then 🙂

    • #1326659

      You could copy your pages back in from a back up late at night – assuming your host allows scheduled tasks / cron. Then any changes will be removed automatically and you can relax with your favourite tipple, knowing you have a job well done.

      cheers, Paul
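Paul's scheduled re-upload can be made a little smarter than a blind copy: keep a hash manifest of the known-good copy, compare the live tree against it, and restore only what differs, setting aside any file that should not be there at all so it can be examined later. This is an added example, not Paul's or the forum's code; the temporary directory layout, the `quarantine` folder and the cron line in the header comment are assumptions for the demonstration.

```python
"""Restore a static site from a known-good copy, touching only what differs.
Added example for the thread above; the demo() tree is constructed in a temp dir.
Assumed cron line (adjust paths):  0 3 * * *  /usr/bin/python3 /home/site/restore_site.py
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256.
    Build it from the offline backup, never from the live web root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def find_tampered(live_root, manifest):
    """Compare the live tree to the manifest; returns {relpath: reason}.
    'unexpected' catches files that were dropped, e.g. a new script."""
    live = build_manifest(live_root)
    report = {}
    for rel, digest in manifest.items():
        if rel not in live:
            report[rel] = "missing"
        elif live[rel] != digest:
            report[rel] = "modified"
    for rel in live:
        if rel not in manifest:
            report[rel] = "unexpected"
    return report


def restore(live_root, backup_root, quarantine_root, report):
    """Put the known-good copy back; move unexpected files aside for inspection
    rather than deleting them, so the evidence survives. Returns touched paths."""
    live_root, backup_root = Path(live_root), Path(backup_root)
    quarantine_root = Path(quarantine_root)
    touched = []
    for rel, reason in sorted(report.items()):
        live = live_root / rel
        if reason == "unexpected":
            dest = quarantine_root / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(live), str(dest))
        else:
            live.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(backup_root / rel, live)
        touched.append(rel)
    return touched


def demo():
    """Constructed end-to-end run: clean backup, tampered live copy, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        backup, live, quarantine = tmp / "backup", tmp / "live", tmp / "quarantine"
        (backup / "css").mkdir(parents=True)
        (backup / "index.html").write_text("<html><body>Hello</body></html>\n")
        (backup / "css" / "site.css").write_text("body { margin: 0 }\n")
        shutil.copytree(backup, live)
        manifest = build_manifest(backup)
        # Simulated intrusion: prefix character plus hidden link, and a dropped file.
        (live / "index.html").write_text(
            "\u0628<html><body>Hello<a href='http://example.net/'></a></body></html>\n",
            encoding="utf-8")
        (live / "old").mkdir()
        (live / "old" / "dropped.php").write_text("<?php /* simulated unexpected file */ ?>\n")
        before = find_tampered(live, manifest)
        touched = restore(live, backup, quarantine, before)
        after = find_tampered(live, manifest)
        return {"before": before, "touched": touched, "after": after,
                "quarantined": sorted(p.name for p in quarantine.rglob("*") if p.is_file())}


if __name__ == "__main__":
    print(demo())
```

Writing the report to a log each night gives exactly the timestamp needed to go back to the server logs, and the quarantine folder keeps the dropped file that a scanner run after the restore would otherwise never see.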

    • #1326660

      My host suggests there may be a “backdoor” in an old script or html fragment. Given that my site has quite a lot of html fragments and scripts and backdoors can be very small amounts of code it seems a needle in a haystack job to find it. I’m keeping my eye on it. Indeed there was another hack this weekend which I removed by re-uploading in the manner Paul T suggests. (Needless to say the company to which the links went was different from last time and the links again didn’t work.) Seems to be a war of attrition, either the hacker will give up or I’ll have to continue watching for changes and re-uploading each time. It’s so stupid and doesn’t do the hacker any good at all as far as I can work out.
      (Regarding vulnerabilities I have done yet another scan and no vulnerabilities were found)

      • #1327120

        I found some old code in an html fragment on my site which happens no longer to work, so I removed it anyway. If anybody can identify a possible backdoor in this I’d be interested to know (zip file of text file enclosed). If so, then maybe I’ve solved the problem, but only time will tell….

        I should mention that thumbplay (whose code it was) was getting very bad reports in WOT, so maybe hacking was one of the problems… I wonder. This may or may not also relate to the new version of thumbplay to which I no longer belong….

    • #1329458

      Could it relate to this?

    • #1329493

      Hi Rory
      Interesting article, thanks.
      Not sure if the (now removed) thumbplay code could have had a similar effect; it includes “allowscriptaccess” in the code, but my knowledge is insufficient to know whether that could have been a back door. Anyway, all is clear of hacks at the moment… time will tell …

      • #1330638

        dwsolo,
        Two weeks ago I had about 10 sites hacked. They were all on the same server, and none were CMS sites. Also, they all had different passwords.
        What this hacker did to my sites was to hijack different words on each site and link them to other sites… for example, one site had the sentence “family owned and operated”. They hijacked the word “family” and linked it to a site selling family condos.
        It was very easy for me to restore everything, but I determined that my hosting company was at fault because all the sites were different and they all had secure passwords. The only commonality was that they were all on the same server.
        I alerted my hosting company and of course they told me it was all my fault, but I know flags went up and it has never happened since.

    • #1330647

      Hi Robert
      That’s interesting. I have to say I questioned my hosting company too, especially in the most recent event. I wonder if they also had some “flags” to salute… 😉 Anyway, so far so good, there have not been any attacks for some time.
      As a matter of interest were you able to identify the time when the hack(s) took place and thus maybe identify a suspect IP in the log? I tried that last time, but the logs didn’t seem to have any indication of access of the particular pages at the exact time that the hacks took place.
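On the last question, lining the change up against the server logs: the observation in the post above is the expected one, because the altered page need not appear in the web access log at all. Whatever wrote the file is what leaves the trace: an FTP session shows up in the FTP log, not the web log, and a backdoor script shows up as a request to that script, not as a request for the page it modified. The script below is an added example, not the forum's code or any hosting tool's: it parses Apache/nginx combined-format lines, keeps only the window leading up to the file's change time, and flags requests that could have written to disk, namely any method other than GET/HEAD and GETs of server-side scripts that carry a query string. The log lines, IP addresses, paths and the change time are constructed.

```python
"""Correlate a page's modification time with web access-log lines.
Added example for the thread above; all log lines below are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format; referer and user-agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?')
SCRIPT_EXT = (".php", ".cgi", ".pl", ".asp", ".aspx", ".jsp")


def parse_line(line):
    """Return a dict with an aware datetime under 'time', or None if unparsable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def could_write(rec):
    """Heuristic: requests that might have changed files on disk."""
    if rec["method"] not in ("GET", "HEAD"):
        return True
    path, _, query = rec["path"].partition("?")
    return path.lower().endswith(SCRIPT_EXT) and bool(query)


def suspects(lines, modified_at, window=timedelta(minutes=30)):
    """Log records inside [modified_at - window, modified_at] that could_write()."""
    lo = modified_at - window
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and lo <= rec["time"] <= modified_at and could_write(rec):
            out.append({"ip": rec["ip"], "time": rec["ts"],
                        "method": rec["method"], "path": rec["path"],
                        "status": rec["status"]})
    return out


# Constructed sample log: a normal visitor, a GET with a query string to an old
# script, a POST to the same script, and a visitor after the change.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Mar/2011:02:13:07 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Mar/2011:02:14:40 +0000] "GET /old/thumb.php?page=about HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Mar/2011:02:15:02 +0000] "POST /old/thumb.php HTTP/1.1" 200 88 "-" "Mozilla/4.0"
192.0.2.9 - - [14/Mar/2011:02:40:11 +0000] "GET /index.html HTTP/1.1" 200 5160 "-" "Mozilla/5.0"
""".splitlines()

# Assumed change time, e.g. the file's mtime or the changedetection alert time.
MODIFIED_AT = datetime(2011, 3, 14, 2, 15, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for s in suspects(SAMPLE_LOG, MODIFIED_AT):
        print(s)
```

The window should be generous the first time (hours rather than minutes) and the file's mtime taken from the server, not from the local copy; if nothing turns up in the web log at all, ask the host for the FTP log for the same window, since a stolen or brute-forced FTP password would leave its trace there.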
