How is this even possible?

McG explains his most recent online change:

I’ve never heard of a hacker inserting malicious code on a purely static web page. Maybe it’s happened, but I’d have a hard time imagining it could do him any good.

It’s happened here, once, to one of the old Movable Type pages that were left in a static state after the fall of 2006. What happened: someone weaseled in through some unknown method (FTP?) and pasted a bunch of spam links at the bottom of the page. I didn’t notice it for some time; all I know is it happened between May 2015 and October 2016. Eventually I deleted the whole page and pasted the actual content into a WordPress post. (With the original comments, yes.)


  1. McGehee »

    26 October 2017 · 7:43 am

    Well, now I know. Still, unless they somehow managed to direct additional SEO mojo to that particular page, I’m mystified as to what the benefit could have been to the perpetrators, other than as a proof of concept.

    If it were to happen on my site, I’d be able to know because of the auto-upload/download system — the only activity on there should be my own.

  2. CGHill »

    26 October 2017 · 7:44 am

    One advantage of your setup, clearly.

  3. McGehee »

    26 October 2017 · 9:37 am

    Plus, FastMail requires app-specific passwords, and all such logins that get created on my account appear on my dashboard.

  4. fillyjonk »

    26 October 2017 · 12:41 pm

    I was wondering what McGehee was wondering: what possible good is it to the perpetrators? Every time I delete a would-be comment containing nothing but spam, I go “Guys? Like, 20 people read this blog. It’s NOT gonna help you, stop trying.”

    I suppose the answer is it’s cheap and bot-driven, so it effectively costs nothing, so ANY chance someone is more likely to visit that particular “Canadian pharmacy” or whatever is a benefit.

    Faugh. The things we have to put up with in the modern world.

  5. Holly Hunter »

    27 October 2017 · 9:46 am

    Speaking of this, I’m seeking advice: does anybody know why I should NOT freeze my credit at all three credit agencies? There’s some debate about just doing fraud alerts instead, but I think it’s worth it to go ahead and freeze it, considering how much personal data the thieves took?

  6. fillyjonk »

    27 October 2017 · 10:40 am

    It costs money (and time) to unfreeze it, like if you needed financing for a car.

    I have a fraud watch on mine, will probably see about renewing it at the end of the 3 months. Though I suspect at this point, for everyone, the personal-information horses are so far out of the barn they’ve already drowned in the ocean, or some other mixed metaphor.
