<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Hacked Info &#187; Hacked Stories</title>
	<atom:link href="http://www.hackedinfo.com/category/hacked-stories/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.hackedinfo.com</link>
	<description>Hacking Information - The Security Blog</description>
	<lastBuildDate>Thu, 03 Sep 2009 14:57:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Webmasters misery after the website got hacked; Google sandbox, Hosting dismissal and much more</title>
		<link>http://www.hackedinfo.com/2008/12/webmasters-misery-after-the-website-got-hacked-google-sandbox-hosting-dismissal/</link>
		<comments>http://www.hackedinfo.com/2008/12/webmasters-misery-after-the-website-got-hacked-google-sandbox-hosting-dismissal/#comments</comments>
		<pubDate>Fri, 19 Dec 2008 13:21:23 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Hacked Stories]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[adsense]]></category>
		<category><![CDATA[blacklist]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[hacked]]></category>
		<category><![CDATA[sandbox]]></category>
		<category><![CDATA[website]]></category>

		<guid isPermaLink="false">http://www.hackedinfo.com/?p=246</guid>
		<description><![CDATA[Hello, I run a website on graphic design, greeting cards and website design. Most of the items are free for visitors and I make my money from advertising using AdSense. It was not a huge amount, but it sufficed to cover all my hosting and domain expenses.  It was going fine till a few months back. One [...]]]></description>
			<content:encoded><![CDATA[<p>Hello,</p>
<p>I run a website on graphic design, greeting cards and website design. Most of the items are free for visitors and I make my money from advertising using AdSense. It was not a huge amount, but it sufficed to cover all my hosting and domain expenses.</p>
<p>It was going fine till a few months back. One day I noticed a huge surge in my AdSense revenue, which was almost 6 times the normal. I was wondering how, but was quite happy. It lasted for 4-5 days and finally, one day, it went all the way down to zero! I checked the website to see if something was wrong and found that my site had been removed and my hosting provider had put up a notice asking the site owner to contact them. I thought I had run out of my monthly download limit or something and quickly called them up.</p>
<p>I was shocked when they informed me that they took my site offline as I was using the website for sending spam email to others. They received complaints from other ISPs and decided to take my site offline. I had a hard time convincing them that it was neither me nor done with my permission. Finally I got help from their technical department, who agreed to check the server logs and analyze them for me. As I had no access to the site, I couldn’t do anything. After a few hours they informed me that some spammers were using my site to spam millions of others using a security loophole in my PHP script. They identified the IP address and traced it back to Tehran. The host emailed me the log file for the last 48 hours for my analysis.</p>
<p>I contacted one of my friends who did the PHP scripting for my site. He quickly figured out that it was an XSS security issue in my script and came up with a solution. I went back to the hosting provider and literally begged for FTP access to host the patched file. After a day or so they agreed to give me access to my website on the condition that I would not host the infected PHP script anymore.</p>
<p>I thought it was done, but it wasn’t. Major email providers like Hotmail and Yahoo blacklisted my site for spamming. (To my surprise, Gmail didn’t.) The greeting card sending functionality of my site was almost down, as the script couldn’t deliver the emails, not even to the spam folder. Hotmail and Yahoo simply trashed the emails, considering them spam. I wrote to the customer support guys at Microsoft and they asked me to add SPF records to my domain. Yahoo never responded to my queries. I did everything I could possibly do, but haven’t been able to restore the IP reputation to normal till now.</p>
<p>That’s not all; the worst was not yet over. About two or three weeks after this incident, Google blacklisted my site (People call it sandboxed), saying that my site hosts malware. After an inspection I found that it was true, and found a ‘text file’ with some PHP code in one of my image folders. My friend checked it and said it was a simple PHP script dropped by the attacker, who might be using it to conduct XSS attacks on other sites. I removed the rs9.txt file from the image folder and applied for re-inclusion. I never got any reply, but the site was back on the listing after a few weeks. Thank you, Google.</p>
<p>All in all, I spent more than two months bringing the full site back online, and even then not completely. From this I learned a lesson: whenever there is a quick surge in my visitor count, I look for the reason and analyze the logs for any type of malware. That is the importance of log analysis.</p>
<blockquote>
<div>Author : Anurag Agarwal, India</div>
<div>Payment status : In progress</div>
<div>This story is sent by the author in reply to </div>
<p><a href="http://www.hackedinfo.com/ever-been-hacked-share-your-experience-for-10/">http://www.hackedinfo.com/ever-been-hacked-share-your-experience-for-10/</a> . Send your stories too.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.hackedinfo.com/2008/12/webmasters-misery-after-the-website-got-hacked-google-sandbox-hosting-dismissal/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hacked by computer instructor in a school network</title>
		<link>http://www.hackedinfo.com/2008/12/hacked-by-computer-instructor-in-a-school-network/</link>
		<comments>http://www.hackedinfo.com/2008/12/hacked-by-computer-instructor-in-a-school-network/#comments</comments>
		<pubDate>Sun, 14 Dec 2008 05:39:12 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Hacked Stories]]></category>
		<category><![CDATA[Trace it]]></category>
		<category><![CDATA[computer]]></category>
		<category><![CDATA[email hacking]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[packet sniffing]]></category>
		<category><![CDATA[school]]></category>

		<guid isPermaLink="false">http://www.hackedinfo.com/?p=235</guid>
		<description><![CDATA[I am Jamil Ahmed from Aden, Yemen and a native of Pakistan. I studied computers in Yemen for a few months, back in 2006. A strange thing happened during my study there. I would like to share the experience with you on how I managed to figure things out. I studied computer at a near [...]]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal">I am Jamil Ahmed from Aden, Yemen and a native of Pakistan. I studied computers in Yemen for a few months, back in 2006. A strange thing happened during my study there. I would like to share the experience with you on how I managed to figure things out.</p>
<p class="MsoNormal">I studied computers at a nearby computer center and the lab instructor often amazed me by hacking into my email every time. I tried all possible tricks I could. I changed the password once a week, used the most complicated password, never typed in front of him, checked the computer for a keylogger as per my friend’s advice, etc. Nothing could stop my instructor from hacking into my email, even when the password was new.</p>
<p class="MsoNormal">I was wondering what to do. I was almost sure that somehow he was managing to spy on the computer that I was using. But how was it possible? It’s not a virus; it’s not a Trojan; it’s not any remote screen-capturing system, as I checked the computer meticulously.</p>
<p class="MsoNormal">Then one of my friends told me it’s because you are using the school network. Your instructor is sniffing the network packets and finding out the password. I decided to have a check on the same. I asked my friend to start an email address for me from Pakistan. I never tried to open the email from the school network. As we expected, he was not able to find the password for that address.</p>
<p class="MsoNormal">A few months later, in a casual chat with my instructor, he admitted that it was indeed a network packet-sniffing program. I forgot the name of the software, but through it he was able to monitor each and every conversation that we had from the lab. He was given specific instructions by the principal to monitor this due to security constraints. He installed the software on the school proxy server and managed to hack into all the school computers.</p>
<p class="MsoNormal">Ever since then, I am very cautious in using any school or office network for personal use.</p>
<blockquote>
<p class="MsoNormal"><span>Written by : Jamil Ahmed, Yemen<br />
Date: December 14, 2008<br />
Payment status : Paid via paypal on December 18, 2008</span></p>
</blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.hackedinfo.com/2008/12/hacked-by-computer-instructor-in-a-school-network/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
