No, it’s not safe.
No matter how much money the powers-that-be put into making the internet seem like a sunny day in the park, the internet is the technological and societal equivalent of a dark alley. From the thugs working out of mom’s basement who are trying to steal your bank account login info, to the thugs at Facebook opting you in to efforts to track, exploit and sell your every click — and intentionally making it impossible for you to opt out — there is no safe place to be on the world wide web.
I say this in the aftermath of a frustrating three days in which malicious code was repeatedly injected into my web site, causing Google to (understandably) flag my site as dangerous, thereby locking me and others out when trying to access the site via many of the more up-to-date browsers. (Google’s idea is a good one, but the implementation needs work.)
Attacks like this are so commonplace as to be normal. They are also hard to detect and hard to prevent. To the extent that I had to bash my head a bit to figure out what was going on, I cannot imagine what the average writer-turned-blogger would have done in the same situation. While these sorts of things do not rise to the level of programming or hacking, they are still complex problems with multiple possible causes.
To see what I mean, take a moment to skim through this document, which I was directed to by several sources for information on identifying and preventing malicious code injections. It’s a good, comprehensive overview of steps you can take — which, in sum, make it frighteningly clear that you have almost no chance of making your site immune to such abuse.
Not only can code be hidden almost anywhere in your site files, it can be disguised in a number of ways. If you don’t know this, and don’t know how to search for such hidden code — including unpacking JavaScript code — you stand zero chance of finding the source of your problem. Even professionals struggle with this sort of challenge, and are often reduced to reloading the site from scratch or doing a line-by-line check to make sure everything is as it should be — assuming they actually know how it should be.
After cleaning out my files once, the malicious code was injected a second and third time. I reported the issue via an online form to my site host, and received a helpful email that they would be resetting my FTP login info in order to prevent future attacks.
What I did not learn until the next day, and what my site host never broadcast in an email that could easily have been sent, was that the malicious code injections were part of a massive, company-wide attack that had been going on for three days. Only when I searched for news items myself did I discover that there were many reports about the breadth of the attack. Examples here, here, here and here.
The good news was that I was not alone, and not being singled out. To the extent that my site host was getting creamed, they are also one of the largest hosting providers, and I knew that they would be sparing no expense and effort to plug the hole. Having already petitioned Google for a review of the site, I simply maintained vigilance and deleted the code the next time it was injected. Shortly after that Google released my site from its search warnings, and the next day my site host declared the problem solved.
In the aftermath, the only thing that really surprised me was that neither Google nor my site host could connect me with the abundance of available public information about these widespread attacks. I understand that they can’t do so on a site-by-site basis, but even a simple suggestion that I check for news reports about similar problems would have saved me a bit of aggravation. (Isn’t it amazing that even the most connected tech companies still have routine difficulty integrating themselves into a real-time information flow?)
If there’s a silver lining in all this, it’s that I ran across an image glitch in Internet Explorer, which prompted me to go back and fix a CSS hack that I’d added late last year. It’s something I should have caught earlier, but it’s also a reminder that site visitors will rarely give you a heads-up if your site is not functioning correctly. (The fatal flaw of crowd-sourcing is that you often have to motivate the crowd.)
To the extent that you might have been prevented from accessing the site, or might have concerns about your exposure to malicious code on this site, I apologize for the inconvenience and frustration. I do not believe anyone visiting this site is or was at risk, and I believe the problem has been solved. At least until next time.
— Mark Barrett
Good to know and welcome back Mark.
I wouldn’t wish that experience on a dog.
Woof.