Aug 19, 2007

Rebecca the Webmaster - BadWare Case Study

Rebecca the Webmaster - this is my story, no tears, no glory... - A StopBadWare Case Study (English version)

Introduction;
This is a success story for Rebecca and StopBadWare - no tears, no
glory! It is written by me and 'El Jart' to assist other webmasters,
in a case study format, as a step-by-step guide from a website
getting flagged by Google, not only to the lifting of the warning,
but to the added measures that will hopefully reduce the chances of
ever getting flagged again, with hidden traps for any unwary
exploiter in the future.

(Note: No staff of StopBadWare or Google was involved, and the review
process was as for any website.)

This case study is in 3 parts: the English language version (this
post), a Spanish version, and a tech version with descriptions of the
tools we used and an in-depth analysis of the code and script issues.
This is to demonstrate how a newbie webmaster, with help from the
community, can get it done; hopefully any webmaster can follow
"Rebecca's Guide".

Background;
The specific web domain itself is not relevant for this study;
however, the site is a popular Spanish language community fanzine:
news, shared stories, pictures, multimedia and an active forum. Based
in a small town in Northern Spain, Rebecca started off 2 years ago as
a forum moderator, "without even an internet connection at home, but
when she got her dial-up she was ready to get into the
administration", so "I personally decided to change the website looks,
and start spanking the others to do their job properly. The web site
really started to take off, not just the news section; the design and
all the info were starting to be what they were meant to be, then the
problems started."

Being Flagged by Google;
The Google warning story... one of the members of the site team was
testing our rank in Google when he found out we were flagged, so
that's when the story begins... May 3rd 07. We asked Google, who told
us to remove certain code and told us to ask for a review at
StopBadWare. After some time trying to clean it myself... I decided to
ask for help at the StopBadWare forum July 28th 07... Lucky me! I
found help from the community!! Now I have found out that we did get a
Google mail warning us, but I did not have access to that account
till I asked another team member for the passwords and all that stuff;
he doesn't even know how to enter that account. I'm not blaming
him for that, so I'm not sure for how long we were flagged 'till May
3rd. Having requested a review, the Google flag was cleared August 2nd
07... Happy team, site, and users.

How we fixed it;
The first strange stuff I could see, after reading the StopBadWare
guidelines, was a reference in the HTML index page to an iframe .....,
relating to some .swf and 'RuneScape', and as we do not have such
files on the site I just deleted it, but I was not sure if that was
it.

I found out it is used by hackers to trick users into downloading
malware from a fake Adobe Shockwave Player download site. Prospective
users who stray onto a game site are presented with broken icons in an
attempt to convince them that their copy of Shockwave (if already
installed) isn't working properly.

Then we found another iFrame, src "quickcnt", a hidden iFrame in a
file called "index.php" in the Administracion directory, so we got
rid of that too, along with two other .swf fake player downloads. OK,
I thought this was all done, until 'Jart' told me to search all the
server log files for strange activity on the site; after he found them
for me, he was right! Lots of funny IP addresses (web bots) coming to
call, linked to the stuff I had got rid of, but also to the forum.

So I went to work on the phpBB forum, cleaned off any spam, and banned
all the IPs and domains linked to the spam and the logs. We then also
added a 'robots.txt' especially for the forum and patched various PHP
files for the forum.

Finished, I thought; then 'El Jart' asked me about the SQL database
files, and I did not even know where they were. So Jart pushed me
again (El Jart can be more Bad than the BadWare!), and what did we
find? A forum that I did not even know existed. This had SQL
injections, with only spam addressed to bad websites. Also
administrators with passwords for the whole site, who had nothing to
do with the site, and spam that attached itself to any proper post on
the real forum. This is how we got hacked in the first place, and if
we had not dug down deep enough, we could have easily been infected
again.

Conclusions and a happy ending;
When we first found out we were flagged by Google I was frustrated,
and after getting rid of the first bad iFrame, I was annoyed we had to
wait. Thanks to the StopBadWare forum for really finding out what was
wrong and really fixing it; I can only tell any other webmaster it was
worth the wait.

So check your website if you get flagged, or even better, check your
website before you get flagged. Check:

1. For any iFrame code, especially where it has the name of a website
you do not know, and says "hidden".

2. In any PHP or other files for the same, as well as for any calls
for downloads of multimedia players, PDFs, or other files you do not
recognize.

3. Look at your server log files, for all contact with your web site
is recorded in them; it might take a bit of learning but it is worth
it.

4. Check your database files (SQL) for anything unusual.

5. Go to the StopBadWare forum and ask, I did and it helped me. For a
little more practice, El Jart is going to take me on some of his next
"help visits" then I will assist other webmasters!
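As an added example (not from Rebecca's post, her site, or the StopBadWare forum), here is a small Python script that automates checklist items 1 to 3: it flags hidden or foreign iframes, flags player/PDF downloads pointing off-site, and counts which IPs in the server log requested the paths tied to the removed code. The sample page, log lines, host names and the TRUSTED_HOSTS allowlist are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample index page and log lines; none of this is from the real site.
SAMPLE_HTML = """<iframe src="http://www.example.com/forum/latest.php" width="600" height="200"></iframe>
<iframe src="http://unknown-host.invalid/counter.php" width="0" height="0" style="visibility:hidden"></iframe>
<a href="http://unknown-host.invalid/player/shockwave_update.swf">Update your player</a>
<object data="/media/local_clip.swf"></object>"""
SAMPLE_LOG = """203.0.113.5 - - [01/Aug/2007:10:00:01 +0200] "GET /Administracion/index.php HTTP/1.1" 200 512 "-" "bot/1.0"
203.0.113.5 - - [01/Aug/2007:10:00:02 +0200] "GET /foro/posting.php HTTP/1.1" 200 2048 "-" "bot/1.0"
198.51.100.9 - - [01/Aug/2007:10:01:00 +0200] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""
TRUSTED_HOSTS = {"www.example.com"}  # assumed: the site's own host(s)

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
URL_ATTR_RE = re.compile(r"""\b(?:src|href|data)\s*=\s*["']?([^"'\s>]+)""", re.I)
# "hidden" styling or a zero-sized frame: nothing a visitor is meant to see
HIDDEN_RE = re.compile(r"""visibility\s*:\s*hidden|display\s*:\s*none|\b(?:width|height)\s*=\s*["']?0\b""", re.I)
DOWNLOAD_EXT = (".swf", ".exe", ".pdf")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')  # Apache combined log

def foreign_host(url, trusted):
    """Hostname of an absolute URL if it is not one of ours, else None."""
    host = urlparse(url).hostname
    return host if host and host not in trusted else None

def scan_html(text, trusted=TRUSTED_HOSTS):
    """Checklist items 1 and 2: hidden/foreign iframes and off-site player downloads."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs = m.group(1)
        src = URL_ATTR_RE.search(attrs)
        url = src.group(1) if src else ""
        if HIDDEN_RE.search(attrs):
            findings.append(("iframe", url, "hidden"))
        elif foreign_host(url, trusted):
            findings.append(("iframe", url, "foreign"))
    for m in URL_ATTR_RE.finditer(text):
        url = m.group(1)
        if url.lower().endswith(DOWNLOAD_EXT) and foreign_host(url, trusted):
            findings.append(("download", url, "foreign"))
    return findings

def suspicious_ips(log_text, removed_paths):
    """Checklist item 3: requests per IP for the paths that belonged to the removed code."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(2) in removed_paths:
            hits[m.group(1)] = hits.get(m.group(1), 0) + 1
    return hits
```

Run `scan_html` over each HTML/PHP file in the web root and feed the paths you cleaned up to `suspicious_ips`; the IPs it returns are the candidates for the ban list and for a closer look in the rest of the log.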

So in all, "a few tears but a lot of glory". One further happy ending
is that Jart showed me how to add a few further "patches", which he
made me promise not to tell anyone about, but apparently they are
"BadWare Hacker" traps: if someone tries to hack our site again, their
"bot" goes back to its dark place with a bad headache ;-)
Hope this helps others.

Rebecca AKA "The BadWare Avenger" & with an El Jart assist.
