Hello,
I run a website on graphics design, greeting cards and website design. Most of the items are free for visitors and I make my money from advertisement using AdSense. It was not a huge amount but it sufficed to cover all my hosting and domain expenses.
It was going fine till a few months back. One day I noticed a huge surge in my AdSense revenue, almost 6 times the normal. I was wondering how, but was quite happy. It lasted for 4-5 days and finally one day it went all the way down to zero! I checked the website to see if something was wrong and found that my site had been removed and my hosting provider had put up a notice asking the site owner to contact them. I thought I had run out of my monthly download limit or something and quickly called them up.
I was shocked when they informed me that they had taken my site offline because I was using the website for sending spam email to others. They had received complaints from other ISPs and decided to take my site offline. I had a hard time convincing them that it was not me, nor done with my permission. Finally I got help from their technical department, who agreed to check the server logs and analyze them for me. As I had no access to the site, I couldn't do anything. After a few hours they informed me that some spammers had been using my site to spam millions of others through a security loophole in my PHP script. They identified the IP address and traced it back to Tehran. The host emailed me the log file for the last 48 hours for my analysis.
I contacted one of my friends who did the PHP scripting for my site. He quickly figured out that it was an XSS security issue in my script and came up with a solution. I went back to the hosting provider and literally begged for FTP access to upload the patched file. After a day or so they agreed to give me access to my website on the condition that I would not host the infected PHP script anymore.
I thought it was done, but it wasn't. Major email providers like Hotmail and Yahoo blacklisted my site for spamming. (To my surprise, Gmail didn't.) The greeting card sending functionality of my site was almost down, as the script couldn't deliver the emails, not even to the spam folder. Hotmail and Yahoo simply trashed the emails, considering them spam. I wrote to the customer support guys at Microsoft and they asked me to add SPF records to my domain. Yahoo never responded to my queries. I did everything I possibly could, but couldn't restore the IP reputation back to normal till now.
That's not all; the worst was yet to come. About two or three weeks after this incident, Google blacklisted my site (people call it sandboxed) saying that my site hosted malware. After an inspection I found that it was true and found a 'text file' with some PHP code in one of my image folders. My friend checked it and said it was some simple PHP script dropped by the attacker, who might be using it to conduct XSS attacks on other sites. I removed the rs9.txt file from the image folder and applied for re-inclusion. I never got any reply, but the site was back in the listing after a few weeks. Thank you, Google.
All in all, I spent more than two months bringing the full site back online, and that too not completely. From this I learned a lesson: whenever there is a quick surge in my visitor count, I look for the reason and analyze the logs for any type of malware; that is the importance of log analysis.
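The lesson above, checking the web server logs whenever traffic jumps, is the kind of thing that can be scripted. The following is an added example, not code from the original post: it parses Apache combined-format access log lines and flags client IPs that POST to the card-sending script far more often than a visitor would. The script path `/sendcard.php`, the threshold and the log lines are all constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" log format; one named group per field we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def find_abusers(entries, script_path, threshold):
    """Count POSTs per client IP to the mail-sending script and return the IPs
    whose count exceeds the threshold. A burst of submissions from one address
    is the signature of the script being driven by a spammer, not by visitors."""
    hits = Counter(
        e["ip"] for e in entries
        if e["method"] == "POST" and e["path"].split("?")[0] == script_path
    )
    return {ip: n for ip, n in hits.items() if n > threshold}

def make_sample_log():
    """Constructed sample log (not from the original post): two visitors each
    send one card, while one address hammers the script 200 times."""
    tmpl = ('{ip} - - [10/Mar/2009:10:{m:02d}:{s:02d} +0000] '
            '"POST /sendcard.php HTTP/1.1" 200 310 "-" "{ua}"')
    lines = [tmpl.format(ip="203.0.113.5", m=1, s=9, ua="Mozilla/5.0"),
             tmpl.format(ip="198.51.100.7", m=2, s=11, ua="Mozilla/5.0")]
    lines += [tmpl.format(ip="192.0.2.44", m=3 + i // 60, s=i % 60, ua="-")
              for i in range(200)]
    # An ordinary image fetch, to show that only POSTs to the script are counted.
    lines.append('203.0.113.5 - - [10/Mar/2009:10:05:00 +0000] '
                 '"GET /images/card.gif HTTP/1.1" 200 4096 "-" "Mozilla/5.0"')
    return "\n".join(lines)

if __name__ == "__main__":
    entries = parse_log(make_sample_log())
    print(find_abusers(entries, "/sendcard.php", threshold=20))
    # → {'192.0.2.44': 200}
```

Run against a real access log, the same two functions give the per-IP list to compare with the surge dates before the host has to send it to you.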