Hacked websites affecting arbi.se

Here is some information on this week's hacking activities, which have affected arbi.se and related websites.

First assessment

On Thursday 10th of November the Arbisec.com blog was compromised so that all links redirected to a Russian malware site. The blog was built on WordPress, and the first assumption was that a bug in WP or a WP plugin had been used to inject or modify PHP code. After some assistance from the Hostgator support (super support!) we realized that the attack vector was actually in the Zenphoto installation used at lofvenphotos.com.

It can be considered natural that an IT security blog will sooner or later be attacked. I take this as a recognition that Arbisec is actually recognized as a player in the security field.

Immediate response

After carefully balancing the damage level against the content and traffic on the Arbisec blog, I decided to completely remove the blog. Defeat? No, it's a blog. Arbisec tools require far more than PHP exploits to be affected.

Since lofvenphotos.com was running a vulnerable Zenphoto installation, I also decided to kill that website.

Current state

This hack led to the removal of two websites. We also got a notification from Google that bloggrejta.se was treated as malicious. As this website is designed and programmed by myself from the ground up, it took me five minutes to realize that bloggrejta.se was not compromised. So, why did Google react? Possible reasons are:

  1. Coincidence
  2. Using the same host as the hacked photo site
  3. Linking to other malicious websites (bloggrejta.se is a Swedish blog rating site, and has a lot of links)

After checking bloggrejta.se I asked Google for a review, and they decided to remove the warnings. All of you who use Google Chrome or used to visit bloggrejta.se and arbi.se received warnings of malicious content, but that should not be the case now. The reason for the warning about arbi.se was simply that we link to bloggrejta.se on every page here.

We will continue to monitor activity, and work with Hostgator and Google if problems arise.