As you may have gathered, our site was hacked last month and malware was found. The trouble started shortly after we received an email from a (clearly) very disgruntled IME, referring to his multiple negative reviews on our site’s “rate an IME / IME List”, and stating that we caused upset in those injured workers who were due for an IME assessment with this man. He demanded an apology and requested we delete the reviews pronto…or else… Coincidence? Maybe…
For OBVIOUS reasons, we won’t publish who this IME is, nor the full email we received shortly before malicious code was injected into our IME rating functionality.
Holy Schmoly – our site was hacked
The on-line trouble started with time-outs; that is, we and fellow commentators kept having our comments timed out and were unable to post our comments, unless they were 3 words short. Soon after, we noticed (and were notified) that there was an issue with our “IME List” page, which was not displaying properly and then vanished. The cherry came next: we were locked out from the website’s administration area, and were unable to view our site online (similar to an IP ban).
We obviously apologise for the issue and inconvenience and have spent the past few weeks getting it sorted. Yes, WEEKS!
Why did it take so long to restore a workcovervictimsdiary?
Before we did or could do anything, we had to determine if our website had actually been hacked. There is – generally – no single definitive indicator or sign. At times it will be obvious, but this isn’t always the case. There are commonly several possible signs that indicate that a website has indeed been hacked; these are only a few of the common ones:
- a defaced homepage/site (the homepage or website has been visually changed by non-authorised individuals);
- inability to log in to administrative areas;
- a very slow website;
- receiving warnings from your antivirus/browser of viruses or malware from your website;
- search engine notification (you are notified by a search engine that your site may have been compromised – or your website’s search results show incorrect information, often advertising products that are not yours);
- a range of possible other problems such as our “time outs”, inaccessible pages (such as our IME List) etc.
Then we had to find out how our site was hacked. Finding out how we were hacked obviously helps to address security flaws. Some common ways a site gets hacked include:
- Stolen login credentials: the site’s admin login credentials were somehow stolen, many times by methods like social engineering, intercepting unencrypted emails, brute force cracking, etc. Thank God, that was not the case.
- Vulnerable script: Scripts on a website are sometimes vulnerable to attacks like code injections. Make sure scripts are always updated, like addons, modules, themes, etc. If your website has file upload functionality, a malicious file may also have been uploaded. In our case and on this occasion we managed to trace back the attack to a malicious code injection into our rate an IME functionality.
- Virus & malware on local machine can also be the cause: A virus or malware on your local machine may have stolen login credentials or other sensitive material that may have compromised your website. Always make sure your computer is clean of viruses and malware. Ours was clean.
- Host/shared server hacked: Your host/provider was hacked, compromising your information. When you’re on a shared server – if the others on your server have been hacked, there is potential that you may also be a victim. Again, that was not the case; we were the sole victim.
So after assessing the situation, we all came to the conclusion that our website had been hacked. So what do we have to do then?
We had to inform our host service provider and viewers/users that our site had been compromised. We tried to let our readers know aworkcovervictimsdiary had been hacked and even managed to upload a message on the home page. Then the dreaded backup of all our website’s content started. Thank God we did keep multiple copies of our site’s content (on and off line) just in case. But still…
At this point we had to not only work with our host provider but also contact a “professional” (someone who is familiar with hacks and recovery procedures). The long recovery process started:
Removing all of our current website content. We had to delete everything from our root folder to ensure all malicious material had been removed.
We also had to delete all cron jobs (scheduled automatic system maintenance and administrative tasks) located in our web hosting control panel.
We had to check all our website databases to ensure they had not been compromised. Those that were (the rate an IME function) had to be cleaned, by restoring a clean backup before being used again. And finally we had to reinstall our site: upload a clean copy of our entire website. We had to resort to reinstalling our site’s content from a clean back-up, just to make 100% sure the malicious code was gone. This also included having to update, reinstall and reconfigure all our site’s scripts, ensuring they’re connected to the proper databases and so it is that – coupled with one of us moving house and another one going through full litigation of their claim – it took yonks!
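As an added illustration of the "clean copy" step above (this is example code written for this page, not the tooling our host or the professional used), the script below hashes every file in a known-clean backup and in the live web root and reports what was added, changed or removed. The folder and file names in `demo()` are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(clean_root, live_root):
    """Report how the live web root differs from the clean backup."""
    clean, live = manifest(clean_root), manifest(live_root)
    return {
        # Present on the live site but never part of the backup.
        "added": sorted(set(live) - set(clean)),
        # Part of the backup but gone from the live site.
        "missing": sorted(set(clean) - set(live)),
        # Same path, different content.
        "modified": sorted(p for p in clean.keys() & live.keys()
                           if clean[p] != live[p]),
    }


def demo():
    """Constructed sample: a tiny 'backup' and a tampered 'live' copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (clean, live):
            (root / "plugins").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'home'; ?>")
            (root / "plugins" / "rating.php").write_text("<?php /* form */ ?>")
        # Simulated tampering (constructed): one file altered, one dropped in.
        (live / "plugins" / "rating.php").write_text(
            "<?php /* form */ ?>\n<!-- injected -->")
        (live / "plugins" / "cache.php").write_text("<?php /* unknown */ ?>")
        return compare(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A clean report only means the files match the backup, so the backup itself has to predate the compromise. Database contents and cron jobs are not covered by a file comparison and still need the separate checks described above.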
Anyhow, we have now moved to a new cloud server and gone back to a mid June backup to ensure none of the malware was present. Again, we apologise for the inconvenience caused but do hope you will take the time to be a part of our community of workcovervictims again!
Best regards and thank you for your support!
[Dictated & manually transcribed on behalf of WCV]