Posted on Mar 31, 2010 | 0 comments

Around 11:30 PM last night, the Only at Tech team became aware of malicious code that was being served through our website. It does NOT appear that this code downloaded any sort of malware to our users’ computers (our virus scans have turned up negative), but we have reason for concern because one of the affected files contained the login information for the site’s database. This means the attacker(s) could have gained access to a list of our registered users’ email addresses and hashed passwords.

The offending code has been removed. We believe this was an automated attack, and in most cases the attackers do not do anything with the users’ data. It was likely targeted at multiple sites running the same backend as Only at Tech. That doesn’t mean you should be careless if you use your Only at Tech password on other sites with sensitive data. To be on the safe side, we would recommend you change your passwords on Only at Tech and any other sites where you use the same email/password combination.

We apologize for our failure to secure your information on our side, and for any inconvenience this causes you. We’re currently in the process of upgrading to a more secure backend as part of a major site update, but in the meantime, we’ve taken some precautions to prevent this from happening again.

Technical details on the attack are below for those of you who are interested. This is Tech, after all.

Only at Tech as it appeared on Google. We love "Dancing with the Stars" as much as anyone, but…

Around 11:30 PM, routine social media monitoring of the “Only at Tech” phrase revealed an oddity in the Google search results page.  Instead of the usual Google snippet of the homepage, we encountered a link to a spammy pdf file.  Further research revealed that our site returned an HTTP 302 redirect to a randomly generated URL, but only when accessing the site with a Google user agent string.

We discovered that malicious code had been inserted into two of our files — a config file and an include file.  Both of these files contained JavaScript code of the following form:


This structure is commonly used in by malware authors to obfuscate malicious code.  Decoding the base64 string resulted in the following JavaScript file:

Reading the JavaScript confirms the evidence we had first encountered with the 302 redirect when using a Google user agent.  And more specifically, user agent strings that contain one of “google”, “Googlebot”, “slurp”, or “msnbot” were redirected to spammy/malicious pdfs.  These user agent strings are those that are used by the webcrawlers of Google, Yahoo, and MSN/Bing respectively.  The malicious JavaScript also revealed the details of how the randomized URLs were constructed.  In short, they are randomly assembled from a shortlist of prefixes and suffixes found in files on a server identified only by its IP address.

Investigating the IP address using standard online DNS tools and WHOIS queries, we found that the server was registered to a user located in Luxembourg and hosted in the same country.

Searching the Internet for some of the code snippets found in the JavaScript file, it turns out that the code is commonly available on the underground malware market.  We found discussions of the code in forums ranging from Brazil to Belize, as well as links to other compromised sites.

Though finding traces of the attack spread across the world may seem particularly frightening, this is no different than any other malicious break-in.  It is common practice among the hacker community to spread traces across the Internet, because it provides redundancy and makes tracking down the original source more difficult.

We are continuing to investigate the origins of the attack and taking appropriate precautions.  These are the steps we have taken to prevent this from occurring again:

  • permanently disabled FTP access to our webspace
  • replaced all passwords with 32+ character passwords containing over 176 bits of entropy and all character classes
  • set all files to read-only with minimal permissions
  • ensured all software is fully patched

By 1 AM, malicious code was identified and removed, and the above precautions had been taken. The Only at Tech team is doing their best to continue to handle the situation appropriately.  If you have any concerns, suggestions, or questions please contact us at [email protected].

– Andrew Ash, Programmer
– Holden Link, Designer