Website hacking (cracking) is a widespread phenomenon – if you haven’t been a victim yet then it is only a matter of time. This article looks at a couple of examples of cracker victims.

I would imagine that every webmaster must have been the victim of a malicious cracker attack at least once in their online life.

I’ve been the at the receiving end of such unwelcome attention twice in the past. The first time was in 2005 after the bulk of developers left Mambo to join Joomla – I think perhaps I was the only person not to follow and continued using Mambo CMS. Within a few months a group of Turkish cyber-yobs defaced the site – and if they get into one site on a directory, they then rampage through the lot.

A few months ago I feel victim to a link injection attack. I noticed it pretty much as it was happening as the offender left quite blatant links in the footers of my sites. It was a nuisance, but I got the problem sorted after a few hours.

In this latter case I think it was because of an outdated WordPress script – crackers will jump on a known security flaw in a popular CMS or blogging platform.

I’ve even heard of an attack where a cracker slipped into the victims site and then deleted everything – including the backup.

This is one reason why I back up my entire home directory at least once a week and then download the lot onto my own hard drive.

During the 2003 invasion of Iraq there were countless websites being broken into with pro or anti-war slogans subsequently left on their homepage.

Link injection, rather than defacement, is another form of cracker abuse.

The vast majority of webmasters and practitioners of SEO acquire their incoming links in a honest manner, but due to the sums of money available for reaching the number one spot for certain keywords (Viagra and porn for two) nasty people have been illicitly cracking open websites and inserting links using this criminal method.

Cracking open a website to insert links is a big problem across the World Wide Web – this isn’t even blackhat SEO, it’s criminal SEO!

It isn’t always easy to spot when your site has been at the receiving end of a link injection attack as a clever cracker will disguise their links.

The other day I was examining the website of some nearby web design companies and agencies. I was looking at the pages indexed by Google for BrightCherry.co.uk and I noticed pages for Honda car parts listed.

Links such as this:

www.brightcherry.co.uk/reciva/recivahomepage2/images/bubble/hffvb/quarter-mile-time-honda-silverwing-scooter.html

www.brightcherry.co.uk/reciva/recivahomepage2/images/bubble/dhxtq/hood-1995-honda-accord-6-cylinder.html

www.brightcherry.co.uk/reciva/recivahomepage2/images/bubble/tpduf/buy-hydrocodone-without-prescription.html

That’s weird for a web design site, I thought.

Clicking on these links then redirected me to hardcore porn sites.

It was immediately obvious that BrightCherry had been cracked open and an investigation of their code confirmed this – there were a lot of links in the HTML code but hidden from the human eye by the CSS display property.

In this case it seems that the attacked website was handcoded with PHP rather than it relying on an CMS script.

I was surprised though that the website still had a PageRank of 5 as cracked websites are penalized by Google pretty quickly – it must have just recently happened.

I emailed the webmaster to inform them of matters.

So you must keep a very close eye on your websites. Constantly check your Google Webmaster Console as they will tell you there if you are linking to dodgy places and do your best to keep your blogging or CMS script up to date with the latest security updates.



By: Andrew Walpole

About the Author:

I have put together a list of some basic, more advanced and fun google hacks to help improve and refine your search

An asterisk (*) is used represents any wordGoogle advanced operators help refine searches.

The plus sign (+) is used to force a search of a very common word for example “the” . Use the minus sign (-) to exclude any term from your search. Dont put a space after these signs.

Searching  for a particular phrase, put double quotes(” “) each side of the phrase.

A full stop (.) is used to represent any single character.

More advanced operations need to use a syntax :

operator:search_term

Again don’t put a space between the operator, the colon, and the search term.

The site: operator is instructing Google to restrict a search to a specific web site or domain. Type the website URL after the colon.

The intitle: Google  searches for a term within the title of a document.

The filetype: operator instructs Google to search only within the text of a particular type of file. The file type to search must be supplied after the colon. Don’t put a full stop (.) before the file extension.

The inurl: operator instructs Google to search only within the URL (web address) of a document. Place your search term directly after the colon

The link:  Google  searches within hyperlinks for your particular search term.

The cache: operator displays the version of a web page as it appeared when Google crawled the site. Type the website URL after the colon.

And now for some fun ones

Type xx-klingon in google and click I’m feeling lucky (http://www.google.com/intl/xx-klingon/) believe it or not this is google in klingon!

Type Google Easter egg in the search box and click I’m feeling lucky (http://www.google.com/Easter/feature_easter.html) Help the google easter bunny catch the easter eggs.

Type Gothengine in the search box and click I’m feeling lucky ( http://www.gothengine.com/ ) Google gothic search for goths and emos.

