It all started one morning with a worrying email subject line: ‘Your portfolio page may have been hacked’. Inside was an unsolicited message from a friendly web developer, letting me know that my website’s usual portfolio page seemed to have been replaced by some offensive adult content. Not what I wanted to hear. 

After a short period of panic, I pulled myself together to investigate. At first glance, nothing was out of the ordinary. My copywriting website looked normal.

But when I tried some experimental Google searches, I got a nasty shock. Although you could access my website fine by typing in the address, visitors clicking through from Google were being redirected to another site, where they’d see some entirely different and wholly inappropriate content.

The .htaccess hack

I had fallen victim to one of the most basic website hacks out there. Someone or something (perhaps an automated hacking script), had altered the settings in my website’s .htaccess file so it maliciously redirected visitors to the dodgy site.

The way it had been done meant that only visitors arriving from search engines would see the dubious website. If you typed in the URL then the site looked fine – so at first glance it wasn’t obvious anything was wrong.

Of course, if I’d used StopTheHacker Malware Protection then I’d have seen the issue straight away. The malware would even have been removed automatically, keeping me safe the whole time. But as it was, I only found out because a kind-hearted visitor emailed to let me know.

I was aware how lucky I was. Had the problem gone undetected, I would almost certainly have been blacklisted by Google, leaving me struggling to find new clients.

Getting things fixed

With the problem identified, it was easy to log in to my web hosting and remove the dodgy code. My website uses WordPress, so resetting passwords and deleting a suspicious username seemed to prevent the dubious code being reinserted.

But even though I managed to address the most pressing problem, it was hard to be certain I’d eliminated all traces of the hack. As I rely on my website to promote my services and bring in business, it wasn’t something I wanted to leave to chance. As a result, I spent most of the rest of the day running the site through security scanning tools, installing and updating plugins and reading up on WordPress issues. But even then, I wasn’t convinced my skills were a match for a determined hacker. I could easily have missed something.

That was when I decided to bring in the professionals. They were able to delve deeper into my site, cleaning up other traces of the breach and giving me pointers to stop it happening again. Phew.

Security breaches cost you

I’m well aware that I got off lightly this time round. The whole situation could have been an awful lot worse.

Yet even this minor security breach cost me. I spent about a day setting things straight, and had to pay the developer to investigate in more depth. What’s more, I’ll never know how much business I lost because potential clients were seeing offensive content instead of my amazing portfolio.

As a result, I now have a much more proactive approach to security, with monitoring my website for malware, backups and updates all taking place regularly. I urge you to learn from my mistakes and do the same. Because if you don’t, one day you might receive a worrying email, just like I did.

• Phishing Page Detection
• PHP Spam Shell Detection
• Webpage Defacement Detection
• Insecure Folder Permissions Detection
• .htaccess Hack Detection
• Website Error Reporting

For detailed information on the individual features, please check out our Feature page

The new server-side scanning is visible in your dashboard directly in the dashboard overview within the “Malware Detection” section. You now there can see an additional pie chart named “Server” as well as two indicators for redirects and phishing pages.

Clicking on the “Action+” button brings you to the detailed report for the malware detection, which is now also divided into server and application level malware scans. A click on the “More details” next to each scanned part brings up even more details on the scan.

To activate the server-side scanning for your domain (if eligible) select the domain you want to set-up the server-side scanning for. Then click on the “Service Settings” navigation point on the left hand in the side menu below the selected domain.

You can chose either to enter your FTP or SSH information, or booth.  The tab for the FTP information is pre-selected. Enter the FTP information including the target FTP domain, like ftp.mysite.com, the port (usually 22) and your login information (username and password).  When setting up the server-side scanning you also automatically set-up your automatic malware removal feature (if eligible) which uses the same information. For the automatic malware removal please select if you would like StopTheHacker to automatically go into your site and remove malware whenever found (default), or not.

To enter your SSH credentials, simply click on the tab “SSH Settings” and fill the requested information, including Hostname, Port and Username and Password and confirm this by clicking the button “Setup)

Note: You may not have access to this tab if your account has been set up by a partner of StopTheHacker. In this case, please contact the company who set up your account at StopTheHacker or contact support@stopthehacker.com.

