Red alert!

At 3AM on this past Sunday morning, warning bells began sounding at the Groton Pixel farmhouse. One after another, client site scanners emailed their alerts to the mobile phone on my nightstand. I woke to a long list of pages and plugins with links to suspected malware URLs.

[Image: alarm bells] Imagine this, but as an app.

The internet is constantly under attack by spammers, hackers, script-kiddies, and malicious bots. Most sites get pinged by at least a few of them every day.

Some are automated systems doing a drive-by to look for careless vulnerabilities. Some are teens from Brazil or Ukraine, the digital equivalent of graffiti artists, looking to tag more websites than their buddies can. Some are hackers with an agenda, looking to shut down online voices they dislike or disagree with.

But the worst of the lot are thugs who want to turn your computer into their spam-distribution center, your website into their virus-distribution center, and your identity into their profit center.

Having a large number of suspected malware links suddenly appear in the middle of the night is a very bad sign, but worse would be to have an infected site and not know about it at all.

With all the sites I design, I take steps to keep the bad guys out, to raise an alarm if any get through, and to reverse any damage that might be done. Catching the break-ins early is vital, because a malware-infected website will be flagged by the search engines and removed from their listings. Users who attempt to visit the site may be blocked by their own browsers with a scary warning page identifying the site as infected or suspect. If an infected page isn’t disinfected and restored before it gets blacklisted, that entire site may be blocked for years by safety filters on school, library, and workplace computer networks.

So early on Sunday morning, I was under the gun.

Having so many bad links on so many unrelated sites was something I’d never experienced. Was it an infestation? Had the servers been compromised?

Some of the suspect URLs were spammy comments on blog entries–easily deleted, with future occurrences prevented by filter settings and CAPTCHA–but other suspect URLs seemed to be legitimate page content. Had somebody done a search-and-replace on links stored in the database? There was no way to tell where the links were even going to, because they had been obscured with a popular URL-shortening service.[1]

[Image: malware warning] Be afraid. Be very afraid.

The fastest way to tell if this were a genuine problem would be by clicking on a few of the suspect links. If my browser landed on a page that gave me a computer virus, I’d have my confirmation. I almost did it too, that early in the morning, before a cup of coffee to knock some sense into me. I had a cursor poised over one of the links for a few seconds before I pulled myself back from the brink.

Instead, I kept plugging away. And speaking of plugging, some of the suspect URLs were within plugin files on the administrative side of the websites–the part that ordinary users never get to see. Why would a hacker put a link into the readme file of a plugin folder that nobody gets to click? Had the plugins themselves been compromised? Were they providing somebody with a backdoor into the application itself?

It was curious that all the suspect links were obscured by the same URL-shortening service. As it turned out, that was the key, because it was that service which had been temporarily flagged by the malware detectors at Google and Firefox.

The issue was already being discussed and debated on security forums across the internet. Lots of webmasters were experiencing the same problem, sharing their results, and coming to the same conclusion. Our sites had not been compromised. Our links were safe. No further action was required.

The problem was soon resolved by the URL-shortening service, and most users never realized there had ever been a problem.

The web was safe again…at least for now.

[1] Here’s something fun I’ve learned this week: Add a + onto the end of any shortened URL and you will be taken to an intermediary page on the site, identifying the target page and some statistics about the link. That’s a good way to check any such link without endangering your computer, and would have saved me a bit of time on Sunday.
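Here is a small script, added as an example and not part of the original post, that does the two safe checks the footnote points at: it builds the shortener's "+" preview address, and it sends a single HEAD request to the short link and reads the Location header without following it, so the browser never lands on the destination. It assumes the shortener exposes a "+" preview page as described above; the hostname shrt.example and the sample headers are constructed for illustration.

```python
"""Inspect where a shortened URL points without visiting the target."""
import http.client
from urllib.parse import urljoin, urlsplit, urlunsplit

# HTTP statuses that carry a Location header we care about.
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def preview_url(short_url: str) -> str:
    """Return the shortener's '+' preview page for a short link.

    Assumes the service exposes such a page when '+' is appended to
    the path, as the footnote describes. Already-suffixed links are
    returned unchanged.
    """
    parts = urlsplit(short_url)
    path = parts.path.rstrip("/") or "/"
    if path.endswith("+"):
        return short_url
    return urlunsplit((parts.scheme, parts.netloc, path + "+",
                       parts.query, parts.fragment))


def redirect_target(status: int, headers: dict, base_url: str):
    """Given a response's status and headers, return the absolute
    redirect target, or None when the response is not a redirect.

    Relative Location values are resolved against the short URL, and
    header names are matched case-insensitively.
    """
    if status not in REDIRECT_STATUSES:
        return None
    lowered = {name.lower(): value for name, value in headers.items()}
    location = lowered.get("location")
    if not location:
        return None
    return urljoin(base_url, location)


def destination_host(short_url: str, status: int, headers: dict):
    """Return just the hostname the short link would send a visitor to,
    which is what you want to compare against a blocklist or your own
    expectations before anyone clicks."""
    target = redirect_target(status, headers, short_url)
    return urlsplit(target).hostname if target else None


def resolve_one_hop(short_url: str, timeout: float = 5.0):
    """Send one HEAD request and report the Location header without
    following it. This is the only function that touches the network
    and it is deliberately limited to a single hop."""
    parts = urlsplit(short_url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return redirect_target(resp.status, dict(resp.getheaders()), short_url)
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample: what a shortener's HEAD response might look like.
    sample = "http://shrt.example/abc123"
    sample_headers = {"Location": "http://destination.example/landing"}
    print("preview page:", preview_url(sample))
    print("points to host:", destination_host(sample, 301, sample_headers))
```

Run the offline part as-is; to inspect a real link, call resolve_one_hop on it and look at the returned host before deciding whether to open anything.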

Posted in Security