

Jun 12


I am a part-time moderator/web administrator on our unofficial college website. Last year our website was hacked and a malicious script was placed on it, which caused redirection of some Google-referred traffic. It did not redirect all Google-referred traffic, though: the script even set its own cookie to ensure that people were sent to the offending site not every time but only once every 86400 seconds.

For days I searched the internet desperately to find out if it was a known thing. Most sites suggested it was a .htaccess attack, but I had already suspected that and our .htaccess file was squeaky clean. Just to be sure, I also checked all the .htaccess files above and below our root level, and they were clean. So I was sure it was a script. If your site is hacked via the .htaccess method, there would be entries like:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://newaddress [R,L]
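A check for entries of this shape, as an added example that is not part of the original post: it looks in every .htaccess above and below the document root for a RewriteRule that is gated on HTTP_REFERER and points at a host other than your own. The function names and the `own_hosts` parameter are assumptions made for this sketch.

```python
import os
import re
from urllib.parse import urlsplit

COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)

# Constructed sample: the pattern quoted above plus one harmless internal rule.
SAMPLE = """\
RewriteEngine On
RewriteRule ^old-page$ /new-page [R=301,L]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://newaddress [R,L]
"""

def audit_htaccess(text, own_hosts=()):
    """Return (line_no, target, referrer_patterns) per off-site, referrer-gated rule."""
    findings, pending = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        cond, rule = COND.match(line), RULE.match(line)
        if cond:
            pending.append(cond.group(1))    # applies to the next RewriteRule
        elif rule:
            host = urlsplit(rule.group(1)).hostname
            if pending and host and host.lower() not in own_hosts:
                findings.append((line_no, rule.group(1), pending))
            pending = []                     # conditions never outlive their rule
    return findings

def htaccess_files(docroot):
    """Yield .htaccess files in every parent of docroot and everywhere below it."""
    folder = os.path.abspath(docroot)
    while os.path.dirname(folder) != folder:     # walk up to the filesystem root
        folder = os.path.dirname(folder)
        if os.path.isfile(os.path.join(folder, ".htaccess")):
            yield os.path.join(folder, ".htaccess")
    for folder, _dirs, files in os.walk(docroot):
        if ".htaccess" in files:
            yield os.path.join(folder, ".htaccess")

def audit_site(docroot, own_hosts=()):
    report = {}
    for path in htaccess_files(docroot):
        with open(path, errors="replace") as fh:
            hits = audit_htaccess(fh.read(), own_hosts)
        if hits:
            report[path] = hits
    return report
```

Pass your own domain names (lower case) in `own_hosts` so that legitimate referrer-based rules, such as hotlink protection that redirects to your own site, are not reported.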

After the .htaccess files were found clean, I tried some workarounds to prevent the redirection, like setting the server referrer variable to null and trying to make all URLs 301 redirects, but that didn’t work, since the script was still able to detect the referrer as Google and redirect the visitor to tinyurl4.info, which probably paid them a lot to get this done. Visitors would be sent to random addresses on the tinyurl4.info site. Since the site may be hosting malware, I would request you not to go there. So this method of cloaking the referrer on my side clearly wasn’t working.

Next I created a zip file from the offending folder of the site and downloaded the whole thing using my 3G Photon+ connection (I wanted to finish it off ASAP). Once the folder was downloaded, I ran a McAfee scan of the whole thing, hoping that the antivirus would be able to detect the offending code as it would be obfuscated. But I was wrong; McAfee was terribly incompetent. So it was plan B: I started searching for strings like .js and tinyurl4.info to try and find the redirecting code. Windows search wasn’t very helpful here and couldn’t even find base64, which was one of the strings I searched for and was a part of the offending code.

So now it was plan C, and this one worked. I listed all files in the site which had been modified within the past one year. Here is where I was able to find the culprit. One PHP file, global_lang.php, had been edited in 2009 while all its peers were not listed. I grew suspicious and opened the file. To my shock, horror and relief I found the following piece of code:

[Image: injected code]

which, when translated, turned out to be malicious code. I am not displaying the malicious code here in case you get any ideas. What it was doing was checking if the person was referred by Google, Yahoo etc., and if that was true and no cookie existed, it would redirect that person after setting a cookie. The cookie ensured that once a person was redirected to the fake site, he wouldn’t be redirected again for some time.
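Plan B and plan C combined into one pass, as an added example that is not part of the original post: it flags scripts modified much later than the other scripts in the same folder, and scripts whose content shows the traits described above (base64, a referrer check, a cookie). The marker list, the `gap_days` threshold and the eval-of-decoded-data pattern are assumptions chosen for this sketch.

```python
import os
import re
import statistics
import sys

EXTS = (".php", ".inc", ".js")
# Byte patterns for what the post describes: obfuscated (base64) code that
# reads the referrer and sets a cookie before redirecting. Assumed list.
MARKERS = {
    "eval of decoded data": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I),
    "base64_decode call": re.compile(rb"base64_decode\s*\(", re.I),
    "reads HTTP_REFERER": re.compile(rb"HTTP_REFERER"),
    "sets a cookie": re.compile(rb"setcookie\s*\(|document\.cookie\s*=", re.I),
}

def triage(docroot, gap_days=30):
    """Return {path: [reasons]} for scripts that deserve a manual look."""
    report = {}
    for folder, _dirs, files in os.walk(docroot):
        scripts = [os.path.join(folder, f) for f in files if f.lower().endswith(EXTS)]
        if not scripts:
            continue
        mtimes = {p: os.path.getmtime(p) for p in scripts}
        baseline = statistics.median(mtimes.values())
        for path in scripts:
            reasons = []
            lag_days = (mtimes[path] - baseline) / 86400
            # Needs a few peers, otherwise "later than the rest" means nothing.
            if len(scripts) >= 3 and lag_days > gap_days:
                reasons.append(f"modified {lag_days:.0f} days after its peers")
            with open(path, "rb") as fh:
                data = fh.read()
            # Content is checked regardless of date: mtime can be reset.
            reasons += [label for label, rx in MARKERS.items() if rx.search(data)]
            if reasons:
                report[path] = reasons
    return report

if __name__ == "__main__":
    for path, reasons in sorted(triage(sys.argv[1]).items()):
        print(path, "->", "; ".join(reasons))
```

A single marker on its own is common in legitimate code; a file that is both out of step with its peers and carries several markers is the one to open first.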

I have listed these steps here so that webmasters might be able to get a hint of how to recover from this particular type of injection on their sites. Of course, always take backups; backups ensure you can just dump them on and the malicious code is removed.

Future Proofing

There is probably no way to protect yourself from the super hackers; however, you can always take precautions. First and foremost, always take backups, and multiple backups. You should ideally have 12 backups from the past 12 months.

Apart from backups, ensure that the permissions on your website are always set correctly. 777 is really the devil. Never grant write permissions to outside users. 755 for folders and 644 for .php files usually works. In case you suspect hacking, contact your host at the earliest.

Also turn off all directory listing.
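A permission audit for the advice above, as an added example that is not part of the original post: it reports every file or folder that group or other users can write to and, only when asked, resets it to 755 or 644. The function names and the dry-run default are assumptions made for this sketch.

```python
import os
import stat

DIR_MODE, FILE_MODE = 0o755, 0o644      # the modes recommended above
LOOSE = stat.S_IWGRP | stat.S_IWOTH     # write bits for anyone but the owner

def audit_permissions(docroot):
    """Return [(path, current_mode, wanted_mode)] for entries others can write to."""
    paths = [docroot] + [os.path.join(folder, name)
                         for folder, dirs, files in os.walk(docroot)
                         for name in dirs + files]
    findings = []
    for path in paths:
        info = os.lstat(path)
        if stat.S_ISLNK(info.st_mode):
            continue                     # chmod would follow the link to its target
        mode = stat.S_IMODE(info.st_mode)
        if mode & LOOSE:
            wanted = DIR_MODE if stat.S_ISDIR(info.st_mode) else FILE_MODE
            findings.append((path, mode, wanted))
    return findings

def harden(docroot, apply=False):
    """Return the list of chmod changes needed; perform them only when apply=True."""
    findings = audit_permissions(docroot)
    if apply:
        for path, _mode, wanted in findings:
            os.chmod(path, wanted)
    return [f"chmod {wanted:o} {path}  (was {mode:o})"
            for path, mode, wanted in findings]

if __name__ == "__main__":
    import sys
    # Dry run by default: review the plan before calling harden(..., apply=True).
    print("\n".join(harden(sys.argv[1])) or "nothing writable by group/other")
```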

Hoping you found this article helpful.


May 09

Bluehost had been my first ever commercial host and my experience has been, well, mediocre. I won’t call it a bad experience, neither would I say that it was a Bluehost nightmare. This is the most honest Bluehost review you will ever get from someone who was on Bluehost for around 2 years and had quite a few low and high traffic domains hosted with Bluehost. Being an Indian, one is more likely to end up with shady hosts, but since my domains were doing pretty well I decided to go to Bluehost for stability, and the price and reputation were good.

After moving to Bluehost, I experienced downtime the very 2nd day, pretty significant. I got in touch with the Bluehost live chat support (pretty useless most times), who told me (in different words): this is shared hosting, we can’t do anything about downtimes or server issues, please take your issues elsewhere and switch to VPS. I very honestly told the support person that I was bringing downtime to his notice and he was asking me to shift. Suddenly he became soft and told me I had the choice to switch to another host, but they won’t take care of errant sites on the server and neither will they assure me that downtimes would be reduced. It was like downtimes are OK.

Anyway, I kept on with Bluehost as it was overall reliable. Then came the next blow: CPU throttling. It’s every blog owner’s nightmare. PHP scripts would routinely be timed out, and every time a WordPress page would load, my account would be throttled to ensure their grossly oversold servers are OK. I tried everything: using Super Cache, cleaning databases, removing overheads etc. But none of these helped. In an experiment, I myself would access a cached page of my account and still find that on each page load my account was throttled. Page source would confirm a cached page was served. I own small-sized blogs, and such throttling was giving me nightmares.

I don’t care what Bluehost tells you, but CPU throttling is a deal breaker for me; the site would become excruciatingly slow during access.

Then began the search for the new cPanel host. Stablehost was suggested by my brother as it had an offer of a 75% lifetime recurring discount. Interesting, I said, but warned him that if it’s too good to be true, it sometimes is. So I started to look for bad reviews of Stablehost, but surprisingly there was no bad review of Stablehost on the Internet, only people praising their personal customer support. I was impressed, and those who know me know that customer service should be really good to impress me.

So I have signed up for Stablehost and it’s been more than a week and I haven’t faced a single issue yet. All websites were transferred to the new account and things seem to be running smoothly. However, I hope I don’t have to eat my own words. The reason I switched was that, unlike other hosts, I can take a 6 month contract, yearly contract etc. for the same rate, so switching is easy.

The customer care has been prompt and smooth. The maximum time taken to respond was 12 hours, for a domain transfer request to be initiated; otherwise I would get a reply within 10 minutes. Such a nice standard of personal customer service is a refreshing change from the robotic customer care of Bluehost, who would routinely ask me to cancel my account in case of any downtime and never once reimbursed me for downtime.

Stablehost still has a 50% off coupon running on their website (use BDAY or TOS, both work), and if you are looking for a good, friendly host that offers realistic hosting, please have a look at Stablehost. The 5 GB space, 100 GB bandwidth plan would barely cost you $36 for the year after the discount. That’s much cheaper than Bluehost and other hosts, and they don’t grossly oversell like Bluehost.

P.S.: These are affiliate links, but the review is 100% original and not sponsored.


Oct 02

Before taking the leap and getting Tata Indicom Wimax Broadband, make sure to read the following:

The trail keeps getting murkier as I continue to press the Tata Communications customer service for answers. Here is stuff I have been able to uncover so far that should make you reconsider your decision to get the Tata Indicom Broadband Wimax service. Their more4sure offers are just bait to get customers for the long term without the added constraint of having to keep them satisfied:

1. They don’t care about customer feedback. I have given them so much feedback on problems with their prepaid broadband policies but all I get are stupid answers regarding backend people and their engineering work (@Tata – please hire better engineers). I have been told not to complain about matters which are their policy. I asked if I could get in touch with anyone who can listen to and act upon feedback and someone who actually has power in the company, I was told the answers would be the same no matter who I call. So all customer feedback basically ends up at the same place.

2. Tata Indicom broadband prepaid Wimax officially does not support VPN, so forget working on your office network/RAS. This was confirmed by their customer service:

With reference to your mail, as per the resolution for the complaint number 1083xxxx regarding VPN Connection we would like to inform you that you account is Pre paid and we cannot provide the service without SIP .

Also notice the lovely English.

3. Tata Indicom Wimax will log out in 11 hours or 10 minutes: Here is another stupid feature, implemented by an overzealous program manager at their company perhaps. The timeout for logging out your session is just 10 minutes of no activity. If your internet is not used for 10 minutes, it will be logged out. Also there is an 11 hour full logout. Even if you keep using your account, you will be logged out in 11 hours no matter what.

Conclusion: It’s imperative to consider the fact that all the above things are the result of only 1 stupid Tata Wimax feature, i.e. the JavaScript login page. If they could remove that and have automatic login for all users, things would be so much simpler for everyone. All the above problems will be solved. But the main problem is perhaps getting past the 1st level customer care to the people who actually have the power to take decisions.

If you know nothing about computers and just want to check your email etc., then this is probably the connection for you. But if you are a power user, give this a skip and get Airtel or MTNL.

If you have Tata Wimax and a postpaid/static IP account, please do not bother posting comments on this post, they will not be approved.


Aug 14

Tata Indicom clearly is the most idiotic company to have existed in the world. If disconnecting my wireline internet wasn’t enough, if having a stupid login page for all prepaid customers wasn’t enough, their new Photon+ service also gave way today.

These guys always pick the wrong guy to mess with, I break their incompetence publicly and that just embarrasses them.

I have been using the Photon+ service for over a month now. Today suddenly my Photon+ stopped working. I promptly emailed the customer care with the error I was getting. In the afternoon I got a call that some papers were missing in my application and that’s why the internet is not working. Sure enough, I called the dealer with whom I had deposited everything; all papers had been sent to Tata Indicom.

Then later I got another call from these morons. They claim that I am on a 2GB plan and have accrued a bill of 8000 rupees and hence my Internet is disconnected. My current month’s usage is around 4277MB, BTW. What the Tata Indicom billing system does is that it charges 2 rupees for every MB till your bill is generated. After that it deducts 10GB of usage from the chargeable amount and presents the bill. So the amount keeps on accumulating till the bill is generated. But their own customer care can’t understand that. Moreover, the number from which I had received the call is now switched off.

God Bless Them, sending them this link too.

Apparently, to them 10240MB is equal to 2GB or 4277>10240; in either case, maths lessons are needed by TATA.


May 29

I feel very guilty making this post while on a TATA Wimax (VSNL) connection. But the truth is that this service will eventually fail; I have almost half made up my mind to switch. It’s not that the speed is bad or that connectivity is a problem. The biggest problem comes with the implementation of their network.

There is a serious issue with the login page: each user must go through a stupid login page to do anything. Moreover, there is no port forwarding, therefore all torrent downloads are excruciatingly slow. For example, I was downloading a well seeded torrent at 6.5 kBps on my 256 kbps connection.

Another problem is no VPN: you cannot access your company’s VPN with the TATA Wimax account.

The point to be noted here is that none of these problems had existed with Tata Broadband’s original DSL.

I have been in touch with multiple engineers in TATA Communications over these issues; none were able to help me. All they would suggest was to purchase a static IP for 2000 rupees (am I nuts). MTNL gives one for free with its 256kbps plan. MTNL too has pathetic customer service, though.

Let’s hope some senior TATA Communications guy reads this and drills some sense into the stupid policy makers.


May 27

OK, it’s been 4 days since I got this connection installed, and I have gotten the pros and cons ready for quick analysis. I got the connection installed this Sunday (much to the dislike of my neighbours), and it hasn’t had significant downtime since then.

Pros:

  • Good speeds; they deliver what they promise and a little extra.
  • No hassles of wires and wirecuts.

These are the only 2 pros I can think of over a normal DSL connection. The list of cons is much longer, but these cons are very specific. I am still using the connection in spite of all these cons since they don’t affect me a lot (except for the 1st con). Really hope the antenna doesn’t ever need service.

Cons:

  • You need to have access to your roof; installing the antenna can be a sour experience if you have uncooperative neighbours.
  • The connection goes down just like that for 1-2 minutes every now and then.
  • There is a stupid login page which the normal Tata DSL login did not have. Prepaid users are forced to have this login page since they can’t get a static IP for free. Idiots have the audacity to ask me to spend Rs. 2000 extra for removing the login page. Also the connection just logs itself out for no reason.
  • Pathetic customer support, especially from the billing department. The engineers who visit your place are usually good enough.
  • No port forwarding without Static IP.