Microsoft has announced yesterday via its Security Response Center blog that it has been attacked and hacked with methods similar in nature to those experienced by Apple and Facebook recently. All attacks were perpetrated by utilizing a zero-day Java vulnerability.

Microsoft reported that a small number of its computers, including some in its Mac software business unit, were infected with malware. Microsoft further said there was, so far, no evidence of customer data being affected and that it is continuing its investigation.

Here is the full announcement from Microsoft:

As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion.

Consistent with our security response practices, we chose not to make a statement during the initial information gathering process. During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected and our investigation is ongoing.

This type of cyberattack is no surprise to Microsoft and other companies that must grapple with determined and persistent adversaries (see our prior analysis of emerging threat trends). We continually re-evaluate our security posture and deploy additional people, processes, and technologies as necessary to help prevent future unauthorized access to our networks.

Make sure the same doesn’t happen to your website, blog or online-shop and protect it with StopTheHacker malware detection.

Wired reports passwords were not part of the breach but that some customers may have also had their phone numbers revealed during the hack. Tumblr, Pinterest and Twitter already have notified the affected users. So far neither Twitter, Pinterest nor Tumblr are aware of any user accounts that were compromised by the attack.

Here is the original blog post from Zendesk:

“We feel that it’s important our customers receive an update from us on a recent security situation. We have an investigation underway and do not have the answer to every question.

We’ve become aware that a hacker accessed our system this week. As soon as we learned of the attack, we patched the vulnerability and closed the access that the hacker had. Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system. We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines. We notified our affected customers immediately and are working with them to assist in their response.

We apologize to our customers and to their users.

Our investigation thus far has revealed that no other Zendesk customers (or their users) were affected.

We’re incredibly disappointed that this happened and are committed to doing everything we can to make certain it never happens again. We’ve already taken steps to improve our procedures and will continue to build even more robust security systems. We will continue to diligently work with our affected customers to mitigate any impact.

We are also completely committed to working with authorities to bring anyone involved to justice and make certain we fully understand what happened. As this process unfolds, we aim to update our customers in as transparent and timely a manner as possible about new developments.”

Clean server and take back-up

Always begin by removing all files from the server. Wiping the server clean is meant for the malware infection not getting multiplied. Remove the files and take a local backup.

Review recent files

Review files that were recently time stamped in the last 48-60 hours. A line of code such as “eval(gzinflate (base64_decode indicates the website enduring malware attack. The line of code is inserted at the top of each web-page in any header files and template index. The worst case scenario has witnessed the code being inserted along every file on the server. A hard job though, but eval(base64) needs to be instantly deleted to ensure malware is removed from the Joomla website.

Check your .htmaccess file

.htmaccess file is vulnerable to malware attacks and commonly encountered. Hackers use it to redirect your Joomla web page to their own site. Check for any line or a string function ‘gzuncompress’ that should not have been here. It won’t be a difficult process for you to detect the function that wasn’t written by you to create the website. Set the .htmaccess file permission to 444.

Change FTP accounts

Quickly modify your FTP account details.FTP accounts are most vulnerable to external attacks that may cause hijacking your website. Hackers, find it easy to access information by exploiting FTP accounts information that hasn’t been updated for long. Also, the system that was used to develop the website should be regularly scanned with anti-viruses. A system deeply infected with virus will assist the hacker in stealing your FTP details.

Remove default conventions

The first attempt by an attacker to hit your Joomla website would be to gain access to your administrative accounts. Most developers continue with default conventions (such as administrator for Joomla) which make it easier for the attacker to pursue his job at an early stage. Always change usernames from default to a customized ones that you can remember. This will make it mind throbbing for the attacker to pick usual user names.

Install plug-ins

Also, make it a point this time to embed plug-ins on the login page. The application will restrict the number of login attempts. If the hacker tries to implement several permutations to get into your website, he will be debarred from making more attempts, leaving him frustrated and helpless.

Change Admin URL’s

The common problem with a modern content management system such as Joomla is that the default admin URL they provide is left unchanged when your Joomla site goes live. This makes it easier for the hacker to track the admin page. Changing standard Admin URL’s to customized ones. This will betray the hacker, by removing existing malware from your site and also ensuring fortification against further injections.

Also ensure the admin URL is not indexed by any search engine. If it does, disabling the disallow line from your rorbot.txt file and check that the link is not present in the sitemap.

