Beep bop boop let’s go log into Gmail and check out some emails.
New Owner for BradGibala.com?
Who is this other Brad Gibala who would take ownership of BradGibala.com? I thought I was the only one.
Hmm. That person’s name is not Brad Gibala. It’s xjbbgvql. What kind of name is that?
What’s this other email from my hosting provider saying they detect malware on my site?
Dammit. I’ve been hacked!
What are the up to 250 visitors a day who visit BradGibala.com going to do with their lives?
A Long Time Coming
I’ve been building websites and blogging for over a decade and not once to my knowledge has a website been hacked. And this is with 20+ blogs running at one time during my peak years.
To think this hasn’t happened already is something. Especially since I haven’t done that much extra security. Same password on most of my sites for 5+ years and WordPress automatically updates when a new version comes out.
Assessing The Damage
Whoever did the hacking went right to work. And it wasn’t just this blog they attacked. It was my entire hosting account which had malware injected into it.
Over 3,000,000 new pages were created on this site alone. Amazing!!
It was so many new pages that my hosting provider shut me down as I went over my allowable usage for the month on October 3rd. I’ve never been close to reaching half of that in a typical month.
It was not visible to the naked eye but when I searched for my blog on Google it was picking up some Japanese on my home page and hacked pages. Instead of being Brad Gibala who likes golf and fitness I was now a KS-06 Engineer who sold 20 Piece Maintenance Tool Kits from Fujisawa, Japan.
You know, the kits look quite handy.
How It Went Down
Everything points toward the hacker accessing my hosting account through an old theme on a niche website I have not updated in years. WordPress was updated but the theme had not been brought up to new WordPress theme standards.
I never touched the theme because I had spent a lot of time getting it to look that way years ago and it worked for quite a while bringing in affiliate sales.
I am not sure exactly if this was how but my hosting provider told me there were malware files on that one site to start with and it spread from there eventually accessing the main website on my hosting plan which is BradGibala.com.
All of the other websites were considered sub-domains on my hosting account which means they share the bandwidth, etc.
Where To Start?
Thankfully my hosting provider was a big help. I’ve been using SiteGround for a couple of years after moving from HostGator and the customer service they provide is fantastic. Tickets are replied to in less than an hour and in most cases there is someone there to chat with immediately with a solution to a problem. They told me which files were malware and to delete them.
But that was not good enough in the eyes of Google.
Turns out the Googlebot was picking up Japanese hacked content that SiteGround could not. Google calls it the “Japanese keyword hack”.
First thing I had to do was delete “xjbbgvql” as an owner. Bye Bye Son’ ah Bitch.
From there I had to delete the 5 sitemaps they uploaded to my Google Webmasters account. I don’t believe they were able to access my Google Accounts.
How they verified ownership was by creating a fake Google Webmasters account, getting the HTML code, inserting the file into my blog’s header, and verifying it in the fake Google Webmaster account.
Since they verified their ownership they could upload sitemaps with millions of pages each with thousands of links on each page. The internal links these pages created were equally impressive. I like my home page and all but not 79k times.
All of those pages and folders were deleted. But man that’s some serious Blackhat SEO sort of shit all in the name of trying to game Google.
I thought I did everything possible to get rid of the spam from my hosting account but Google denied my request to allow your good friend Brad Gibala back into their search results. They put me in timeout while I fixed things.
It wasn’t until I followed the steps in Google’s video describing how to deal with the damage from spam that I started making some headway. It was a big help. First thing I needed to do was “Fetch As Google” to see what the homepage code looked like.
In the video they talk about cloaking and to look in the header files. SiteGround ran my site through Sucuri and they could not detect any bad files.
But when I searched for what the index.php and wp-blog-header.php files were supposed to look like and compared them to what I was seeing in the File Manager inside my hosting account, I saw something fishy. The two were not the same.
And when you switch to the editor in the index.php file it looks like this.
Wp-blog-header.php had the same shit in it. I confirmed with SiteGround and they replaced the files while I was on chat with them.
After replacing those two files, then “Fetching As Google” in Webmasters, I could now see the Japanese content was gone.
I sent the reconsideration request to Google to have your boy back in search results. The next day I was.
“You’re either winning or learning” is an inspirational message I read on a coffee cup one time. And this is one of those situations where I was learning.
It’s been a while since I played around in cPanel or used phpMyAdmin to snoop around in databases. Neither of which I find to be fun but it’s something you should at least be familiar with when running a blog.
The hack happened at an interesting time as GoDaddy was sending me emails saying a bunch of domains were about to auto renew. In those domains was the one that was hacked.
Looking through the databases and files for the niche sites I haven’t touched in years for malware or bad files struck a nerve with me.
Why am I keeping these websites?
Most of the domains were “exact match domains” for keywords or phrases that used to bring in some traffic back in the day. But not anymore.
We’re talking about ten websites that made $100 to $1000 a year through affiliate sales or ad clicks. But that too doesn’t happen anymore. Many haven’t made a dollar in years.
And I have no interest in updating them or paying someone to do so. Basically, they are dead.
So instead of going through all those databases and files anymore I checked the delete box next to the folder holding all the content in those sites and clicked yes when it said do you want to “Delete All”.
Many of these sites had 10 to 50 posts so we’re not talking about a lot of content. But this action kind of continued on with what I did last year in consolidating a couple of blogs I had been running into this one. Cleaning up more of the internet if you will.
What It Accomplished
I now have 10 fewer blogs that are doing nothing for me to manage or worry about getting hacked. It also saved me over $130 a year in domain renewal fees. None of which were worth anything anymore.
I’m still extremely butt hurt about all of this because SiteGround recommended me downloading AntiVirus software to my computers and seeing if they were infected. I have an iMac and MacBook Pro so of course I’ve never used those before. Because, you know, those sorts of things like never happen to Apple products and stuff.
I followed the steps in this video recommending which programs to use on Macs to remove Malware, Viruses, and more in 2018.
After spending many hours downloading and running through millions of files between both computers it found one bad file between them. Winner Winner Chicken Dinner!!
Sequence Of Events
From the moment I received the new owner email to sending my second re-index request was two and a half weeks. We went on a five-day trip to Florida to see Andrea’s brother and his family which added time due to me not opening my laptop once.
I did not think it was a big deal after cleaning everything before we left but as I said above I missed a lot. Google sent me other emails alerting me to an increase in 404 pages and the hacked content. Thanks BIG G.
Check out some of the behind the scenes numbers before, during, and after the hack.
Let’s Get Back To Blogging
Just let me check everything again. Head on over to Google. Type in Brad Gibala and let’s see what pops up since even though everything looked good two days ago I want to see how the blog is being re-indexed.
Yup, I’m a KS-06 Engineer again.
What the fuck is going on here. I thought this shit was clean. Back to SiteGround I go telling them I got hacked again. And back to them telling me everything looks good on their side…but it’s not.
I head back to the same files that were hacked and sure enough that code is back. So I delete and replace again. Mind you that I’ve deleted entire blogs from my shared hosting account and changed every password possible.
And I head to Google to search for anything that can help my WordPress blog from getting hacked. After doing a little bit of digging I find Wordfence.
With 2+ Million downloads and basically a 5 Star rating I install it and see what the free version can do.
Wordfence found 7 additional files with malware or spam injected into my site that SiteGround did not detect. It also told me I should probably delete a couple of plugins that haven’t been updated in years even though they still work.
Appears there were even some old core files from previous versions of WordPress that were left behind and malware was injected into those. All sorts of fun!!
I logged back into Google Webmasters and “Fetched As Google” again. I am not a KS-06 Engineer.
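The by-hand comparison of index.php and wp-blog-header.php against stock copies, and the hunt for leftover core files, can both be done by one script. The following is an added example, not code from this post or from any tool it names; it assumes a pristine copy of the same WordPress version is unpacked beside the live files, and the function names and the `google<token>.html` filename pattern are assumptions.

```python
import hashlib
import re
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")             # only WordPress core lives here
VERIFY_RE = re.compile(r"^google[0-9a-z]+\.html$")  # assumed verification-file naming

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(site, clean):
    """Compare a live install (site) with a pristine copy of the same version (clean)."""
    site, clean = Path(site), Path(clean)
    report = {"modified": [], "missing": [], "unexpected_core": [], "verification_files": []}
    for ref in clean.rglob("*"):
        rel = ref.relative_to(clean)
        if not ref.is_file() or rel.parts[0] == "wp-content":
            continue  # themes, plugins and uploads legitimately differ
        live = site / rel
        if not live.is_file():
            report["missing"].append(rel.as_posix())
        elif digest(live) != digest(ref):
            report["modified"].append(rel.as_posix())  # e.g. index.php, wp-blog-header.php
    for live in site.rglob("*"):
        rel = live.relative_to(site)
        if live.is_file() and rel.parts[0] in CORE_DIRS and not (clean / rel).is_file():
            report["unexpected_core"].append(rel.as_posix())  # leftover or planted file
    report["verification_files"] = [p.name for p in site.iterdir()
                                    if p.is_file() and VERIFY_RE.match(p.name)]
    return {k: sorted(v) for k, v in report.items()}

def build_demo(root):
    """Create two tiny constructed trees; contents are placeholders, not real WordPress."""
    root = Path(root)
    stock = {"index.php": "<?php // stock\n", "wp-blog-header.php": "<?php // stock\n",
             "wp-includes/version.php": "<?php // stock\n"}
    for tree in ("clean", "site"):
        for rel, body in stock.items():
            target = root / tree / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    site = root / "site"
    for name in ("index.php", "wp-blog-header.php"):  # simulate the tampered files
        (site / name).write_text("<?php // constructed injected line\n" + stock[name])
    (site / "wp-includes" / "class-old.php").write_text("<?php // constructed leftover\n")
    (site / "google0123abcd.html").write_text("constructed token file\n")
    return site, root / "clean"

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(*build_demo(tmp)))
```

Anything listed under `verification_files` should be matched against the owners shown in the search console; a file nobody on the account recognizes is worth removing and re-checking after the next cleanup.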
Let’s Hope So
I would like to tell the Earth that I have retired from being a KS-06 Engineer and have no intentions of ever being one again.
If I shall ever become one again I will do my best to burn down the internet.