Folks,
Now that we've been able to completely understand what occurred, we're now in a position to clearly communicate what happened with the malicious site warnings that were presented by Google and numerous anti-virus software programs.
First, yes, we were hacked in a concentrated effort by spammers in Russia to infect the site with malware. And they were good... very good.
What happened:
A hacker was able to upload a script that allowed him to compromise some of our JavaScript source files, which redirected some browsers to remote sites that attempted to deliver malware to visitors to RadioReference.com. The point of entry was our internal trouble ticketing system, which had not been upgraded in a while and had a vulnerability which allowed the malicious upload. They also uploaded a back door in a separate part of the site to allow them to continue to try to infect the site whenever we cleaned up the offending code.
When this occurred, Google noticed the problem, sounded the alert to Web visitors, and blacklisted our site for approximately 18 hours after we cleaned up the initial problem. We initially thought we had cleaned the site of the malware; however, the hackers were able to use the second backdoor they installed to infect the site with progressively harder-to-detect JavaScript and configuration changes on our Web servers.
How we fixed the problem.
First, after many days of fighting with the hackers, we identified the trouble ticketing application as being the point of entry, so we took it completely offline. We then took the entire site offline to perform a forensic analysis to see the points of entry, what files were modified, and how they did it.
After that, we completely re-installed all of our Web servers and restored all of our site code from a backup. We then audited the entire new infrastructure for any threats (there were none). We then brought the site back online.
Why we didn't initially identify what happened
Well, we didn't fully understand what happened. We initially thought that Google had misidentified some of our JavaScript, due to the way that Google initially reported the problem to us (it looked harmless). Additionally, these guys were good. They specifically targeted RadioReference and spent a lot of time researching how our site and infrastructure were put together, which allowed them to prevent us from identifying what occurred.
With that said, I can report that the site is completely clean, the point of entry corrected, and processes in place to make sure that this never happens again. I can also report that we believe the only purpose of this hack was to spread malware to visitors, as the hackers only changed JavaScript and code files to distribute the malware. Our audit indicates those were their only actions.
Thanks for everyone's patience while we resolved the issue.
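The forensic step described above (working out which files were modified or planted, and re-checking after each cleanup) is the kind of comparison a file-integrity baseline makes mechanical. The script below is an added example, not RadioReference's own tooling; the web-root layout, file names and contents are constructed samples.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example: compare a live web root against a known-good copy (for
# instance the tree restored from backup) and report what differs. Any path
# listed as "added" or "modified" is something to inspect before going live.

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def diff_trees(baseline, live):
    """Classify every path as modified, added (absent from baseline) or removed."""
    return {
        "modified": sorted(p for p in baseline if p in live and baseline[p] != live[p]),
        "added": sorted(p for p in live if p not in baseline),
        "removed": sorted(p for p in baseline if p not in live),
    }

def demo():
    """Build a constructed clean backup and a tampered live copy, then diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp, "backup")
        live = Path(tmp, "live")
        for root in (backup, live):
            (root / "js").mkdir(parents=True)
            (root / "js" / "app.js").write_text("function init(){}\n")
            (root / "index.html").write_text("<html></html>\n")
        # Constructed tampering: a JS file gained extra content, and an
        # unexpected file appeared under an upload directory.
        (live / "js" / "app.js").write_text("function init(){}\n/* appended content */\n")
        (live / "uploads").mkdir()
        (live / "uploads" / "ticket.php").write_text("<?php /* unexpected file */ ?>\n")
        return diff_trees(hash_tree(backup), hash_tree(live))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Re-running the comparison against the same baseline after each cleanup shows whether a second backdoor has re-introduced changes.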