Getting Hacked: A Cautionary Tale

Posted by on Jun 5, 2016 in black hat, Information Technology, Security

If you’ve been in the IT industry for a few years, then you’ve had the wonderful experience of dealing with hackers. Whether it’s a small, simple hack into your theme to mess with your links or a larger infiltration to take over your website, hacks are a common occurrence and one every website faces. ChocolateSEO is no different. Although we’ve been safe since our inception in 2012, our strong run was marred recently by a mid-level hack that crashed our hosting and led to the hackers being able to verify ownership of C.SEO in Google Search Console.

There are different types of attacks: Denial of Service (DoS), PHP injection, brute force, and many others. For us, the attack started with a PHP injection following brute force attacks on our login screen. The goal was to erase any existing content, set up aliases to spam URLs using “chocolateseo.com”, and submit a faulty sitemap to Google using ChocolateSEO’s Google Search Console account. The “fake” sitemap contained over 1,000 spam URLs and was very well formatted. Real slick there smooth…

Clever Girl…

By having the GSC set up properly, we were alerted immediately that someone had been verified as an owner of the account (using an HTML file). As no one else was recently added to the staff, this was a very red flag. Not to mention the email, ful56675@gmail.com, being unfamiliar to the team. However, scouring the site, we couldn’t find any files matching the HTML file used to verify this Gmail address.

Spammer email ful56675@gmail.com

Once we finished chatting with the hosting company, pulling server logs, and changing all MySQL and website passwords, our co-founder, Savannah, was able to locate this wonderful little code in our blog header PHP file.

PHP code injected to verify in GSC

In short, this cool but evil little code generates a page dynamically to match any verification page Google may request. The dark side of PHP…

Now, the issue was that when we evaluated files, the modification dates on the files hadn’t been changed recently, so our first scans missed this change in our core file. After consulting sites like SecurityWeek and Sucuri, we needed a solution that would check the website (and our clients’ sites) against the known repository versions rather than checking the last modification dates. The solution we chose was Wordfence, based on the recommendations of a few good friends of C.SEO.
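To show why a comparison against known-good copies catches what a modification-date scan misses, here is an added example (not code from this post or from Wordfence). It hashes every file in a live tree and compares it with a clean baseline copy; the directory names, file names and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_to_baseline(baseline_root, live_root):
    """Report live files that differ from, are new to, or are missing from the baseline."""
    baseline, live = hash_tree(baseline_root), hash_tree(live_root)
    return {
        "modified": sorted(p for p in baseline.keys() & live.keys() if baseline[p] != live[p]),
        "added": sorted(live.keys() - baseline.keys()),
        "missing": sorted(baseline.keys() - live.keys()),
    }

def recently_modified(root, since_epoch):
    """The date-only check: files whose mtime is newer than since_epoch."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.stat().st_mtime > since_epoch)

def demo():
    """Constructed sample: a clean theme copy and a live copy with one altered file."""
    old = 1_400_000_000  # constructed timestamp (2014), long before the scan
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            root.mkdir()
            for name in ("header.php", "footer.php"):
                (root / name).write_text(f"<?php // constructed {name}\n")
                os.utime(root / name, (old, old))
        # Model what the post observed: the content differs, the date still looks old.
        tampered = live / "header.php"
        tampered.write_text(tampered.read_text() + "// unexpected extra code\n")
        os.utime(tampered, (old, old))
        # Date scan looks one hour past `old`; the hash scan ignores dates entirely.
        return recently_modified(live, old + 3600), compare_to_baseline(clean, live)

if __name__ == "__main__":
    print(demo())
```

The date-based scan returns an empty list while the hash comparison reports `header.php` as modified. For a real site the baseline would be a fresh download of the same WordPress core, theme and plugin versions.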

The Wrapper

Everyone knows that WP and PHP have their weak points, but offer a lot of great functionality. Eventually, we all hit snags like this. Being prepared and having some type of prevention are always a necessity in the IT world. For most websites, high-level encryption, RSA tokens, and secondary-verification may be a bit of overkill. But, having strong passwords, regular backups, file version controls, and programs that block login page attacks are all easy ways to avoid issues like the one we faced this past week.

And to the blackhaters… use your powers for good. Not sure if they are really based in China, but according to Whois, they are, and they are just trying to make a yen, but there are better ways to do that than attacking little guys trying to make an honest dollar.

About the Author: Chris Turner is also known as ChocolateSEO. CSEO is Chris' Nashville search marketing and consulting service offering a variety of services to help you, your company and any website maximize web-based marketing opportunities. He is the father of three girls, one boy (finally) and husband to the wonderful Savannah.