Check comments

While many comments indicate good web traffic, they can be troubling at times. Comments are highly vulnerable to cross site scripting (XSS).

Disable direct publishing of comments. Introduce screening by admin before publishing. Convert comments to HTML coding to remove spammers and malware. Also, using certain commenting applications such as ‘Discuss’ would be helpful.


If you find this article interesting you also may want to check out the following blog articles: “Removing Malware from a WordPress blog” and “Consequences of your website being blacklisted by Google”.

Let us know what you think and want to learn about website security and malware! Connect With us on Google+ , Twitter and Facebook or even LinkedIn!

Key features of Version 3.7 incorporate extensive improvements designed to go even beyond the standard approach of website security:

• Detection of phishing pages to prevent hackers from using customers’ accounts to commit financial fraud.
• Detection of hidden spam shells, preventing hackers from using web hosting accounts as a spam bot in order to send email spam.
• Detection of hidden php shells, identifying if hackers are using web hosting accounts to steal sensitive data and infect websites with malware.
• Detection of permission issues. Secure permissions ensure that only the customer has protection and access to their data.
• Detection of website defacement, identifying when hackers deface websites and initiating the action to be taken to restore the website.

Server-Side scanning is now automatically available in all Professional and higher Editions. We just made your website safer!

More information on the new features

Malware removal can be approached systematically by adhering to a set of steps that reverse the attack procedure.

• Scrutinize your file stamps
• Review suspicious files and examine them
• Identify the loophole in you firewall that let the intruders in
• Clean your .htcaccess file

Depending on the size of your website and the number of sites hosted on the server in question, the implementation of the above osCommerce malware removal steps will vary in intensity.

Scrutinize your time stamps

In this step, you should look for files that were most recently modified before things went haywire and making them for inspection. A good range of time to dig into is up to 48 hours after the attack became manifest.

A simple way to do this is by using ‘eval’ commands that sort of treat strings as numbers and do mathematical computations with them. Though dumb, this can be applied in the identification of specific code snippets in your files.

Review suspicious files

After the above step of identifying recent stamped files is over, the next step is going through each file to identify patterns and alteration characteristics that are not in the way you do things at your firm. Under most circumstances, malware removal depends on the fact that an attacker will never have the trademark touch that the inside team has in doing things, unless it was an inside job.

The most common alterations that should be looked for are in the alteration of file code, made either at the start of the scripts or at random places. Such code alterations, though simple can give the attacker access to your system or totally crash your servers and the only option out is deleting such lines of code.

Though this might sound simple, it is not. Most server files are encrypted using some format with a common one being the base64 encryption. A good Base64 Decoder will do the task well for you. (Encoded lines start with eval(gzinflate(str_rot13(base64_decode).

Identify the loophole in the firewall

After the corrupted files have been successfully corrected, the next thing you should think of is the identification of the window through which the hacker accessed your system. Though this might be tedious, especially if you are dealing with an expert, it is something that must be done if you totally want to lock the hacker out.

The easiest way to find them is by looking for script files uploaded to your upload file or image folder and any other sections that can allow files to be uploaded to. (They vary depending on the Content Management System you are using). Going through these files will give you ideas of how the criminal got into your system and then shut the loopholes.

Reset the .htaccess files

The most common way that malware attacks take shape in is through the redirecting of your whole website to another hosting place. To counter this reset the pointers back to your server to ensure that phishing is totally eradicated.

Malware removal is therefore not an easy task to approach on your own especially if you have a heavily loaded server to deal with. There however always is the option of contacting experts to do the job.

If you find this article interesting you also may want to check out the following blog articles: “Removing Malware from a WordPress blog” and “Consequences of your website being blacklisted by Google”.


Let us know what you think and want to learn about website security and malware! Connect With us on Google+ , Twitter and Facebook or even LinkedIn!

The Parallels team has put together a great lineup of keynote speakers, breakout sessions and networking opportunities. By gathering the brightest and most innovative minds in the industry, Parallels Summit makes it easier for service providers to make important connections – to network with their peers, discover the latest solutions, gain insight from industry experts, move their business forward, and profit from the SMB cloud – all in just a couple of days because the entire ecosystem will be there. A brief overview of the agenda is available here

We would love to meet you! Visit us at Booth #213 to:

• Find out about new exciting ways to turn your support costs into recurring revenue by offering website security.
• Find out how StopTheHackers Certified APS Package helps you launching easy and fast.
• WIN some awesome prizes. Come to our Booth #213 to find out more.
• Have interesting talks, insights and trends of website security with us.
• Have fun!

