[update] Pokitto website was sitemap spoofed through an old inactive ModX install

jonne · September 2, 2018, 7:11pm

Hello all

Today @Hanski alerted me to google search informing that “your website may be hacked”

And indeed, there was script injection but it had been done on non-active http pages. Due to the .htaccess rerouting all traffic to https no-one should actually have come across any compromised content (fake North Face clothes, Viagra etc etc).

I’ve run the site through malware checks, and they come out clean. The only thing that really is affected seems to be the result that google search gets, since it crawls through pages that are normally not visible.

I’ve also taken pokitto.com front page down for safety.

I’ll be going through the non-active pages and remove any bs.

Jonne

edit: talk.pokitto.com runs on a completely different server and hosting, has not been affected in any way

Haunebu123 · September 2, 2018, 9:21pm

Hello,

just for info, i saw the “your website may be hacked” message since August 28, `18 when i ordered my Pokitto with credit card. I hope everything will be fine

jonne · September 2, 2018, 9:27pm

Hello!

Thanks for that info. It seems that the “japanese keyword hack” in question is only messing up the google search results and giving that error message.

I have been going through the .htaccess and php files on the site and I have not yet seen any evidence of those scripts on the site itself.

If they were indeed running, according to the stuff I’ve read, you should have gotten redirected to some fake goods pages. But I haven’t noticed any such activity / have not been reported anything like that.

EDIT: and, paypal and braintree payments are handled off-site by paypal servers. So credit card details are never handled on my site.

The only issue that remains is that I need to clear the warning from google search.

Jonne

Haunebu123 · September 2, 2018, 9:40pm

Thank you, that is reassuring.

I dont noticed any fake goods pages in context with my Pokitto order

Is it possible to get the tracking nr. of my Pokitto to see where it is now?

jonne · September 2, 2018, 9:42pm

Yes, sorry for not sending it sooner. I will PM the link to you in a few minutes

Haunebu123 · September 2, 2018, 9:44pm

no problem, thank you

jonne · September 2, 2018, 9:48pm

I think I have found something that may be the cause of the hack message

I had (yes yes I know I know) a previous install of ModX on this server in a different directory - you would have not navigated through it, and those pages were not served. But Google search crawls through everything on the website and finds them.

It seems that this ModX directory may be the cause of the alert. I have not found anything suspicious on anything in the current wp installation.

I am still verifying that.

Haunebu123 · September 2, 2018, 10:07pm

Hope you can get rid of the hack massage, may small script code bug by this cms who knows

jonne · September 2, 2018, 11:09pm

I think I found the bastard

Looking at error logs, I find lots of

[02-Sep-2018 18:31:33 UTC] PHP Notice:  Undefined index: HTTP_REFERER in /home/smultron/public_html/core/xpdo/changelogs.txt on line 666
[02-Sep-2018 18:31:34 UTC] PHP Notice:  Undefined index: HTTP_REFERER in /home/smultron/public_html/core/xpdo/changelogs.txt on line 666
[02-Sep-2018 18:31:46 UTC] PHP Notice:  Undefined index: HTTP_REFERER in /home/smultron/public_html/core/xpdo/changelogs.txt on line 666
[02-Sep-2018 18:40:06 UTC] PHP Notice:  Undefined index: HTTP_REFERER in /home/smultron/public_html/core/xpdo/changelogs.txt on line 666

HTTP_REFERER in a txt file? What?

Until I look at the index.php in the old ModX root:

<?php
//installbg
$rifilename='/home/smultron/public_html/core/xpdo/changelogs.txt';
require("$rifilename");
//installend

So there you go. Cleaning up now & checking that no such avenues are open anymore

Pharap · September 2, 2018, 11:31pm

How fitting. :P

jonne · September 2, 2018, 11:39pm

Methinks it is not a coincidence

jonne · September 2, 2018, 11:56pm

Just ran a filecompare against the wp install from december. No changes in any of the core files.

I think I am ready to conclude that this was Google search crawler talking to an old modx installation that had been hit by some sort of a scanner with knowledge of a new exploit

That should teach me not to leave old stuff on a server.

EDIT: the way the hack modified the Google Search results was to spoof the sitemaps:

					 <loc>http://www.pokitto.com/h189180-dxorqyfmqyvn-aphkrwfcxpfeeeshby/</loc> 

					 <lastmod>2018-08-08T21:15:19-05:00</lastmod>   

					 <changefreq>daily</changefreq> 

					 <priority>0.9</priority> 

					 </url>

				     <url>

					 <loc>http://www.pokitto.com/h189680-tvswkwli-vghyiccwyqbnyljc/</loc> 

					 <lastmod>2018-08-08T21:15:19-05:00</lastmod>   

					 <changefreq>daily</changefreq> 

					 <priority>0.9</priority>

EDIT: just for your interest, these pages never existed. They were only in the sitemap, that google was reading. The creator of the hack got some kind of money for referral links. That was the idea of this entire thing.

Haunebu123 · September 3, 2018, 7:36am

Good work, well done Mr. Pokitto

jonne · September 3, 2018, 8:16am

Thanks. I have requested Google to review and rebuild search result, but according to documentation can take weeks

So we will have to endure “this website may have been hacked” for quite some time still

Special thanks to @Hanski for alerting me to the problem

Haunebu123 · September 3, 2018, 10:10am

Don´t be sad/angry Mr. Pokitto, i saw the “hacking message” and it don`t held me back last week from purchase a Pokitto

Hanski · September 11, 2018, 7:58am

I see no more any problems in Google search (“pokitto”)

jonne · September 11, 2018, 8:06am

Thank god for that. I can say it was an extremely unpleasant experience.

I sent several requests to Google, and luckily the system works.