{"id":5493,"date":"2009-10-27T12:19:36","date_gmt":"2009-10-27T19:19:36","guid":{"rendered":"http:\/\/wapreview.com\/?p=5493"},"modified":"2019-12-31T16:15:52","modified_gmt":"2020-01-01T00:15:52","slug":"hacked-check-your-adsense-publisher-id-and-3rd-party-scripts","status":"publish","type":"post","link":"https:\/\/wapreview.com\/5493\/","title":{"rendered":"Site Hacked? Check Your AdSense Publisher ID And 3rd Party Scripts"},"content":{"rendered":"

Sometime Saturday night Wapreview.com was hacked. The hackers didn’t do much damage. Their goal was apparently financial gain rather than wanton destruction. All that was changed was the publisher ID in the JavaScript code for the AdSense block in the sidebar. This meant that ad impressions and clicks were credited to someone else’s account instead of mine. Ads continued to run and I probably would never have discovered it except for one thing. Sunday evening I noticed that the ad’s background color had changed from the yellow that I use to white. I checked my AdSense account and discovered that my meager advertising revenue had dropped to zero. I’m retired and rely on the ads on Wapreview.com and my other sites to supplement what I get from Social Security, so I was not amused.

I restored the AdSense JavaScript and changed the passwords on everything associated with the site: cPanel, FTP, SSH, WordPress and the WordPress MySQL database (the AdSense code is in a WordPress sidebar widget and is stored in the database). I also reported the issue to AdSense and received a nicely worded canned response in return. I went to bed confident that I had fixed the problem and better secured the server.

I woke up to find that the hack had been reapplied and my revenue was again going to someone else. I changed the publisher ID back and made sure that all the files on the server were read-only to the public. An hour later the AdSense hack was back again!

At this point I enlisted the help of my hosting company’s support team. I use HostGator and have been extremely pleased with them. All the server problems I’d been experiencing with 1and1 disappeared when I switched to HostGator. Their support has been exceptional; every time I’ve needed help, HostGator’s techs have gotten right back to me with a working solution. This time was no exception. Within four hours they had scanned my server space, finding and removing a couple of rogue scripts that allowed hackers shell access. They also pointed me to a security advisory about a vulnerability in Sphider, the open source site search engine that I use on my mobile sites. That is awesome customer support, especially considering that I’m using one of HostGator’s cheap shared hosting plans.

The rogue scripts had been created in the Sphider directory structure, making it likely that the Sphider vulnerability was the source of the attack. Sphider doesn’t adequately sanitize user input, making it possible to execute arbitrary shell or SQL commands using a specially crafted search query. I found a user-submitted patch for the issue in the Sphider forum. The patch was incomplete and didn’t work out of the box, but that was fairly easy to fix. It modifies Sphider to use PHP’s mysql_real_escape_string() function to escape special characters in all user input. I’ve placed a copy of the one Sphider file that needs to be fixed on my server for your convenience. I registered for the Sphider forum and tried to post it there as well, but I keep getting an error.

If you are running Sphider, I urge you to patch your installation as soon as possible. Here’s how:

  1. Find search.php in the root of your Sphider installation and make a backup copy somewhere so you can recover if my patch does anything unexpected.
  2. Download search.php.txt
  3. Rename search.php.txt to search.php and copy it to the root of your Sphider installation.","protected":false},"excerpt":{"rendered":"

","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[51],"tags":[560,965,805,964],"_links":{"self":[{"href":"https:\/\/wapreview.com\/wp-json\/wp\/v2\/posts\/5493"}],"collection":[{"href":"https:\/\/wapreview.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wapreview.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wapreview.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/wapreview.com\/wp-json\/wp\/v2\/comments?post=5493"}],"version-history":[{"count":9,"href":"https:\/\/wapreview.com\/wp-json\/wp\/v2\/posts\/5493\/revisions"}],"predecessor-version":[{"id":21194,"href":"https:\/\/wapreview.com\/wp-json\/wp\/v2\/posts\/5493\/revisions\/21194"}],"wp:attachment":[{"href":"https:\/\/wapreview.com\/wp-json\/wp\/v2\/media?parent=5493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wapreview.com\/wp-json\/wp\/v2\/categories?post=5493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wapreview.com\/wp-json\/wp\/v2\/tags?post=5493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}