5
    2011

    Hacked! :-(

    Earlier this week schiffner.com was hacked. Though the method of entry was rudimentary, the results of the unauthorized and malicious access were quite serious. The intruders inserted malicious code into dozens of pages throughout the site. This code redirected visitors to JavaScript which would then infect their computer with a trojan horse. The hack was not limited to schiffner.com. It extended to all of Cathy's and my sites — cathyclarke.com, drinkorbedrunk.com, mokeymonkey.com, and no-bling.com.

    To explain exactly what occurred I’ll step back to May. After years of hosting our websites and email in-house, the costs required to sustain the traffic we were receiving had increased to a point that was not financially sustainable. Although I display ads on this website and I sell premium versions of my software, the revenues associated with this site are actually quite small. Taking the sites offline was never considered. After reviewing the options available I decided to move our sites to a shared host. The transition was pretty much seamless and the vast majority of visitors were never aware of the transition.

    That was until Sunday August 5. Visitors to any of the above sites who were running updated antivirus software were not greeted with the site they expected, but rather a virus warning and a blank page. It’s an unsettling encounter for visitors and it’s even more unsettling to me. Quite frankly I’m embarrassed. To a web developer an intrusion like this is the equivalent of coming home to find burglars in your house. I’d like to sincerely apologize to all of our visitors and customers.



    So how did they get in?
    Ah…the joys of shared hosts and relying on third parties for security. Under a shared host there is a master account. The master account has access to the entire file system for each website and service hosted with that account — databases included. Somehow the credentials for our master account were compromised. This account had never been accessed from public hardware and utilized a strong alphanumeric password containing uppercase and lowercase characters in addition to special characters. The password was not in use anywhere else. This was the first and only account it was used on. It’s not easy to guess — a dictionary can’t be used and brute force attacks would take a significant amount of time. How the password was compromised I do not know. I can only guess there was an undisclosed security breach at the host.



    How were visitors affected?
    The vast majority of users were simply unable to access the site thanks to their antivirus software blocking access. If you visited any of the above sites between Sunday, July 31st and the morning of Wednesday, August 3rd and did not receive a virus warning, it would be safest to scan for malicious infections. There are two freely available pieces of software I’d recommend using to scan for infections:
    SUPERAntiSpyware
    Malwarebytes Anti-Malware
    After combing through access logs it does not appear as though any customer data was compromised. There is no record of a database dump or attempts to access purchase histories. Because I process all payments through PayPal no credit card information or sensitive billing account information is stored on our site. Customers can have the peace of mind that there is no possibility of fraudulent charges as a result of the intrusion.



    What has been done to clean the site and prevent this from happening again?
    The truth is it’s impossible to guarantee there will never be another intrusion. Our host was notified of the intrusion. The entire contents of the hosting account were scanned, examined, and cleaned of any of the malicious code inserted by the intruders. I have installed third party monitoring software which automatically scans the site for changes and notifies me whenever malicious activity is detected. The password for the master account will be regularly changed and its complexity has been increased. All of the software on our sites has been checked for new versions and updated as necessary. It’s my hope that the combination of these actions will prevent a future intrusion.
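    A minimal version of the change-monitoring step described above, as an added example (not the monitoring product the author installed): it records a SHA-256 hash of every file under the web root and reports modified, added and removed files against that stored baseline. The site tree, file names and the appended tag in the demo are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def build_baseline(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def diff_baseline(root: Path, baseline: dict[str, str]):
    """Compare the live tree against a stored baseline.
    Returns (modified, added, removed) path lists; any non-empty list is an alert."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed

def demo():
    """Constructed scenario: baseline a tiny site, then simulate a page being
    altered and a file being dropped, and return what the check reports."""
    root = Path(tempfile.mkdtemp())
    (root / "images").mkdir()
    (root / "index.html").write_text("<html><body><p>Hello</p></body></html>\n")
    (root / "about.html").write_text("<html><body><p>About</p></body></html>\n")
    # In real use, store the baseline somewhere the web-server user cannot write.
    baseline = build_baseline(root)
    assert diff_baseline(root, baseline) == ([], [], [])  # clean tree: nothing to report
    # Simulated tampering (constructed, not the real payload): a tag appended
    # to one page and an unexpected file created in an upload directory.
    with (root / "index.html").open("a") as f:
        f.write('<script src="http://example.invalid/x.js"></script>\n')
    (root / "images" / ".cache.php").write_text("<?php /* constructed placeholder */ ?>\n")
    return diff_baseline(root, baseline)

if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
```

    Run it from cron against the live document root and send the three lists by e-mail whenever any of them is non-empty.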

    One Comment on “Hacked! :-(”

    1. Arrr! Ye hackers are mighty bad! Do not like!
