How to Thwart an Attack That Can Quickly Kill Your Business
It started with a routine check on our website (which I do every morning)… and a crazy-looking warning on our front page – the same warning that several ETR readers wrote in about. Here’s one of the e-mails we received that day:
From: Kelly Brock
Date: Sun, May 17, 2009 at 10:15 PM
Subject: Google reported your site as suspicious with malware
Hi,
Google has reported your site has been loading with malware and suspicious activities, and has blocked users from accessing it. To be on the safe side, I am not opening the link to your website till all is clear. You might want to check and clarify. Attached is the browser screen. Hope this helps.
Regards
Kelly
Our website was under attack.
I immediately started digging, and saw that certain pages of our site were trying to redirect our visitors to a Chinese site called gumblar.cn. That site then tried to pass along a virus to our visitors’ computers.
It seems that an extremely malicious Trojan/Virus had been released on the Web. ETR – along with WalMart.com and Variety.com, among others – was one of its latest victims. Colin Witucki, ETR’s Operations Manager, and I managed to eradicate the virus from ETR’s site. But this experience offers a good lesson for anyone with an Internet business.
If you take the proper precautions – like using reputable anti-virus and malware protection software – this is a one-in-a-million occurrence. And the possibility of contracting a virus is certainly not a reason to get scared away from doing business online.
But it CAN happen.
Here’s what I learned during our own battle – and how you can use it to prevent or thwart any attacks on your site…
This particular Trojan/Virus has a way of infecting a computer without being detected by anti-virus software, and it seems that one of the computers in our office had caught it. A computer can catch this electronic parasite simply by “visiting” an infected website.
It works by first infecting your computer, and then infecting your website using login credentials it steals from your FTP client. (FTP is the software used to upload pages to and download pages from your Web server.) It then begins to upload infected Web pages to your server without you knowing it!
The URL for the virus was originally several variations of gumblar.cn. It had been out for a short time – and I was aware of it – but the version we contracted was fairly new.
This malicious code started slowly and kept spreading until many of the pages on our site were infected. Though I acted as soon as I knew we had a problem, I wasn’t able to catch it in time to prevent our website from being flagged by Google and other online authorities.
Because we were flagged by Google, when people visited our website they were greeted by an ugly red sign that read: “This site has been listed as an attack site.” From that warning page, the ETR site was accessible only by clicking on the “Ignore this warning” link (which, as you can imagine, NO ONE used).
Needless to say… our website was in serious trouble. We could have been blacklisted by Google and other search engines if the problem had not been taken care of quickly.
How WE Overcame This Malicious Attack
It wasn’t easy. It took a lot of work and about five re-submissions to Google’s review board, but we managed to fend off the attack and get our website back to normal.
• The first thing we did was change ALL the passwords on every site we hosted on the server. Once they were changed, the virus had no way to upload itself to the server.
• Colin and I then ran around to every computer in the office (more than 20) and installed virus protection software called Avast! Antivirus. This was the only software we could find that detected this Trojan/Virus.
• Once everyone’s computer was clean, I proceeded to clean out the files on the server. Since the virus had randomized the malicious code (it looked completely different on every page), I wasn’t able to remove it simply by using the software. I had to go in and remove the line of code file by file. There are more than 3,000 files on our site, so you can imagine how beat I was after the first 300 or so.
That’s when I decided to try to write a small application that would do it automatically using PHP (a Web programming language). I ran my program on the server – and IT WORKED! It cleared all the malicious code on our pages. And when I submitted to Google’s review board this time (they allow a review request every eight hours or so), they finally removed the block they’d put on our site.
Thank goodness we were able to get out of this jam. Unfortunately, thousands of Websites get infected by viruses every day. That’s why we’re taking every precaution to ensure that it does not happen to us again (including some that – for security reasons – I can’t mention here).
Your first step in detecting and removing this nasty little bug (as well as just about every other worm, virus, or Trojan out there), is to install AVAST! Antivirus.
I can’t say enough about how much help this software was. It helped save our online business. Our office computers had Norton, McAfee, and AVG installed – and NONE of those programs caught this Trojan/Virus.
PLEASE NOTE: Use this PHP script at your own risk! The application worked for me – but though it was intended to remove only the malicious code, it does remove lines of JavaScript code that contain similar structures. If you do not know how to use it (there are two lines of code you need to change to suit your needs), I recommend that you hire an expert webmaster to help you.
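The file-by-file cleanup described above, and the caveat about legitimate JavaScript that looks similar, as an added PHP example that is not the author’s script: it walks the web root, reports `<script>` blocks that match several obfuscation tells, and only strips them when run with `--fix`, after saving a backup copy. The paths, the allowlist entry and the heuristics are assumptions of this example, not anything the article specifies.

```php
<?php
// Added example, not the author's script: walk a web root, flag <script> blocks that
// look like an obfuscated injection, and strip them only in --fix mode after saving
// a backup copy. WEB_ROOT and BACKUP_DIR are placeholders for your own paths.
const WEB_ROOT   = '/var/www/html';
const BACKUP_DIR = '/var/backups/webclean';
// Legitimate scripts that would otherwise trip the heuristics (the author's caveat
// about similar-looking JavaScript): a block containing one of these is left alone.
const ALLOW = ['google-analytics.com'];

function looksInjected(string $block): bool {
    foreach (ALLOW as $ok) {
        if (stripos($block, $ok) !== false) return false;
    }
    // assumed tells: eval, unescape/fromCharCode decoding, long %xx or \xNN runs
    $hits  = preg_match('/\beval\s*\(/i', $block);
    $hits += preg_match('/unescape\s*\(|String\.fromCharCode/i', $block);
    $hits += preg_match('/(%[0-9a-f]{2}){12,}|(\\\\x[0-9a-f]{2}){12,}/i', $block);
    // injected payloads were usually one very long line with almost no whitespace
    $oneLongLine = strlen($block) > 300 && substr_count(trim($block), "\n") === 0;
    return $hits >= 2 || ($hits >= 1 && $oneLongLine);
}

// Returns the suspicious <script>...</script> blocks found in $html.
function findInjected(string $html): array {
    preg_match_all('#<script\b[^>]*>.*?</script>#is', $html, $m);
    return array_values(array_filter($m[0], 'looksInjected'));
}

// Dry run by default: returns path => suspicious blocks; rewrites files only if $fix.
function scanTree(string $root, bool $fix): array {
    $report = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        if (!preg_match('/\.(php|html?)$/i', $f->getFilename())) continue;
        $path = $f->getPathname();
        $html = file_get_contents($path);
        $bad  = findInjected($html);
        if (!$bad) continue;
        $report[$path] = $bad;
        if ($fix) {   // keep a copy of the infected page before touching it
            @mkdir(BACKUP_DIR, 0700, true);
            copy($path, BACKUP_DIR . '/' . md5($path) . '.bak');
            file_put_contents($path, str_replace($bad, '', $html));
        }
    }
    return $report;
}

$fix = in_array('--fix', $argv ?? [], true);
foreach (scanTree(WEB_ROOT, $fix) as $path => $blocks)
    printf("%s: %d suspicious block(s)%s\n", $path, count($blocks), $fix ? ' removed' : '');
```

Run it without `--fix` first and read the report; any legitimate script it flags goes into the allowlist before the real pass.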
We dodged a bullet – but how will YOU fare if a virus attacks your business website?
As I said, it is unlikely that you will have a problem if you take the proper precautions. Here are the two most important things you can do:
1. Be vigilant.
This is key. I am constantly scanning ETR’s website to watch for viruses, and I check the site every day for irregularities. You should do the same. You – or your Web manager – should also keep up to date on the latest viruses and how they get access to websites. That way, you’ll be on top of them before they ever affect your site.
2. Take some easy initial steps to protect yourself.
• Make sure your FTP login information and passwords are secure. Write them down somewhere rather than saving them on your site. And give access to upload only to people who absolutely need it.
• Run a daily scan for malicious software (malware). I use malwarebytes.com.
• Install privacy software that detects and removes spyware from your site. I use spybot.com.
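For the daily check recommended under “Be vigilant”, an added PHP example (not from the original article) that catches what this FTP-based infection actually does, re-uploading changed pages, regardless of how the injected code is randomized: it records a SHA-256 baseline of the web root on the first run and reports added, changed or removed files on every later run. The paths are assumptions.

```php
<?php
// Added example, not from the original article: a daily integrity check of the files an
// FTP account can upload. The first run records a SHA-256 baseline; later runs report files
// added, changed or removed since then, which catches a re-uploaded page no matter how the
// injected code is randomized. WEB_ROOT and BASELINE are placeholders; keep the baseline
// (and this script) somewhere the FTP account cannot reach, so a stolen login cannot alter them.
const WEB_ROOT = '/var/www/html';
const BASELINE = '/var/lib/webcheck/baseline.json';

// Map of relative path => sha256 for every file under $root, sorted for stable output.
function hashTree(string $root): array {
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $f) {
        $rel = substr($f->getPathname(), strlen($root) + 1);
        $hashes[$rel] = hash_file('sha256', $f->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

// Compare the stored manifest with the current one.
function diffManifests(array $base, array $now): array {
    $changed = array_filter(array_intersect_key($now, $base),
        fn($hash, $path) => $hash !== $base[$path], ARRAY_FILTER_USE_BOTH);
    return [
        'added'   => array_keys(array_diff_key($now, $base)),
        'removed' => array_keys(array_diff_key($base, $now)),
        'changed' => array_keys($changed),
    ];
}

$now = hashTree(WEB_ROOT);
if (!file_exists(BASELINE)) {
    @mkdir(dirname(BASELINE), 0700, true);
    file_put_contents(BASELINE, json_encode($now, JSON_PRETTY_PRINT));
    echo "Baseline written for " . count($now) . " files.\n";
    exit(0);
}
$diff = diffManifests(json_decode(file_get_contents(BASELINE), true), $now);
foreach ($diff as $kind => $paths) {
    foreach ($paths as $p) echo strtoupper($kind) . "  $p\n";
}
// exit non-zero when anything differs so a cron wrapper can e-mail you the report
exit(array_sum(array_map('count', $diff)) ? 1 : 0);
```

After you publish changes yourself, delete the baseline file and run the script once more so the next day’s comparison starts from the new known-good state.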
While you shouldn’t let the threat of a virus keep you from starting an online business, it is something you should be aware of. A few ounces of prevention – and an understanding of how to thwart an attack – can help keep your website, your visitors, and your business safe.