On Christmas Day 2009 our database-powered websites fell victim to an attack which turned them into an advertising vehicle for a malware security system which hackers were trying to sell. In a very large push which, as it now seems, had been going on for weeks, the hackers had used a method called SQL injection to insert their problematic code into our database tables, in every record where large amounts of data were stored. However, these people kept this code inoperable until Christmas Day morning 2009, when they "flipped the switch" and activated the inserted code.
What their code did was hijack your browser (unless you were using Firefox or possibly newer versions of IE) and open up a framed image of a computer scanning your drives and finding all kinds of fake viruses. It wouldn't actually be scanning your drives; it would just show an animated picture of that. So if you were on a Mac, you'd see a Windows-like OS scanning window trying to trick you into buying their software.
If you had actually fallen for their trick, you'd be installing further damaging software that would give control of your system to a hacker somewhere out on the internet.
This symptom came after a month-long (or longer) attack on more than 300,000 database systems, including our own, which, when the switch was flipped, turned our websites into an attack method against normal computer users, making the visitors of our websites the ultimate victims.
To combat this problem we proceeded to TURN OFF ALL OUR WEBSITES for the remainder of Christmas Day as well as the 26th of December till about 5:00pm to keep our customers safe and to stop the further spread of this hacker problem. During that time I had been searching for not only a solution to clean the unwanted code but a solution to keep them from entering again.
We believe that we've found the loophole that let them into our system, hardened our security, and then proceeded to remove all traces of the attack from our system.
So in a nutshell, we had all our sites, and those of our customers as well, completely shut down from 10:30 am Christmas Day to 5:00pm December 26th to prevent the spread of the attack.
I'd like to extend my deepest thanks to Jeff Knapp from Jephens Technology in New Jersey for first posting yesterday morning (Dec. 26th 2009) a fix that would work for some variations of the attack. It was that solution which led to Jeff coming up with a new solution to clean the databases in our system. He was such an incredible guy and was so willing to help me in my time of crisis. All other solutions I came up with, as well as many others I'd found, could only clean the unwanted data from smaller database fields. After we put our two heads together, we were able to come up with a solution which is not only very powerful, but also very flexible and fast at cleaning up the mess left by the hackers. Because of Jeff, our system is now clean and safe to allow our customers to come back to our web sites and surf them.