Jonathan Leger – SEO And Internet Marketing Blog

13 Jun 2010

Lessons learned from a hacker.

My wife and I were just settling in for our week-long 10th anniversary trip in the Ozark mountains. We had a great week planned, with lots of hiking and sightseeing, even a trip to an old car museum which I love to go to when we visit there. I woke up the morning after we arrived ready to get started, only to see that there was a voice mail on my phone from 6 a.m. It was Amin Motin, my helpdesk manager, informing me that a number of my sites had been hacked into...

As you may be aware, three of my servers were hacked into last week, resulting in a number of my sites displaying the hacker's "look at what I can do" message as the home page. Fortunately no data was lost from any of the databases, and the sites were restored back to their proper working order within a matter of hours after I reported the issue to my server host.

It would appear that my computer got a keylogger-style virus installed on it, despite the fact that I only use a Mozilla browser (which I didn't think was targeted by such things, but apparently due to its popularity growth this is no longer the case). I often scan the "black hat" and "software cracks" forums for references to my own software so I can close any loopholes those guys find to try and rip off my software, and I can only imagine that the virus came from one of those sites. Shame on me for getting busy and not updating my virus protection software.

Well, long story short, I had these 3 servers open in a shell (SSH) window, and next thing you know the hacker was logging in and doing his thing.

The virus has since been removed, the servers restored to their normal working condition and all passwords changed.

This is not the kind of thing I wanted to deal with while I was away on my 10th anniversary with my wife, and it's certainly not the kind of thing she wanted me to have to deal with on such a special occasion. However, the matter was resolved within a few hours of my reporting it to my web host, which allowed my wife and me to enjoy the rest of our trip in peace. It could have been a whole lot worse, to say the least, had I not had such fantastic support from Amin, my customers and my web host.

I wanted to share with you the lessons I have learned from this incident in case they will help you.

1. Having strong passwords is not enough.

It doesn't matter how "unguessable" your password is if a keylogger gets installed on your computer and the hacker gets the password sent to him by the virus. It's also not enough to rely on your virus protection software, because a brand new virus may not be detected.

That's why I've had my host block all shell (SSH) and FTP access from all IP addresses except my own. So unless the hacker manages to break into the data center where my servers are, or breaks into my house and sits at my desk, even if he has the passwords it won't do him any good.

Since I never do any SSH work away from home, this works just fine. But even if I did need to access the server via SSH from somewhere else, I can always log a ticket with my web host to get the IP address temporarily added to the "allow" list.
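One way to check that an allow-list like this is actually holding is to audit the server's SSH log for successful logins from any address outside it. The script below is an added example, not code from the original post; it assumes the standard OpenSSH syslog message format, and the host name, log lines and addresses (documentation ranges) are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the single home address that is allowed to use SSH.
# 203.0.113.0/24 is a documentation range, used here as a placeholder.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.10/32")]

# OpenSSH logs authentication results as, for example:
#   Accepted password for root from 192.0.2.77 port 51515 ssh2
#   Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
SSHD_EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log: two failed guesses, one successful login from an
# unknown address (what a stolen password looks like), two from home.
SAMPLE_LOG = """\
Jun  8 05:41:02 web1 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Jun  8 05:41:05 web1 sshd[2213]: Failed password for root from 198.51.100.23 port 40120 ssh2
Jun  8 05:52:40 web1 sshd[2290]: Accepted password for root from 192.0.2.77 port 51515 ssh2
Jun  8 09:15:11 web1 sshd[3001]: Accepted password for root from 203.0.113.10 port 60022 ssh2
Jun  8 09:20:00 web1 sshd[3050]: Accepted publickey for deploy from 203.0.113.10 port 60030 ssh2: RSA SHA256:CONSTRUCTED
"""


def is_allowed(ip_text, networks=ALLOWED_NETWORKS):
    """Return True if ip_text parses as an IP address inside the allow-list."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        # Unparseable source field: treat as not allowed so it gets reported.
        return False
    return any(addr in net for net in networks)


def audit_auth_log(lines, networks=ALLOWED_NETWORKS):
    """Scan sshd log lines.

    Returns (outside_logins, failed_by_source):
      outside_logins   - list of (user, ip, method) for every *successful*
                         login whose source is not on the allow-list
      failed_by_source - Counter of failed attempts per source address
    """
    outside_logins = []
    failed_by_source = Counter()
    for line in lines:
        match = SSHD_EVENT.search(line)
        if match is None:
            continue  # not an sshd authentication result
        ip = match["ip"]
        if match["result"] == "Accepted":
            if not is_allowed(ip, networks):
                outside_logins.append((match["user"], ip, match["method"]))
        else:
            failed_by_source[ip] += 1
    return outside_logins, failed_by_source


if __name__ == "__main__":
    outside, failed = audit_auth_log(SAMPLE_LOG.splitlines())
    for user, ip, method in outside:
        print(f"ALERT: {user} logged in via {method} from non-allow-listed {ip}")
    for ip, count in failed.most_common():
        print(f"{count} failed attempt(s) from {ip}")
```

With the firewall rule in place the first list should always be empty; any entry means the block is not being applied or a login came through another path.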

2. Having loyal customers is a beautiful thing.

Within an hour of the hack, there were a dozen emails sitting in my inbox from customers and colleagues informing me of the issue and offering to do whatever they could to help. Within two hours there were two dozen emails.

I can't even begin to describe how good it made me feel to know that my customers and associates all have my back, and were willing to go the extra mile to help me resolve the problem if they could do anything to help. That really lets me know that I'm running this business the way I should.

Thanks to everyone who alerted me and offered to help. It is VERY much appreciated.

3. Having a responsive host is vital!

It wouldn't matter much if I knew about the hack while out of town if my web host was slow in responding. That certainly was not the case! Within a few hours of my notifying my host, they had the problem cleaned up and everything set right.

I was informed later that two of their top-tier systems administrators were set on the task. It wasn't long before they knew exactly how the hack occurred, what to do to close the hole, and how to tighten security to prevent any such incidents in the future.

I always knew that my web host's service was top notch, but you REALLY know you're in good hands when something like this happens and they're on the ball. I am SO glad I switched hosts a couple of years ago. My previous host was incredibly slow to respond no matter how urgent the matter.

In case you're wondering, my server host is:

http://AQhost.com

I cannot recommend their services highly enough. Their response time even on trivial issues is incredible, and when it really matters, they're on top of things in a flash.

Disaster Averted

The situation certainly could have been a lot worse than it was. I cringe to think how things would have gone had I still been with my old web host (which shall remain nameless -- but it was a BIG host, which you'd think would have great support, but didn't). I could have been stressing out all week long waiting for things to get corrected IF I had even known about what happened. I might have been obliviously hiking through the mountains while a dozen of my sites were down for a week. Just thinking about that grows gray hairs on my head!

But things didn't work that way. Everything was set right the day I reported it to my fantastic host, thanks to being informed by Amin and my customers and associates. Because all of the links in the chain were strong, disaster was averted, and the security of my servers is now far stronger than it was before.

I have certainly learned a lot from this situation, but the biggest lesson can be summed up in these smile-evoking words: I'm in good hands.

Please post your thoughts and questions in a comment below.

Comments (123) Trackbacks (0)
  1. where did u obtain this knowledge

  2. Good advice it pays to be a bit more wary nowadays, I’m glad no permanent damage was done!

  3. I “lost” my PC through some of these morons (because I didn’t realise what had happened).

    But what I wanted to say was that when I was reinstalling all my software onto the new machine Jonathan’s was the most straightforward to get up and running again, so thanks for that.

    And I’ve made MUCH better notes on how to rebuild everything this time…..

  4. Nice one. Hackers can also give good ideas.

  5. I envy you. Your blog is much better in maintenance and design than mine. Who did the design for you?

  6. That’s scary stuff!

    Why would anybody do something like that? Thanks for sharing your experience here Jonathan and making us all aware of the dangers lurking out there. It’s good to hear that you weren’t too badly affected.

  7. First congrats on your 10th and kudos for taking your wife away from it all to celebrate!

    I’ve been a fan of your articles and products for a long time now, and as one of the co-founders of Trust Guard (a website security scanning service) I can tell you that there are literally thousands of sites hacked every day, so this is an important message to get out.

    It may interest you and your readers that we scan a lot of websites and over 73% of them fail their first vulnerability scan, regardless of where they are hosted, big and small companies alike. That’s a lot of surprised site owners, and it’s really a scary number for owners and consumers when you think about it.

    If you’re interested we would love to have you test our service and report about it. I believe our daily scanning combined with the suggestions you have above could save website owners a lot of headaches, lost time and money.

    Thanks again Jon!

    Regards,
    Dave

  8. It really is hard to stop hackers these days. I have several niche websites that were attacked by a hacker, and it took me and my team several days in order to get things back to normal.

    I hope that all is well now, and maybe the little jerk that did this will get what he has coming.

  9. My goodness if having to memorize passwords like @$@VDA#$%$ is not enough, I don’t really know what to do next. You’re right about the responsive host thing though

  10. Sorry to hear about this Jon, it’s a right pain in the ass and always comes at the wrong time, we had a spate of it with 3 sites on Godaddy a little while ago (I know, I know) and can’t help but contrast the difference in service between them and your host.

    They were actually hacked 3 times in 2 weeks, after first full repair before we could even move them the hackers were back, despite super-turbo securitizing them all after the first breach.

    All Godaddy seemed to want to do was blame WordPress, and on reporting a hack you just get a standard letter back advising you that it’s your fault for not updating your version of WP (even if the site affected wasn’t on WP :) and your responsibility to sort it out.
    (i.e. don’t bother them with your problems)

    This was clearly a Godaddy issue because of the amount and variety of different sites done, the only common denominator was their host.

    Anyway, glad they didn’t ruin your weekend, and well done making it 10 years ;)

  11. u mentioned u surf blackhat and warez crack forums. risky to do so without browser/operating system (os) protection.

    to protect browser, install sandboxie sandbox program (www.sandboxie.com). that way any malware that gets accidentally downloaded eg drive-by malware download, etc is 100% eradicated once your sandboxed browser is closed.

    for further protection ie overall os protection, use returnil virtual system (www.returnilvirtualsystem.com).

    another way is to use virtualisation programs like vmware (www.vmware.com), virtual box (www.virtualbox.org), etc when surfing malware-infested warez/cracks/serialz sites.

  12. So glad to hear that everything worked out with your sites and that you made it home safely. When I heard about the campers being swept away by the flash floods, I was praying that you were not at those camp grounds!

    It seems that as much as we try to protect ourselves against these hackers, the smarter they get. It is a never ending cat and mouse game.

    @ Andy-I quit using AVG after 2 hard drives getting fried by viruses. I now use Avast (recommended by my tech) and it has caught things that most anti-virus programs, including Norton, don’t catch. It alerted me when one of my blogs got hacked.

  13. I am often surprised by how much amazing software is available for Mac at reasonable prices, even. So if there is something you need that isn’t available, why not write it? I worked on thousands of PCs for years at AT&T. Six years after retiring, and getting rid of my fourth disposable HP pc, I went Mac. The amount of time saved just in Windows maintenance is remarkable. I’m reminded every week when I start Parallels and have to spend ten minutes waiting for updates before I can do any work.

    So why do I have Parallels? The Mac version of Quicken would not convert my files dating back three releases.

    It would sure be nice if you made software that would work on our Macs!

    Terry

  14. Wow Jonathan, that is quite an ordeal. I guess none of us think about something bad like this happening because it hasn’t happened to us yet.

    But as we grow our businesses and our Brand we really need to be proactive because these hackers are ruthless in who they target!!

  15. I’m glad your website got back to normal within 1 day. I was very shocked when I saw the “You have been hacked” and I thought I had clicked the wrong site.

    Anyway, regarding the hosting wise…I still prefer hostgator for me :)

    Regards,
    Winson Yeung

  16. Too bad this happened at such an inconvenient time.

    My AV software (Avast) seems to update its database every day, just shows the threat level out there.

    Andy

  17. “For mozilla users there is a plugin called keyscrambler which is pretty good as far as keylogging goes.”

    I just installed KeyScrambler, and so far, it is pretty good. When you type in information to any site or browser a box appears and shows what the encrypted keystrokes look like. Seems to be a simple, and hopefully an effective program.

    Robert C – The Wholesale Products Guy

  18. Hi Jon,

    The first thing I was thinking that day was: Oh, no, Jon’s second honeymoon will be destroyed by that lowlife! And I am glad it didn’t.

    Now, somebody here mentioned RoboForm, which I am using. I am, too, curious about your thoughts about it?

    Anna

  19. Hi Jon,

    Glad to hear that everything was cleared up. Hope this foolishness did not put a damper on your vacation. I’m new to internet marketing and this is the first time I have heard an in-depth story about hacking people’s sites. I am far from being the technical type, however, after reading what happened to you, I’m very much interested in learning more, and how to protect my websites. Thanks for sharing Jon. I’d also like to thank the folks that commented about their experiences with hacking. You have all been very helpful to me.

    God bless

  20. I wish I could say the same thing. This happened to me last week and it took my host 3 days to respond and only because I threatened them the third time to pull everything from them. In the meantime, one of my sites is totally %$%^%$# and I have to upload everything from scratch and not only that a few of my clients sites have been infected too which to me is more embarrassing than anything. I’m going to be changing asap to a new host and I might just try the guys you are with.
    Thanks for this info, but for me, it came a little late….but better than never that’s for sure :-)
    Cheers
    andrew b.

  21. Thanks Jonathan for this information. I use Mozilla Firefox also because I thought most hackers, focused on writing for Internet Explorer. I will be turning off the SSH and FTP setting also.
    Very helpful post…

  22. Jon, after nearly 10 years of having websites on line – it happened to me, too. My main portal page was hacked – couldn’t get to any of the many connected pages. Makes a person feel as if they’ve been violated. My Host came through, too, and got me back in business in about an hour after contacting their tech support around 11 PM EST. I can’t say enough good stuff about GoDaddy support.

  23. Hey Jonathan,

    Looks like they may be on one of your lists and waited until you went on vacation. I’m going to rethink my hosting provider.

    Michael

  24. Good post, loved the tip, just curious if your old host were the initials HG..i ask bc thats who i use and had some DOS attacks but would take them 4-6 hours to reply back and fix the issue and one time i was down for 58 hours.

  25. Hi Jon

    I’m glad it all worked out ok for you.

    After years spent trouble-shooting in a large manufacturing industry, both software and mechanical faults, the question I’d ask myself is; who knew you were going on holiday? I don’t believe much in coincidence, so I’d guess your hacker timed his attack for when he knew/hoped/thought you’d be unable to deal with it.

    Fortunately, your team and your systems were on the ball.

    Best regards from New Zealand

    Stephen

    PS Happy Anniversary :)

  26. Ah…people…they shock you, they astound you and when the chips (or sites) are down they humble you. But having read a few posts one can tell why you might attract such a loyal following.

  27. Jon,

    Everything else has been said, so I’ll confine myself to the great help desk service provided by Amin.

    I was pretty frustrated in not being able to get my TBS problem straightened out and had already had a ticket in before the hack. When I did get through to Amin, he was absolutely great in explaining things and getting my problem solved…even though he was up to his ears in dealing with the issues. His patience and quick responses were very appreciated.

    I just thought you’d like to know. Having some like Amin covering your back on service issues has got to be a great feeling.

    Sincerely,

    Steve Benedict

  28. Hi Jonathan
    Thanks for this blog. I am a subscriber to your Answer Analyst. I tried to connect to Answer Analyst and saw a strange message something like-this site is hacked and it asked to do something. I got frightened and shut down my computer. Thanks for clearing the matter.

  29. Good to have you back!

    Great tips for preventing any hacking on our own servers, will follow the advice.

  30. We should always use a strong password to protect our online privacy. However, I don’t take any risk. I simply go to aafter.com and ask for a stronger password by typing password: in the AAfter’s search box and pressing enter.

  31. Hi Jon,

    Certainly a good lesson to learn from.

    I’ve had websites hacked myself and fortunately had them back due to great host support, but I didn’t know how this hacking business worked.

    Having IP access blocked is a great tip and I thank you for it.

    Finally, having loyal customers and subscribers is a result of an honest business management and real care for them. I strongly believe this is the way to go.

    Have a nice rest of your vacation!

  32. Glad everything worked out. I saw a posting about the hacking on the Warriors Forum, and the first thing I thought was that you’d just left for your vacation. Weird how these things seem to happen that way. I’ve had two client sites hacked, and both times it was while I was away.

    Anyway, thanks for the heads up, and the prompt response, even on your vacation. Glad you still had a good time.

    -e

  33. Hi Jonathan,
    Well, we are certainly glad everything is back in order. Here at Harbor Financial, we were hoping you had a good back up system and you have not disappointed us.
    Sorry to hear this hit while you were on your anniversary vacation. We can all learn from the lessons and become stronger in the future.
    Thanks for sharing with us!
    Alexandria

  34. Great post and glad you were able to get everything resolved so quickly. Thanks for sharing your experience and the lessons learned, Also appreciate the comments and info shared by your visitors / clients.

    Very helpful and informative,

  35. Hi Jonathan,

    If you are going to visit some of the black hat (grey hat) sites, try using the program called Sandboxie to protect yourself. Sandboxie will prevent anything and everything from installing itself via your web browser or email program. Basically, after you finish browsing and close the Sandbox, all is cleaned up without a trace.

    Keith

  36. I’m sure glad that things turned out well for you.

    Things like that happen and you just have to be ready to roll with the punch. Which you did a good job doing.

    I’m glad you have a good support team with people that work with you and for you and friends and customers that you can trust.

    The best to you.
    w.

  37. The sun is obviously shining on you, and so it should…..

  38. I can attest to the benefits of a responsive host, or rather the drawbacks of one who is not. It sucks and I would not wish that kind of service on anyone. But, it does teach you a lot.

  39. For mozilla users there is a plugin called keyscrambler which is pretty good as far as keylogging goes.

    Use of an effective anti virus – trojan software will be money well spent. I use AVG paid version which is a virus and internet security software in one.

    Another one I use is trackseraser. This is money well spent.

  40. Like Steve mentioned in an earlier comment here, 1WayLinks was infected far into the week and trying to install a virus on to visitors’ computers. I don’t see any mention of this here.

    So is 1waylinks all clear now? After all Jon’s sites were back up I tried to visit 1WL. When I clicked on the login button it immediately tried to download and trigger a virus (which my anti-virus blocked, thankfully). I read about others having this problem on the Warrior Forum.

    This happened a day or more after all the sites were back up and I don’t see any mention of it here, so I guess I’d just like some assurance 1WL is clean and okay to visit again.

  41. Maybe I missed it, but how did you know it was a Keyboard Logger virus, and how did you get it and get rid of it?

    What are you using now to help you prevent from getting one in the future? I know there are a number of KL detection software programs out there. Just wondering if you installed one on your computer.

    Thanks for the post….

    Robert C – The Wholesale Products Guy

  42. Sounds like you got hit by the Sinowal virus. It uses old versions of Java to install itself and transmit passwords to hackers via a backdoor it creates. Believe it or not, Windows Security Essentials (free) catches and deletes it.

    This happened to me 2 weeks ago so I’m familiar with the drama.

    Keep all the following up to date…

    Windows
    Java
    Firefox
    Virus Software

    …and you’ll be ok. The latest Java auto updates itself (finally).

  43. You can never be too cautious these days. This incident demonstrates how crucial customer service and tech support responsiveness are to any web hosting company.

    Most people will recommend a web host based on how long the list of features that company offers as part of their service package.

    I have always told people while it’s beneficial to have all those features, the true value of your web hosting company reveals itself when a problem occurs on your website and you need their immediate assistance.

  44. As a computer support professional who has fought many a virus/malware attack, I feel your pain. I’m hoping that keylogger didn’t get anything else from you!

    One of my sites was hacked once (due to a permissions problem), and it’s not a fun feeling. It almost always happens at the least convenient time too. That’s just one reason I’m glad that my most important sites are on a host that I would say is almost unhackable.

  45. You might look at the program KeyScrambler. It encrypts the keystrokes in the driver and decrypts for the program so key loggers see scrambled data. Don’t know that would have stopped it but worth a try. Just google it and you’ll find it.

    Glad to see everything is back!

    Rick

  46. First off – Happy Anniversary!!!

    That’s a pretty scary scenario. If it can happen to someone like you with all your resources it can happen to anyone. Glad to hear you had no long term adverse effects.

    What do you use for data backup? Someone told me to install WP Database Backup plugin.

    Marc

  47. Glad everything is settled. These hackers are always one step or maybe two steps ahead of the technology.

    You are so true, even with a powerful password, with a keylogger on your computer nobody is spared.

    Anyways, belated anniversary.

  48. Great advice, I can remember when it happened to my site. It’s good that you didn’t lose any vital data. Also brings up the question that we need to backup our data all the time.

  49. Hi Jon,

    I am a customer of yours for many of your software. I am glad you are back to normal with your systems and were able to continue with your trip without too much delay and upset.

    You stated:
    “That’s why I’ve had my host block all shell (SSH) and FTP access from all IP addresses except my own. So unless the hacker manages to break into the data center where my servers are, or breaks into my house and sits at my desk, even if he has the passwords it won’t do him any good.”

    I don’t understand much of this and would appreciate it if you could write a post on that subject for us “Newbies”. With this knowledge we would be better prepared by taking the necessary steps.

    Take Care.

  50. I love hearing how people, especially the ones we see on the net a lot, are handling problems and getting them solved! Good going!
    Jan Tincher

  51. Oh forgot, also make sure you check to make sure you have no 777 permissions set on files on your host, that’s how it starts. My host told me 777 was wide open and I thought back, I had just installed a script that had the 777 on a few files and I missed it.

    Beware of that one. The hacks will sell scripts cheap and unbeknownst to you wait until you upload them and then they go to work on you.

    Hate hacks. Hate em!

  52. Hey Jonathan

    Glad you got everything sorted out.

    I did notice fairly quickly that the sites were up and working.
    I had the misfortune of 2 of my sites hacked and one of them had a virus installed and Google delisted it with one of those Big Red Flags that prevented people from going to my site.

    Even after it was all cleared I never did get Google to re-list it. I ended up dumping that site.

    Great news that you enjoyed your holidays.

    Hamant

  53. Hi Jon sorry to hear what happened. The same thing happened to me 2 weeks ago. I should have known something was up when I saw an IP from Russia making a stop on one of my sites.

    Not casting aspersions but my host was able to run some script to arrest the problem.
    Yes setting up only your IP range is key. Changing passwords is good.
    Also plain ole checking your host for date/time changes. Time consuming I know but I’ve instituted that one to my morning duties. Takes 5 mins at the most.

    Thought about you and your family when I got the news of weather conditions in Arkansas over the weekend.

    My condolences go out to the families of the victims.

    Take care

  54. Hi Jon

    There have been some good suggestions on how to protect yourself.
    Maybe I can add a little more.
    If you have to do research on shady sites, it might be a good idea to use the free vmware player with a mozilla browser appliance (http://www.vmware.com/appliances/directory/80). Even if a virus (possible, but very improbable) gets onto that virtual system, you are still safe if you use that system only for research and your physical computer for “real work”.
    Another idea to further secure your ssh connections is the use of port knocking daemons (http://www.portknocking.org/view/implementations). This opens the ssh port only to IP addresses from which a secret knocking sequence was detected.

    Mike

  55. I was unaware of shell (SSH). Not being too techie I have just never heard of it. Thanks for the advice. I wonder if there is anything else I need to be doing to protect myself. Time to switch hosts. Thanks Jon.

  56. Jon
    As an admirer of your work ethic, I had no doubt that you would have a stellar support team and hosting company. Thank you for sharing your lessons learned.

    Thanks also for sharing your web host with us, it means a lot to those just starting out to become the next internet success.

    Apart from your business being intact, I am also glad to hear that your anniversary celebrations, for the most part, continued as planned.

    Leona

  57. You were not the only one that was worried. My main assistant called me at 9 in the morning to tell me about the hack. At first I thought she had made a mistake. But then I saw it for myself.

    Scary!!!

  58. Ah, unlucky I guess, but good job getting everything sorted. I guess I’m lucky I have dedicated servers, as the person above me seems to be on shared hosting only.

  59. Hi Jon,

    Thanks for the very important information. Based on the info in your blog, I immediately called my GoDaddy hosting company this morning. Unless I am mistaken, blocking all shell and FTP access applies only to dedicated hosting. Since I have unlimited “shared” hosting, there doesn’t seem to be a way to further prevent hackers from gaining access to my server.

    If I am incorrect, I sure would like to hear from someone exactly what I can do to tighten up the security on my hosting. Are there other hosting companies that provide shared hosting that is more “secure” than GoDaddy’s hosting?

  60. Thanks Jon, Your experience is entirely new to me and I’m sorry that you had to go through it, however I’m sure that most will agree that you’ve helped the rest of us in avoiding the low life scoundrels. Thanks

  61. Jonathan,
    Great to hear you were able to resolve the issue within such a short time. Cheers to your server host.
    I had a similar experience a couple of times in the recent past and my server hosts–Hostgator did a wonderful job by removing the virus within a short period both the times.
    Thanks to such companies who run their business the way we expect them to.
    Thanks for sharing your experience.

  62. I’m sad for what happened Jonathan.
    Having the website hacked is a bad thing, and I’m really scared about it.
    I’m trying to do automated backups, but I’m not sure to be able to protect my websites at best.

    I work only on WordPress, with tens of blogs.
    Mostly fundamental in my business.

    I will try to search how to permit only 1 IP to access admin files, so I can only insert the IPs I’m using right now.

    I’m happy to know that problem was solved, you were lucky and prepared.
    But sometimes, a good hosting can be 50% of the entire solution.
    Also I had moved my websites on a new little and cute hosting, where I have a great full time support and many other things, for a little price.

    Thanks Jonathan, keep up the good work with your useful software.
    See you,
    Alessandro Z

  63. Hi Jon,

    Glad to see you back and have all the problems settled.
    We were worried about you over e1kad, I am glad you’ve got everything under control :)

    Happy anniversary to both of you.

    Hendra

  64. Glad to see that you have your system back up and running, nothing more aggravating than someone slipping in and destroying your system setup.

  65. I just checked Alexa.com, and realized that this post is one of the hottest topics and URLs for the day. And I am aroused by the title, so I visited and this is a nightmare to anyone of us. Thank you for sharing your tips and lessons learnt from being hacked. I shall follow your suggestions.

  66. I was very surprised when I tried to login to 3way and saw the hacker page. I support all those who despise hackers, they have less to do in life than the working person.

  67. Loyalty is a fabulous trait that is deserved of anyone who strives to help others. Great to read your post Jonathan. This is the sort of loyalty that should be hailed more often so we can focus more on the positive aspects of this amazing time on the net.

  68. Hi Jonathan,
    I’m glad to know you are back up and running!
    In my experience keyloggers can be stopped by using a good password protection system such as roboform.
    I do recommend it as it works as copy and paste “blocks of bytes”
    so that makes it impossible for the keyloggers to “see” what your password is, you are not typing at all!
    As an IT Professional I strongly recommend it!
    Anyone can get a free version and see the benefits for free.
    One very important fact: games can be used as trojan horses (keyloggers), like the ones you play in social media sites, so get protected before it is too late, using a professional tested tool is the way to go.
    Hope this tip helps everyone.
    Regards
    Luis

  69. You raise some good points Jonathan and to add:-

    - As already stated, your support desk was on the same server. I also wanted to contact you but couldn’t.

    - Most broadband providers only offer dynamic IP addresses which means each time you log in you get a different one. That’s usually a good thing but is an obvious issue when you’re trying to block access by IP address. Yes, you can nominate a static IP with most providers but if that is hacked then you’re back to square one and as you had a keylogger attack that could just as easily have led to an attack via your own machine if it was left on.

    - Site templates are a big source of hack attacks. My worst hacking occurred when the template developers concerned – who shall remain nameless as they’re a major supplier (Joomla not WordPress) – left their access codes in the finished product. I only found out what was happening when I suddenly started appearing in Google for phrases that I didn’t know were even physically possible! Unofficial template downloads are known to be an even bigger problem.

    - Looking at my various server logs I see that attempted root hacks occur hundreds, sometimes thousands, of times a day. Site and server hacking is a continuous menace, not just the odd one-off.

    - Keeping recent backups and constant site monitoring are the only surefire ways of getting out of the problem once it’s occurred.

  70. Hey Jon,

    It’s nice to see that you’re on top of these problems. It’s certainly not a pleasant experience when you are away on a vacation and something like this pops out.

    Keep more good stuff coming.

    Best!
    Welly Mulia

  71. Jonathan,

    Thanks for sharing. I was surprised when I first saw the hacked site. Never thought I’d experience seeing an actual “hack”. I’m glad you were able to resolve it as you mentioned in your post.

    I’m curious about the keylogging. I have a QWERTY keyboard but I use a Dvorak input. To see the difference here’s an example: when I hit the ‘v’ on my QWERTY it types ‘k’. Don’t know if this would ‘disguise’ your typing/keylogging. Anyhow, I love Dvorak keyboard typing input.

    And on a final happy note, wishing you and your wife a wonderful 10th anniversary.

    Aloha,
    Ken

  72. The timing was just awful for you Jon, so glad it did not drag on the whole week for you!

    From a customer point of view, I was upset, thought I had lost the use of my favourite tools for a week or so until you got back home to sort it out!

    Also I was dreading what the hackers may have been hosting on 1waylinks!

  73. About the worst thing that can happen: hacked when on an anniversary trip. You are lucky to have such a good web host.

    Anti hacker checklist:

    * Use up to date anti virus software
    * Have a great web host that solves your problems
    * Have recent backups of your sites
    * Monitor your sites so you know when you are hacked.
    * Never click “Yes” before you have read the message
    * Update your scripts (like WordPress) to the latest version
    * Don’t visit shady sites, especially those ending in .ru

    Not that I have time to keep up with all of that myself. It’s enough work just to build a business.

    I’ve been hacked once but luckily they just inserted some harmless ad code that I was able to clean out. The parser they used wasn’t so good though and destroyed a couple of the pages it modified, glad I had backups.

    Simon

  74. I’m glad you shared your experience with us so we can all protect ourselves. Also glad you were able to avert any serious damage done.

    You are one of the few good guys online. We need people like you to stick around.

  75. It wasn’t just a keylogger, when I visited the 1waylinks site on Wednesday/Thursday it infected me with a virus that managed to get all the passwords and details stored in SmartFTP, then all my sites were hacked too.

    Are your sites clean now? I daren’t visit them again in case I get reinfected.

  76. glad you are ok after that. Nothing worse. My hosting company has for a while only allowed access from a specific IP address. Very safe way to be. Also remember your backups.
    Shaun.

  77. John, Yeah sucks getting hacked. I feel for you mate.

    Closing off ssh from your ip is a good idea, but again if they have a keylogger on your machine, then from that ip you are back to square one again.

    1. Use a private key as Matt has suggested

    2. Move your SSH port from port 22 to a different port

    3. enable ssl on your ssh sessions.

    If you can afford it, also connect using VPN.

    Also…..Never root connect to your servers via cafe wifi or unknown wifi connections no matter how tempting it may be, this includes if you are using cpanel or WHM as details of your session are generally visible to any packet sniffers.

  78. I found out about your problems through an email from Amin and I felt bad about you and your wife getting your vacation spoiled so I’m glad it was for less than a day only … but I was 3 days behind on that news because I had my own big problem … a complete wipe out of HD and motherboard … and no backup! So I don’t need to tell you that I was embarrassed besides being crushed.

    My occasional computer guy put me in a reconditioned desktop with more GB than I had before and a one year subscription with Carbonite, a backup service.

    I still had my websites of course and a good system of saved info in folders in two webmail services, gmail and comcast … and was able to get some of my programs replaced by helpful webmasters.

    I waited until you were back from your vacation Jon to ask for a replacement copy of TBS … I will put in a support ticket.

    And life goes on … there are worse catastrophes happening every moment of every day all over the world!

    Fran

  79. Hi Jon,
    Sorry to learn of the tragedy while you were out enjoying your anniversary. I am also grateful that the problem was resolved immediately and everything is back to normal.
    I had a similar situation in February when my Article Directory was hacked. Unfortunately the whole script was affected but the servers were intact. Thanks to my hosting company (http://www.lifeonthenet7.com/H4P.html) for cleaning up the mess.
    Hope these guys will one day receive what they deserve

    Stay blessed!

  80. Thanks for that precautionary tale. Isn’t it always the way that stuff like this happens at the most inopportune times!

    Regards,
    Ella.

  81. If you’re doing anything from the command line with ssh, then you’ll want to look into ssh-agent (I think you can do this on Windows as well). This method of ssh access will use a private key on your local computer and won’t require you to type your password.

    Therefore, a key logger would be ineffective. Something to look into.
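Comments 77 and 81 both recommend logging in with a private key so that no server password is typed. The Python check below is an added example, not part of the original post or its comments: it reads `sshd_config` text and reports the settings that still let a typed password open a session. The two sample configs, the finding names and the account `deploy@203.0.113.7` are constructed for illustration.

```python
# Added example: audit sshd_config text for settings that keep a typed
# (and therefore keyloggable) password useful. Not code from the blog.

# Defaults of current OpenSSH releases (assumption: older releases differ,
# e.g. PermitRootLogin used to default to "yes").
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
# Deprecated spelling that sshd still accepts for the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

WEAK = """
# constructed sample: password logins, root allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED = """
# constructed sample: key-only logins from one source address
Port 2222
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers deploy@203.0.113.7
PasswordAuthentication yes
"""


def effective_settings(config_text):
    """Global settings as sshd reads them: the first value of a keyword wins."""
    settings, allow_users = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # conditional Match blocks are outside this check
        if len(parts) < 2:
            continue
        if key == "allowusers":
            allow_users.extend(parts[1:])  # AllowUsers lines accumulate
        else:
            settings.setdefault(key, parts[1].lower())
    merged = {**DEFAULTS, **settings}
    merged["allowusers"] = allow_users
    return merged


def audit(config_text):
    """Return finding names for settings that still accept a typed password."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] == "yes":
        findings.append("password-login-enabled")
    if s["kbdinteractiveauthentication"] == "yes":
        findings.append("keyboard-interactive-enabled")  # PAM can still prompt
    if s["pubkeyauthentication"] != "yes":
        findings.append("pubkey-login-disabled")
    if s["permitrootlogin"] == "yes":
        findings.append("root-password-login-allowed")
    if not any("@" in user for user in s["allowusers"]):
        # Informational: the restriction may live in a firewall instead.
        findings.append("no-source-restriction-in-sshd")
    return findings
```

The trailing `PasswordAuthentication yes` in the hardened sample is ignored because the earlier `no` is read first. On a live server, `sshd -T` prints the effective configuration, which can be fed to the same check.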

  82. Nice to meet you, Jonathan. I came across this article and poked around your site reading a few posts. I thought, now here’s a guy with some sense, who doesn’t spout a lot of the baloney I’ve heard out there from IM people.

    I clicked on your link, …G…is a lie, to see what it was about, and found myself chuckling as I read your list of myths. Of course, but the fact is many people think differently – better for you and me.

    Finally I got around to noticing that you put out TBS and I had to laugh out loud at myself. I just joined up a few weeks ago, via Areeb. I haven’t used it extensively yet, but I’ve given TBS a couple of trial runs and reckon it’s probably a keeper. Thanks, mate

  83. Hi Jonathan,
    My respect to you and your work on restoring services. I’ve been your customer for almost a year and from all the services I’ve used I value yours the most. You’ve got a lifetime customer.
    Max

  84. Thanks Jon for sharing your experience. Thank God the damage was averted and you had a peaceful anniversary.

  85. isn’t the problem caused by having to type your login details every time and if so isn’t a login software like Roboform part of the solution?

  86. It amazes me that people actually devote so much time to doing this type of stuff.

  87. Thank God you’re back online quickly, and thanks to the backups we have on those servers. Hackers cost us millions of dollars just to clean up their act on websites. Better change those passwords and check your computer for any keylogger software installed.

  88. I must say I was surprised when trying to log back in and read about your new keyword tool…

    I thought oh.. ummm… Jon has redesigned his homepage… lol

    Okay, so crisis averted… do you know who it was? and more important… when are you releasing that damn keyword tool you were taunting me with?? ;)

  89. Hey Jon,

    Great to hear that you were able to get the sites back up in such a short period of time. Thanks for the awesome advice on the IP addresses. I am taking action as we speak.

  90. I don’t think a key logger virus can affect you if you have an automatic password program such as Roboform. You are not keying in any information that they can track.

    Glad to hear you didn’t suffer any permanent damage. Why people do these things is just beyond me.

    Best wishes
    Wendy

  91. Hey Jonathan you were lucky. I looked into your hosting company and I may use them for one of my sites. Thanks

  92. Wonderful tips you’ve shared. I don’t even realize these simple things are essential. I’ve been using shared hosting for a year. Do you think it is great to stick with shared hosting?

  93. @Neels

    It’s not likely it would help. Most of those are automated and are only able to complete from the host having their servers set up incorrectly (as in the last 2 major incidents) or the individual user having an outdated WordPress install.

    Using a host who has the servers set up properly and keeping any installed script up to date is going to stop the vast majority of issues.

  94. Hi Jonathan
    I am sure glad you got things worked out that quick and went on with your anniversary and enjoyed the rest of your trip with your wife.
    I would never have known what to do really in that case, I do now thanks to you.
    I will always be your friend and if I could and knew how I would help you any way I can.
    I think you do good things for people and try to help any way you can.

    Edward

  95. Jon,

    Your sites, programs, forum, C4L, and your post are all the very best on line. My respect for you and for your staff can not be put into words.

    It is sad that someone who helps so many, would be hacked, and also probably not a coincidence that you were out of town.

    I am very happy that you have not received permanent damage to any of your sites. As soon as I signed onto one and got the message, I went to another, then another. After that, was one of the many who sent an email and placed a call to alert you of the problem.

    I was on the forum this evening, when I got an email that you had made a post. So immediately went and read it….was one of the many people who were glad to read that post on the forum http://jlforums.com. At that moment we all knew if there were still any existing problems, you would get them fixed in a hurry.

    Am also happy that you and your wife were able to continue your anniversary vacation without having to return to Plano to get every thing repaired.

    As I said ‘REAL GLAD TO HAVE YOU BACK’!

    Joyce

  96. Thanks for sharing your experience .. I sometimes lose touch with how important changing passwords and running antivirus software really is, especially being a webmaster of quite a few sites – I hate hearing about malicious attacks that do cause damage .. we will consider your mishap lucky!..
    Also, congrats on making it ten years!
    Best of Luck.
    Simon – Whistler BC

  97. Thanks for sharing.

    It makes me aware that what may seem kind of hokey on TV, in the movies, and in recent mystery novels, is actually happening in real life.

  98. I think the real key is quality web hosting – so many people try to save a few dollars a month only to have it cost them significantly later on when a problem occurs.

  99. Great news that everything is ok. You had sent an email about new software you were going to announce later when you came back. There was some reason your email sent me to your site and when I did . . . wow. I felt so bad for you. I’m glad no lasting damage was done.

    Take care and Happy Anniversary to you and your wife. Donna :)

  100. Hi Jonathan, I noticed your situation when I tried to use my copy of “Answer Analyst.” It detected an “update” on your site (which was obviously made by the hacker) and I could not run Answer Analyst unless I accepted that update, which I did not.

    So I would say another thing to be addressed is that people who buy your apps may not be able to run them at all if there is any problem with your server, hacker or otherwise.

  101. I was reading an email when it happened, and clicked on your support desk, but can’t remember why. I saw some b.s. about “I hacked this site”. First thing I thought was, let me email this guy to let him know, but then it hit me… I only know how to get a hold of him through his support desk :P (which was down due to the hacker)

    Glad you got your sites in order…

  102. Hi all thanks for sharing your story Jon – we all get to used to enjoying our work online at times we forget there is danger in all areas of any kind of working life on or offline –

    POSITIVE QUOTE OF THE DAY
    —————————–

    Enjoy the little things, for one day you may look back and realize they were the big things.

    – Robert Brault

  103. I can say that having a great support unit from your hosting company truly makes the major problems go away faster. There is nothing more upsetting than trying to straighten something out and the people that have control are not responding to you. I have been there and can tell you that isn’t a place where you want to be at. Well Jon, it sounds like everything worked out for you and your wife, I am truly glad for you. Take care and enjoy and be prosperous…

  104. “It’s hard to understand what motivates people to do this sort of thing. Then again, I can’t understand why guys on Harleys roar by my front door without a decent muffler either. Like you say, “look what I can do”. Go figure.” ~ Rick Hendershot

    Why do they sit at a light revving the stupid things? To keep them running??? A good bike doesn’t need it and a bad bike isn’t worth the aggravation! Imagine if everyone in a car kept revving the engine at every stop!

    As for this hacker fool the best I came up with is he is working out of Saudi Arabia. I find my own servers are bombarded by Russians and Koreans the most. But it is well known that there are people in the Middle East doing everything they can to disrupt our economy in a vain, and stupid, attempt to bring us to our knees.

  105. Right now I am feeling sick to the stomach because of hackers. I had about 15 sites with one host and they were all hacked. I have had one site already deindexed! I am so worried about the others!

    I have moved hosts, but hope I am not too late. Why do people do this? I had folders uploaded to my sites, containing unpleasant material and links.

    I just hope the big host I have moved to, is going to be safer.

  106. Wow – I thought if you had Roboform or a similar product, the keyloggers wouldn’t be able to log onto your sites?

    Do you use Roboform? Just curious. What a mess, I’m sorry this happened during your anniversary.

    But great tips on blocking SSH and FTP access – I had no idea this was even possible. Thanks for the tips, you definitely have a lifer in me, John.

    Happy belated 10th!

  107. I know there is never a good time for a hacker to strike, but they always seem to choose the worst possible time.

    Recently I had a hacker break into my email account and send out an ‘I need money’ message. He also hacked into my Facebook account to send out the message there as well.

    I, too, had lots of phone calls (and emails to a different account) telling me about the problem, so I knew about it in about 20 minutes. Fortunately, he didn’t hit my websites.

    Some people just have too much time on their hands.

    Use strong passwords and use DIFFERENT passwords on all accounts.

  108. Hackers.. I hate them. I don’t know what the purpose of their hacking someone’s server or website is. They do nothing good except cause damage to someone else. I hope God gives him a lesson that he won’t anyone property again.

  109. Happy Anniversary!!!

    WOW… You are really lucky they did not go in and delete your data etc… God is good :-) … Glad to see that you got things resolved quickly and were able to enjoy your Anniversary :-) ..

    Regards,

    Kirschan

  110. I really do understand how devastating this must have been for you Jon. I actually went to check out a ticket from you and found the hacking – which I then contacted Amin Motin to tell what I had discovered. I received a quick response from Amin telling me that everything was being corrected.

    I am pleased that your 10th anniversary continued after this hiccup without a hitch.
    Kind regards
    Barbara from Down Under

  111. Hey Jon,

    What part of the Ozarks are you guys visiting? I ask because we live in the Ozarks in Branson, MO.

    I’d love to know and hope you have a great time!

    Thanks,

    Scott Raven

  112. Glad you’re sorted out now Jon – it’s a nightmare when it happens though.

    A similar thing happened to me 3 months ago when over 50 of my sites were hacked. I worked almost non-stop for 2 days (4 hours sleep only) to get everything changed and working again.

    ….hopefully never again ;o)

  113. It always amazes me what a Mac can’t handle. I’ve often wondered why anyone would even own one. LOL.

  114. Hi Jon,
    I was sorry to see this happen and sympathize with you completely, having experienced the same thing myself a couple of times. I’m pretty sure the message was up for parts of three days, and I assumed you must be temporarily out of touch not to have gotten on it right away.

    It’s hard to understand what motivates people to do this sort of thing. Then again, I can’t understand why guys on Harleys roar by my front door without a decent muffler either. Like you say, “look what I can do”. Go figure.

  115. Thanks John, this reminds me again to check my virus software…

    Just a quick question relating to your solution (“block all shell (SSH) and FTP access from all IP addresses except my own”) – could that also help for the type of hacking that I frequently read about where spammy links are inserted into header or footer files of WordPress blogs?

    Cheers

  116. Tip #1 is golden. Never thought of that. BTW, welcome back!

  117. I’m so glad everything is all worked out and working properly now. I’ve really learnt a couple of lessons from your bad experience and that is to ensure you have a good host and secure your sites. But there are good things that came out of it, at least now you know you are well-loved by your clients :P

    by the way, happy anniversary :)

  118. Darryl:

    Sadly that is not an option. The software I need is not available for my Mac (yes I own one). I have parallels, but then if I ran everything under that I’d be in the same boat anyway.

  119. Just glad you had fantastic response from your host. I was just looking for another host too so your blog is just timely. I will check them out. Thanks and keep up the good work. And enjoy your anniversary too!

  120. Another lesson in not using a mac computer, do yourself a favour buy a mac operated computer.

  121. Doing things the right way is always the best strategy.

    It’s been obvious that you have always placed your customers first, so it’s not surprising that they responded as they did.

    You are a great example and one can only wish for your continued success.

  122. Well, hopefully that little punk gets what is coming to him. And if not, I guess karma will catch up with him sooner or later…

  123. I’m so glad to hear everything has worked out Jon. I was thinking how disappointing this entire thing had to be for you and your wife on your Special Week.

    And I wondered about that last minute keyword tool you got up if somehow someone took advantage of that time to get into your system.

    I immediately did a quick Google and saw where the mutt has been very busy throughout the Internet. Sure, this is a great way to get your message across! Sorta like a thief leaving notes behind asking people to support more freedom to prison inmates!

    Welcome back.