We have a special registration code you can use to register for this event. Using StopTheHacker sponsor code ATGNAE8A will enable you to and save on your registration if you complete your registration by February 1.  We hope you’ll join us to advantage of this opportunity – to listen and learn, to ask and discuss, to strategize and grow. 

Join us at Parallels Summit 2013. We look forward to seeing you in Las Vegas!

While we revel in the merry spirit of Christmas as the year ends, somewhere in this world there is a large group of menacing Grinchs that are having a little celebration of their own. However, it is not because they have come up with yet another plan to steal Christmas; it is but due to the fact that they have spent all of last year stealing something which has been a lot more worth their while.
These data stealing Grinchs seem to have had a ball with the latest technology in the year gone by as they have gone around lifting confidential data off people’s systems and websites with their hacking and malware tools; and it certainly does not end at that.
Their stealthy activities have just taken a start and it seems like they are set on taking advantage of their newly found charade to the maximum before calling it quits. While it is next to impossible to make them give up on the entire idea, there is a lot that we can do in order to shield ourselves from their devious attacks.

View our infographic to educate yourself regarding the trend of their activities in the past one year so that you can better protect your system.

Source: MobiStealth.com

An introduction to SSL

There is still much confusion surrounding the trust and security of websites, but when building a web application that deals with any personal data, security is the first priority.  SSL provides a safe form for the transmission of data – like transferring a message inside a locked safe.

The Secure Socket Layer (SSL) and Transport Layer Security (TLS) is the most widely deployed security protocol used today.  Technically, SSL is a transparent protocol which requires little interaction from the end user when establishing a secure session.   In the case of a browser for instance, users are alerted to the presence of SSL when the browser displays a padlock, or, in the case of Extended Validation SSL, when the address bar displays both a padlock and a green bar.  This is essentially the key to the success of SSL, as it is an incredibly simple experience for website visitors.

SSL Certificates are small data files that digitally bind a cryptographic key to an organisation and/or website owner’s details.   When installed on a web server, it activates the padlock and the https protocol (over port 443) and allows secure connections from a web server to a browser.  Typically, SSL is used to secure credit card transactions, data transfer and logins, and more recently is becoming the norm when securing browsing of social media sites.

Which SSL Certificate should you choose?

One of the difficulties for almost every webmaster/IT department today is deciding which type of SSL Certificate to purchase and they are commonly faced with the battle of restricted budgets versus actual requirements.  However, just like the old saying “Quality over Quantity”, is it worth compromising on security for the lower spend, when paying that bit extra for an Extended Validation (EV) SSL Certificate can give you a high level of trust and assurance than standard SSL Certificates.

With all customer facing websites, GlobalSign highly recommends using a high assurance Extended Validation SSL Certificate (more commonly known as EV SSL), which is instantly recognisable and assures visitors the website is provided by a legitimate company and can be fully trusted.  It helps to prevent against phishing attacks, copy-cat websites, we well as increases trust and brand reputation, often leading to reduced shopping cart abandonment rates and increase revenue!

Which Certificate Authority should you choose?

Unlike many CAs and SSL providers, GlobalSign prides itself on understanding SSL and what people need for the most effective use of SSL; which includes speed, reliability and on-going security checks for their webserver.

Through numerous key partnerships and development of innovative solutions, GlobalSign now provides the Fastest SSL in the industry (up to 6 times faster than other SSL providers), due to its collaboration with CloudFlare to speed up the SSL “handshake” (called an OCSP response).

GlobalSign also includes a portfolio of post SSL checks for the lifetime of the certificate after it has been issued, including Malware Monitoring powered by StopTheHacker to detect malicious injection of code into a site, a Phishing Alert Service in partnership with Netcraft, to detect any pages that might be hosting a potential phishing attack, as well as an advanced SSL Configuration Checker Tool  to ensure your SSL Certificates have been configured correctly on your server; examining over 30 common server configuration issues with detailed guides on how to rectify problems.

To find out more about GlobalSign’s range of SSL Certificates please visit: http://www.globalsign.com/SSL