If you visited SF Signal over the weekend, it was likely that you were greeted with a malware warning. Our apologies for that. Our site was hacked.

Things are back to normal now, but I wanted to let folks know what happened since many were asking questions.

The Problem

Over the past couple of weeks, a bot was periodically gaining access to our website and modifying 3 files that were included in every single web page on the site. The bot would add an HTML IFRAME to those files, which caused any web browser visiting SF Signal to load a (hidden) web page from a website set up to distribute malware. (Every time we were targeted, a different malware site was used.) When an attack happened, it was obvious and easily remedied, but that only fixed the symptom, not the cause.
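For readers running their own sites, here is a small added example (not SF Signal's code) of the two checks that would have caught this pattern early: hashing the shared include files against a known-good baseline, and scanning their HTML for iframes that are hidden or load from another host. The site hostname, file name and sample HTML are constructed for illustration.

```python
"""Added example (not SF Signal's code): scan shared include files for the
kind of injected iframe described above. Host, file names and sample HTML
are constructed for illustration."""
import hashlib
import re
from html.parser import HTMLParser

SITE_HOST = "www.example.org"  # assumed: the site's own hostname

class IframeFinder(HTMLParser):
    """Collects every <iframe> start tag with its attributes."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))

def _is_hidden(attrs):
    """Hidden via CSS or collapsed to a 0/1 pixel box."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    dims = (attrs.get("width"), attrs.get("height"))
    return any(d is not None and d.strip("px ") in ("0", "1") for d in dims)

def _is_offsite(attrs):
    """src points at a host other than our own (relative URLs are on-site)."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", attrs.get("src") or "", re.I)
    return bool(m) and m.group(1).lower() != SITE_HOST

def suspicious_iframes(html):
    """Return iframes that are hidden or load from another host."""
    p = IframeFinder()
    p.feed(html)
    return [f for f in p.iframes if _is_hidden(f) or _is_offsite(f)]

def changed_files(contents, baseline):
    """Names of include files whose SHA-256 no longer matches the baseline."""
    return sorted(name for name, body in contents.items()
                  if hashlib.sha256(body.encode()).hexdigest() != baseline.get(name))

# Constructed sample: a clean footer include and the same file after injection.
CLEAN = "<div id='footer'>&copy; site</div>"
INJECTED = CLEAN + ("<iframe src='http://malware.invalid/x' width='1' height='1'"
                    " style='display:none'></iframe>")
BASELINE = {"footer.php": hashlib.sha256(CLEAN.encode()).hexdigest()}

if __name__ == "__main__":
    print(changed_files({"footer.php": INJECTED}, BASELINE), suspicious_iframes(INJECTED))
```

Run from cron against the handful of files every page includes, a non-empty result from either function is the signal to go look, rather than waiting for a search engine to flag the site.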

Throughout the attacks, I’ve been working with the web host to find the root cause and remedy the situation. The attack vector was ultimately found to be a weak password that allowed back-end access to our server. Once access was gained, inserting the HTML into that small set of files was trivial, and the attack bot did it automatically.

The most recent attack happened early Saturday evening. Google detected the injected HTML and thus red-flagged SF Signal as containing malware. To be clear, there was no malware residing on our servers, just a pointer in our HTML to a site that had malware residing on its servers.

The Fix

Saturday evening was when the security hole was finally found. Once it was learned how access was gained, the fix was easy. The weak password and all other passwords have since been changed and, more importantly, strengthened. This should prevent further access and further HTML injections.

Unfortunately, even though the injected HTML was scrubbed away, Google had already red-flagged SF Signal as containing malware. Anyone attempting to access SF Signal (with at least the Chrome and Firefox browsers) after the flag was raised on Saturday evening would have seen the warning. It was just a matter of asking Google to review the site again and waiting for them to drop the red flag, a process that could take up to 24 hours. The all-clear came Sunday afternoon, and SF Signal is no longer being flagged as a malware site.

The Aftermath

Hopefully, nobody who visited us was affected by this. In any case, you have my apologies for any trouble and inconvenience.

Filed under: Meta