I feel so exploited!

by Kevin Godby

My website was compromised Saturday night and spent the better part of a day participating in some sort of link farm.

I’ve removed the offending files and am still auditing my site looking for more. I’ve also upgraded much of the software on the site in case the script kiddies weaseled their way in through some outdated PHP script.

In one day, my site has had more hits than it normally gets in a full month. If you found my site by clicking on a link that looked like http://kevin.godby.org/page.php?id=... then I apologize. The link you clicked on would have taken you to a site with a few hundred keywords, but no useful information. And to top it off, the site tries to install malware on your computer.

Some details on the exploit: The Russian and Ukrainian hackers uploaded the page.php file at 14:36:27 PST on November 1, 2008. The page.php file looks at the ID number at the end of the address and downloads a web page from a server in Germany. Once downloaded, the page is streamed to your browser (so it looks like I’m hosting the page). The page contains a litany of spammy keywords and a list of links pointing back to the page.php file on my site (with different ID values).
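The mechanism described above (a dropped PHP file that reads an ID from the query string, fetches a remote page selected by it, and echoes the result so it appears to be hosted locally) leaves a recognizable signature in source. The following audit script is an added example, not the author's or Dreamhost's code: it walks a web root, flags PHP files that combine a remote-fetch primitive, a request parameter and output, notes whether they were modified after a cutoff, and runs against a constructed sample site. The reconstructed `page.php` and the host `farm.example` are placeholders, not the actual injected file.

```python
import os
import re
import tempfile
import time

# Signatures for the pattern described in the post: read an ID from the query
# string, fetch a remote page selected by it, and stream the result to the client.
REMOTE_FETCH = re.compile(
    r"\b(file_get_contents|fopen|curl_init|curl_exec|fsockopen|readfile)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|REQUEST|POST|SERVER)\s*\[", re.I)
OUTPUT = re.compile(r"\b(echo|print|readfile|fpassthru)\b", re.I)
OBFUSCATION = re.compile(
    r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|eval)\s*\(", re.I)

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")


def classify_source(source: str) -> list[str]:
    """Return the reasons a PHP source text looks like an injected proxy/link-farm page."""
    reasons = []
    if REMOTE_FETCH.search(source) and REQUEST_INPUT.search(source) and OUTPUT.search(source):
        reasons.append("fetches remote content chosen by a request parameter and echoes it")
    if OBFUSCATION.search(source):
        reasons.append("uses eval/decoding primitives common in injected PHP")
    return reasons


def audit(root: str, since: float) -> dict[str, list[str]]:
    """Walk a web root and map suspicious PHP paths (relative to root) to the reasons flagged."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = classify_source(fh.read())
            if not reasons:
                # A recent mtime alone is too noisy right after a software upgrade,
                # so it only strengthens a content-based finding.
                continue
            if os.path.getmtime(path) >= since:
                reasons.append("modified after the cutoff time")
            findings[os.path.relpath(path, root)] = reasons
    return findings


def build_sample_site() -> str:
    """Create a constructed web root: a benign index.php and a page.php modelled on the post."""
    root = tempfile.mkdtemp(prefix="site-")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write('<?php echo "<h1>Hello</h1>"; ?>\n')
    # Hypothetical reconstruction of the injected file; farm.example is a placeholder host.
    with open(os.path.join(root, "page.php"), "w") as fh:
        fh.write(
            "<?php\n"
            "$id = (int) $_GET['id'];\n"
            '$html = file_get_contents("http://farm.example/feed.php?id=" . $id);\n'
            "echo $html;\n"
        )
    # Backdate index.php so only page.php counts as recently modified.
    old = time.time() - 30 * 86400
    os.utime(os.path.join(root, "index.php"), (old, old))
    return root


def demo() -> dict[str, list[str]]:
    """Build the constructed site and audit it with a one-week cutoff."""
    return audit(build_sample_site(), since=time.time() - 7 * 86400)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

Run it against a real web root with `since` set to the last known-good time; a hit means read the file, not delete it blind, since legitimate plugins also fetch remote content. The cutoff only annotates content-based findings because a mass software upgrade, as done here, refreshes the mtime of every legitimate file.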

I’ve already emailed the technical contact for the block of Internet addresses used to host the spam and malware pages. I’m not sure if their server was also hacked or if they’re willingly hosting the link farm.

I’ve also contacted Dreamhost, my hosting provider, and provided them with details of the exploit. Unfortunately, my site was not the only one to fall victim. I wrote a small program to download pages with other ID numbers from the server in Germany, and they have links to other Dreamhost servers. Hopefully, Dreamhost can help everyone clean up their sites or shut down traffic to the server in Germany.