I woke up to find that the hack had been reapplied and my revenue was again going to someone else. I changed the publisher ID back and made sure that all the files on the server were read-only to the public. An hour latter the AdSense hack was back again!
At this point I enlisted the help of my hosting company's support team. I use HostGator and have been extremely pleased with them. All the server problems I'd been experiencing with 1and1 disappeared when I switched to HostGator. Their support has been exceptional, every time I've need help, Hostgator's techs have gotten right back to me with a working solution. This time was no exception. Within four hours they had scanned my server space, finding and removing a couple of rouge scripts that allowed hackers shell access. They also pointed me to a security advisory about a vulnerability in Sphider, the open source site search engine that I use on my mobile sites. That is awesome customer support, especially considering that I'm using one of HostGator's cheap shared hosting plans.
The rouge scripts had been created in the Sphider directory structure making it likely that the Sphider vulnerability was the source of the attack. Sphider doesn't adequately sanitize user input making it possible to execute arbitrary shell or SQL commands using a specially crafted search query. I found a user submitted patch for the issue in the Sphider forum. The patch was incomplete and didn't work out of the box, but that was fairy easy to fix. It modifies Sphider to use PHP's mysql_real_escape_string() function to escape special characters in all user input. I've placed a copy of the one Sphider file that needs to be fixed on my server for your convenience. I registered for the Sphider forum and tried to post it there as well but I keep getting an error.
If you are running Sphider I urge you to patch your installation as soon as possible. .Here's how:
- Find search.php in the root of your Sphider installation and make a backup copy somewhere so you can recover if my patch does anything unexpected.
- Download search.php.txt
- Rename search.php.txt to search.php and copy it the the root of your Sphider installation.