A couple of days ago I received this email from Miriam at SolasDesign and my first thought was: what rich Google irony:
I was doing a search in Google today for ‘google+ local error 500′ and one of the results Google returned was this page of your site: Google + Page ‘500 error bug’ work around.
Bizarrely, when I clicked on the link, I was redirected to a page of pornography at http://youdon’treallywanttoseeit.com. I immediately hit the back button.
Even stranger, when I re-clicked the link in the SERPs, I was taken to your page correctly. I am not terribly educated on the awful topic of hacking, and I’ve never encountered any information about something that could intermittently do malicious re-directs, but I wanted to let you know about this ASAP. I haven’t ever seen something like this happen before, but hopefully, your team can figure out if your site has been compromised in some way. So sorry about this. It’s awful.
My immediate second thought was that my down home farmland wp theme that Mike Ramsey loves so much had been hacked. When Linda Buquet and Brandon Monchamp contacted me with similar stories I was convinced of it. However none of the external malware test tools from Google or Sucuri could find anything.
I contacted Sucuri (who does a great job of site security by the way) and learned that the reality was worse. The cPanel server hosting my site had fallen victim to a new Apache kernel hack: Linux/Cdorked:
In fact, Linux/Cdorked.A is one of the most sophisticated Apache backdoors we have seen so far. Although we are still processing the data, our Livegrid system reports hundreds of compromised servers. The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis. All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren’t logged in normal Apache logs. This means that no command and control information is stored anywhere on the system.
The only tell tale signs were the external reports of redirects to porn sites on Google searches. The symptoms that Miriam described are in fact diagnostic which is my reason for sharing them here. Forewarned is forearmed. Apparently this hack “exploits the fact that cPanel doesn’t use a packaging system to install Apache”.
Hopefully you will not suffer the same fate and if you do you will know what it was quicker than I. The servers were taken down last night for the patch and cleansed. Thanks to all that alerted me to issues.Linux/Cdorked: A Nasty New Apache Hack by Mike Blumenthal