F64 Academy is not Hacked
A few weeks ago I received word from Google Webmaster Tools that a few of my sites had been showing hacked content in the Google Crawler searches. My heart sank into my chest and I immediately went into damage control mode. I lost countless hours of sleep and worked for the better half of 2 weeks trying to correct the issue. My efforts were valiant but stifled by my inability to understand the nature of the hack.
Google Webmaster Tools was reporting several subdomains of all of my sites. For those who do not know what a subdomain is, it would look like “f64academy.members.com” or “members.f64academy.com”. However, these subdomains did not look anything like a subdomain I would create. They were listed in Webmaster Tools as:
- aaee.f64academy.com
- akdj.f64academy.com
- hjkl.f64academy.com
If you navigated to the sites, you would see spammy sales pages for cars, random listings of odd words and nothing coherent enough to be considered a web page. I consulted with Jake McCluskey as the man is like a brother to me and knows just about anything about the Web. He looked at my GoDaddy account for a few seconds and immediately spotted the issue. Remember I said I spent countless hours on this?
Jake spotted that every domain I owned had 61 DNS IP Addresses pointing to them. Typically a website should only have one, and that is called the A HOST (we discussed this in the video about making your own Adobe Portfolio Domain). Each of these A Hosts had a series of letters and numbers as their suffix, of which we noticed aaee, akdj, and hjkl.
After spotting this, we deleted the 61 fake A Hosts and magically those subdomains did not work anymore. It appeared as if someone had uploaded a DNS Zone File to my GoDaddy Account that embedded 61 fake A Host IP addresses to all 30 of the domains I own. It took quite a bit of time to clean up as there is no quick “dump file” for the DNS Zone files of all 30 domains.
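The same cleanup check can be scripted. This is an added example, not part of the original post: it reads a BIND-style zone file export for one domain and flags every A record whose host label or target IP is not on the owner's allowlist. The zone text, the allowlists and the documentation-range IP addresses are constructed; only the domain and the three host labels come from the post.

```python
# Added example: flag A records in a zone export that the owner never created.
# The zone text, allowlists and IPs (documentation ranges) are constructed.
SAMPLE_ZONE = """\
$ORIGIN f64academy.com.
$TTL 3600
@        IN  A      192.0.2.10
www      IN  CNAME  @
members  IN  A      192.0.2.10
aaee     IN  A      198.51.100.23
akdj 600 IN  A      198.51.100.24
hjkl     IN  A      203.0.113.77
"""
EXPECTED_HOSTS = {"@", "members"}  # assumption: hosts the owner created
EXPECTED_IPS = {"192.0.2.10"}      # assumption: the owner's real hosting IP


def parse_a_records(zone_text):
    """Return (host, ip) for every A record in a BIND-style zone export."""
    records, last_host = [], "@"
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip() or line.startswith("$"):  # blank, $ORIGIN, $TTL
            continue
        fields = line.split()
        if line[0].isspace():          # leading blank: same host as line above
            rest = fields
        else:
            last_host, rest = fields[0].lower(), fields[1:]
        # Optional TTL and class sit between the host and the record type.
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]
        if len(rest) >= 2 and rest[0].upper() == "A":
            records.append((last_host, rest[1]))
    return records


def audit_zone(zone_text, expected_hosts, expected_ips):
    """Return A records with an unknown host label or an unknown target IP."""
    findings = []
    for host, ip in parse_a_records(zone_text):
        reasons = []
        if host not in expected_hosts:
            reasons.append("unexpected host")
        if ip not in expected_ips:
            reasons.append("unexpected IP")
        if reasons:
            findings.append((host, ip, reasons))
    return findings
```

Calling `audit_zone(SAMPLE_ZONE, EXPECTED_HOSTS, EXPECTED_IPS)` returns the three injected hosts; running it on a schedule against each domain's export turns a one-time cleanup into ongoing detection of unauthorized zone changes.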
After deleting them all, I went into Webmaster Tools and notified Google that all Hacked content had been removed. After a few days, they responded telling me that the sites were verified as not being hacked and that they would remove the Hacked tag you see in searches.
How did the hacked content get in there?
Interesting question. I was furious when I talked to GoDaddy about how this could be possible. They reassured me that it was not a leak on their end and after digging deeper they found the following information:
- The hacked DNS Zone File was linked to Google and imported through Google Webmaster Tools [linking GoDaddy to Webmaster Tools (WMT) is a way for WMT to see your sites and index their sitemaps]
- The company behind it was Lease Web USA, out of Manassas, Virginia, from whom I am still trying to get an answer
The takeaway and lessons learned:
As you know I always want to be as open and transparent with you as possible. I wanted to alert you all of the situation sooner, but my results were inconclusive until recently. Right now I am working through the issue and will not stop until it is resolved for your sake and mine. You have no idea how violated I feel right now. It is almost like identity theft, it makes me sick to my stomach. I want to reassure you of a couple of things that you can read below.
- The site is in good condition right now regardless of the search tag saying it is still hacked. I have to wait for Google to index the site again for that to go away, and this takes time.
- Because this targeted my entire GoDaddy account, all of my sites are in limbo awaiting the removal of the false Hacked tag. Again, I am waiting on Google to index the sites again.
- Your information is safe here when you make purchases. I do not hang on to any customer information on any of my sites. I use PayPal for a reason: because PayPal handles all of the transactions, I do not have any of your vital information saved on my sites. That is all handled through PayPal.
- I have since installed SiteLock and a plugin called WordFence to ensure the content on f64Academy and HDR Insider is safe to view. All of my searches of the sites have come up negative for Malware, SPAM, and SQL Injections.
- Hackers use this form of content injection to use your site as a host for their parasite. They are essentially targeting sites that have excellent site ranking and piggybacking off of them to get their hacked content ranked in Google.
Blake, Wordfence is a good plugin, you may also consider using WP Security to identify any potential weaknesses and also iQ Block Country – its name speaks for itself.
Thanks, Steve. I wish this were something that could have been blocked on my end through the site. However, this was all through Webmaster Tools and completely out of my control :/