Over the last few years, I have used two different servers on which to host the various sites I have (or sub-host on behalf of others). It seems like some maliciously intended people have managed to get into one of the servers (owned by a UK-based company, but maintained in the USA) and caused irrevocable damage.
Over the last few weeks, tens of thousands of spam emails have been generated via the server, and every single site (and indeed other folders on the server that were there for back-ups) has been affected: php-based files have been placed seemingly randomly in the folders; new folders created with over 2000 html pages pointing to obvious scams or to ‘financial services’; .htaccess files created or modified; invisible files and folders with no access permissions (and blocked from altering these even via ftp); and what I can only describe as ‘seed’ pages added (I’ll come back to that one in a short while).
As a result, I’ve already lost a few ‘customers’ (not that I mind that part, as I ‘charge’ minimally, and not something that is financially worth the effort even when things go ‘right’) – but more importantly it’s the good-will and personal support I have been able to provide various organisations and people in need that has been damaged through this wilful damage.
When one of the back-ups for one of the sites was re-instated (from some time back), it appears obvious that some of the damage (though only covert at that time, but through close observation of the site’s loading, clear) has also permeated at least some of the databases and some of the folders.
I have no choice but to totally delete everything on that server and start out afresh and clean for the sites thereon. Approximately half my own sites and half the sites I sub-host have therefore now to be re-created afresh. I do not even want to use any back-ups on the possibility of ‘seed’ php pages thereon.
The provider has suggested that the damage came through WordPress: perhaps this is so, though it does not explain ‘deep’ damage on most of the sites that are non-WordPress (though also php-based, such as Drupal, Joomla, bulletin board, and other ‘blog’-oriented php options). I suspect that what has happened is that a seed-php file was inserted some time back by an unknown means, and that this was able to obtain ‘complementary’ code that eventually, though at first perhaps very slowly, ‘grew’ to its intended result.
Why would this have occurred? To be frank, I doubt it was to generate the spam that flew virally from the server: it seems to me more likely to be an ‘experiment’ in successfully intruding into an area un-observed with a micro or ‘dna-like’ php file that would appear benign, and only over time grow to its effective ability to take control of the whole area. To target a more ‘minor’ (still very significant) provider’s server would be considered good ‘sand-box’ practice… and let’s face it, the spam generated would also mask its probable real intent.
For myself and the people whose sites I sub-host, this has certainly been a nightmare for which I simply have neither the skills nor the time to adequately address. For my host-provider, I’m certain it has been an equivalent nightmare for which they are likely to lose numerous existing and potential clients.
…but on with the ‘repair’ work and moving everything off that server!
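The symptoms listed at the top of this post (php files dropped into folders that should hold none, .htaccess files appearing or changing, hidden entries stripped of all permissions, folders stuffed with thousands of html pages) can be turned into a quick triage sweep of a web root before deciding what to keep and what to wipe. The script below is an added example, not from the post or the hosting provider; the no-code directory names and the thresholds are assumptions, and `demo()` builds a constructed sample tree to show each finding.

```python
import os, shutil, stat, tempfile, time
from pathlib import Path

# Directories that should never hold PHP (assumed names; adjust to the real layout).
NO_CODE_DIRS = {"backup", "backups", "uploads"}


def triage(root, since_days=14, html_threshold=500):
    """Collect the symptoms from the post: PHP in no-code directories, recently changed
    .htaccess files, hidden entries with mode 000, and directories stuffed with html."""
    root, cutoff = Path(root), time.time() - since_days * 86400
    rel = lambda p: str(p.relative_to(root))
    hits = {"php_in_no_code_dir": [], "recent_htaccess": [],
            "hidden_no_perms": [], "html_farm": []}
    for dirpath, dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        for name in dirnames + filenames:  # lstat: never follow a planted symlink
            if name.startswith(".") and stat.S_IMODE(os.lstat(d / name).st_mode) == 0:
                hits["hidden_no_perms"].append(rel(d / name))
        html = 0
        for name in filenames:
            if name.lower().endswith(".php") and set(d.relative_to(root).parts) & NO_CODE_DIRS:
                hits["php_in_no_code_dir"].append(rel(d / name))
            if name == ".htaccess" and os.lstat(d / name).st_mtime >= cutoff:
                hits["recent_htaccess"].append(rel(d / name))
            html += name.lower().endswith((".html", ".htm"))
        if html >= html_threshold:
            hits["html_farm"].append((rel(d), html))
    return hits


def demo():
    """Build a constructed sample web root showing every symptom, triage it, then clean
    up (the mode-000 directory must get its bits back before it can be removed)."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "backups").mkdir()
    (tmp / "backups" / "x.php").write_text("<?php /* planted */ ?>")
    (tmp / "site" / "wp-content").mkdir(parents=True)
    (tmp / "site" / ".htaccess").write_text("RewriteEngine On\n")  # freshly changed
    old = tmp / "site" / "wp-content" / ".htaccess"  # untouched for a year: not flagged
    old.write_text("Options -Indexes\n")
    os.utime(old, (time.time() - 365 * 86400,) * 2)
    (tmp / "site" / ".cache").mkdir()
    os.chmod(tmp / "site" / ".cache", 0)  # hidden folder with no permissions at all
    (tmp / "site" / "news").mkdir()
    for i in range(600):  # a doorway-page farm
        (tmp / "site" / "news" / f"p{i}.html").write_text("<html></html>")
    try:
        return triage(tmp)
    finally:
        os.chmod(tmp / "site" / ".cache", 0o755)
        shutil.rmtree(tmp)
```

Run `triage("/var/www")` (or wherever the sites live) on a copy of the affected tree; every path it returns is a candidate for closer inspection rather than restoration.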