So, I opened up endlick.com and hoped to see some new content – ignoring the fact that I’m the only one who posts here and I sure as hell haven’t been vigilant about it – and saw some ad for insurance. endlick.com is a site where I post shitty content about computer issues and baudy tales of lust, not a site that advertises insurance plans.
Something was amiss! I put on my sleuthing hat and novelty pipe and set out to solve “The Mystery of the Shitty Website That Was Completely Fucked”.
Now, when it comes to troubleshooting, you want to determine the scope of the problem, and then isolate the issue. I didn’t follow this route because I assumed that this issue arose from me recently transferring a domain from GoDaddy to Namecheap. That domain was used for a few nameservers.
I figured that the nameservers were pointing to the incorrect place, so I started by investigating that.
My process was:
1) Visited the site on multiple devices (different networks) and via different browsers.
2) Checked other sites hosted with the same hosting company to determine which ones were affected.
3) Set the correct IP address to endlick.com in my hosts file and attempted to access the site.
4) Confirmed that the DNS was pointing to the correct place with Windows tracert.
At this point, I sat back confused. I had incorrectly assumed that it was a DNS issue, and effectively ruled it out. This is where things got interesting.
I checked what logs I could find in the hosting company’s admin panel and found that the site had no hits since August 4th. I transferred the domain around August 18th. I also didn’t realize that the site had been hijacked for more than 2 weeks.
5) This site runs WordPress, which is up to date. I checked for reported vulnerabilites in WordPress and found none.
6) In the WordPress database, I changed the template, stylesheet, current_theme columns to a different value to determine if the theme was responsible.
7) Deleted the contents in the active_plugins column to rule out plugins as the cause.
8) I commented out everything in WordPress’ index.php file to see if it would resolve the issue.
9) I created an index.html file to see if it would be accessed.
So, WordPress was not causing the issue. It wasn’t a DNS issue. It was a webserver issue. The final step was to figure out where the webserver settings were being changed.
This is using a shared server, so if the webserver’s config was compromised, a whole lot of sites would have been affected. I correctly assumed that it was running Apache, and looked for an .htaccess file. I didn’t see one. In fact, I didn’t see any dotfiles, since I was using some web admin panel which hid them.
I tried to set up ssh access, which I thought I was paying for but apparently am not. I tried to create an .htaccess file and got the error message “ERROR: Could not create file “.htaccess” in /home/myusername/public_html: File exists”
So, I poked around a bit more and found that the dotfiles could be displayed. The contents of .htaccess was just a redirect.
I updated the .htaccess file, and my site was once again appearing.
I am thinking that some outdated Flash plugin to display pictures was the attack vector. Also, I probably had .htaccess set with stupid 777 permissions since I most likely was drunk when I set this site up several years ago.
I disabled most of the WordPress plugins, and hope that the problem is now solved.