Others include elgoog, google santa and google loco.



By: Dermot Rincon

About the Author:

WordPress bloggers beware because you can be attacked and hacked due to vulnerabilities in the WordPress platform. This article covers what’s happening and then gives you 12 ways to avoid it from happening to you.

That’s right my friends WordPress blogs are being attacked, hacked and redirected to other websites without the owners of the blogs being aware. Sounds scary doesn’t it? Imagine if you had a blog or website earning you hundreds of dollars daily!

Let me back up for a moment for those that aren’t in the know:

It all started for me on June 11, 2009 when I received a desperate call from one of my friends that runs a very successful, well-known and profitable wordpress blog.

They were almost in tears because the wordpress attack and hacker used a loophole in their self hosted blogging platform to accomplish two tasks:

1) Re-direct the traffic away from his wordpress blog to another website that was full of links to different affiliate products

2) Replaced all of his static websites using Iframe redirection to erectile dysfunction drugs and other pharmacy type websites.

How did the blog owner find out? One of their readers clicked on a link in the blog to read a post they were interested in and they were taken to an affiliate website that had nothing to do with the topics being discussed on the blog.

Thinking it was just an error they tried again and was taken to a completely different website than they were directed to the first time. That sent up red flags for the reader and they contacted the owners of the blog.

The really sad part is that by the time the owners of the blog were able to correct the wordpress attack and hack they had lost approximately $700 in sale that day alone. What’s worse is that here we are exactly a week later and they are still working on repairing the damage done to their static websites.

What can you do to protect you name, brand, reputation, revenue and WordPress blog from being attacked and hacked?

1. Secure Your WordPress Database -

Create a database for WordPress. WP uses only a few tables but creating a whole database just for the blog is more likely to limit its access.

Create and grant limited access to a database user. Create a user to access this database only and grant limited access to SQL commands in the database (select, insert, delete, update, create, drop and alter).

Pick a strong database password. Make it as random as possible since you don’t have to remember it.

2. Populate wp-config.php Properly – Use WordPress secret key generation tool to generate random WordPress cookies. These keys are used to insure better encryption of information stored in WordPress user’s cookies.

You also want to modify the WordPress table prefix to something other than wp_ by adding random characters and numbers to the end of wp, such as wp64mlm_manual.

3. Replace the Default “admin” Username – Fantastico users are able to pick admin user and password as part of the installation process. Replace the default so that “admin” user name is now myadm instead of admin.

4. Pick Secure WordPress Password for “Admin” – Your password should combine uppercase and lowercase characters and include numbers.

5. Use Secure Login via Encrypted Channel – WordPress bloggers who have SSL enabled for their domain should use that encrypted channel to access their WordPress Dashboard. You can force admin sessions over HTTPS by setting the FORCE_SSL_ADMIN variable in wp-config.php file to TRUE.

6. Upgrade as New Version Becomes Available – WordPress bloggers should upgrade once newer versions are issued because the upgrades address know security vulnerability issues.

7. Update Word Press Plug-in’s – It only makes sense to do so once you upgrade to a newer version of WP.

8. Backup Your Database and Files – Install a plug-in or use cronjob to create backups of your wordpress blog database and files on a regular basis.

9. Disable Directory Browsing – By default in most hosting, indexes of directories are shown in web browsers revealing any content of a directory that has no index.html or index.php. You can modify this behavior with Apache by adding a line of code into the .htaccess file in the root directory.

10. Protect WordPress Administration Files – WordPress administration files reside in wp-admin directory of your WordPress blog. You may use .htaccess to restrict access or allow only specific IP addresses to enter this directory and file. You may also allow access from a range of IPs by way of mod_access.

11. Restrict File Access to wp-content Directory – The wp-content directory contains your theme files, uploaded images and plug-ins. WordPress blogs don’t access the .PHP files in the plug-ins and themes directories via HTTP. Restrict wp-content by way of .htaccess so only the following files can be accessed image files, javascripts, and CSS preventing people from accessing any other files directly.

12. Hide The WordPress Version in the Header Tag.

These practices are nothing new and WordPress has been telling their self hosted bloggers that they should be implementing these tactics since day one.

Now the wordpress attack and hack is in full effect and millions of bloggers are going to wake up one day and find that all their hard work, efforts and revenue is gone.

I beg all WordPress users to take emergency steps to protect themselves starting today! While I have listed what can be done in this article there is so much more that wasn’t covered so I highly recommend that you take the time to research the resource I will mention in my bio below because it is how my friend and I are now protecting ourselves from the WordPress attack and hack.



By: Paul Hackett

About the Author: