What Happened
February 3rd, 2010
Hi everyone.
So, this morning I woke up to find that abominable.cc had been hacked. I’m currently working on a fix, so please bear with me. Today’s comic is finished and I’d like nothing more than to present it to you before the day is out.
Fingers crossed…
UPDATE: Now that I’ve moved to a new host and rebuilt the site, all traces of the hack are gone. I apologize to everyone who was affected and I’ll leave this post here in case anyone has information to share regarding fixes.
February 3rd, 2010 at 11:34 am
That is terrible! Hope no serious damage was done.
February 3rd, 2010 at 11:41 am
Ick. Well, good to see things back up and running quickly. I’m not a stranger to being hacked either, it’s never fun, but with backups at least recovery is quick and relatively painless.
Love the comic too, I used to have some serious anxiety, but at least I was never this bad :D
February 3rd, 2010 at 11:44 am
Hello,
I checked this webcomic this morning as my morning routine and found that the abominable.cc address redirected to another page. Then, all of my other pages were shut.
Think there is a serious threat here? None of my virus software went off but I just want to hear from the sauce of the problem.
February 3rd, 2010 at 1:32 pm
FYI, at 10:30 am PST the site is trying to force a download of an “application/pdf” document. Since I have Firefox set to ask what to do with a .PDF it couldn’t open the file, but it made 20 attempts to do so.
February 3rd, 2010 at 1:37 pm
I am also getting the forced download of an “application/pdf” and my anti-virus program is identifying it as a trojan.
February 3rd, 2010 at 1:37 pm
Right, and “http://www.ssdfsdfwefwefwe.com/\{gzip}” is the name
February 3rd, 2010 at 1:53 pm
Wow. I’m having a hard time figure out why you would be the target of a hack.
Whoever’s behind it obviously has some issues. Hope the full recovery won’t be too painful.
February 3rd, 2010 at 3:04 pm
I think that this site was re-directed to a site you can read about here (taken from Norton)
http://safeweb.norton.com/report/show?url=ssdfsdfwefwefwe&x=0&y=0
It may be a little lacking but still better than nothing. Looks like the server is located in the Netherlands.
I myself use Firefox + NoScript and was extremely surprised to find that this site wasn´t working.
February 3rd, 2010 at 3:31 pm
I’m sorry that you had to go through the bother Karl! Hope things are easily resolved. Personally, I suspect Sissi.
February 3rd, 2010 at 6:03 pm
Hey all! I think I’ve removed all of the offending code and things seem to be back to normal. Hopefully none of you were affected by whatever trojan this thing was trying to send you.
I also urge everyone using Internet Explorer to please switch to Firefox, Safari or Google Chrome for your own safety.
Hopefully we’ve seen the last of this!
-karl
February 3rd, 2010 at 9:00 pm
Or Opera. ;)
It’s a good browser… :p
February 3rd, 2010 at 9:49 pm
I’m seeing a pattern here…
Abominable, interestingly enough, is not the only webcomic I know of that’s getting the hackers. League of Evil Genius suffered a severe security breach and the author lost most of his comics and had to manually back them all back up just before Christmas.
Coincidence?
February 4th, 2010 at 12:41 am
Good stuff bringing everything back up, I personally didn’t see the harm.
Think of it this way though, if you were hacked you’re pretty popular (That’s how I thought about it when my manga fansite got hacked (I was like 15 :D 9 years ago )
February 4th, 2010 at 1:18 am
Hi Karl,
I have had the exact hack yesterday on my blog. Can you let me know what happened? I am not able to find out where this iframe code is which is trying to download from two websites that is mentioned above. However, I am able to find it just below my Google analytics code.. any help would be very helpful..
February 4th, 2010 at 1:52 am
There’s an increase of hacking recently – do your best to secure the rest of the sites =\
February 4th, 2010 at 2:28 am
Let us know who dared to do this dastardly deed and we shall expunge them.
February 4th, 2010 at 5:38 am
Who hacks THIS website? Really?!?!? I must be so very old to remember when hacking meant something… you hacked AIG or Goldman Sachs, or the some official type place. You don’t hack a damn artist website with art just sitting here actually making the a better place inherently by its high comedy and high art. Thats just pitiful. Damn illiterate script kiddies! No respect!
February 4th, 2010 at 5:38 am
*making the web a better place
February 4th, 2010 at 11:04 am
yah, I wondered why my school’s antivirus blocked it yesterday, I was like, omg, no!
February 4th, 2010 at 1:04 pm
The hacker should be covered in honey and left for ants and skunks to torment. the hacker needs to consult the cockroach psychiatrist. Covered with mud and tied to the crow tree …
February 4th, 2010 at 6:05 pm
I was hit by this [from your site] (in Firefox no less, since it went through a pdf vulnerability). It installed the rogue software “internet security 2010″, which promptly locked down the task manager, command prompt, and registry editor, and then started showing fake virus alert pop ups to try to get me to pay for it. Ironically my actual antivirus, Symantec, didn’t notice anything. I had to boot into linux from a live cd to mount the drive and manually delete the trojan’s files, and then fix the registry.
Basically, I’m technically competent, and this took me several hours to fix. The people who were hit by this yesterday and don’t know how to do this stuff are probably still screwed.
(Also, I’m writing this post from within a virtual machine; I’m not dumb enough to spend hours fixing my computer and then come right back to the place that broke it without some serious protection)
February 5th, 2010 at 1:26 pm
WordPress has some interesting (known) vulnerabilities. You should always check Secunia regularly. http://secunia.com/advisories/product/6745/?task=advisories
Glargh, “Internet Security 20XX” trojans are nasty. Never, ever assume you can remove any virus/trojan/etc from the infected O.S. Always boot to a known-good device (Linux CD, UBCD4Win, etc, etc.)
February 5th, 2010 at 2:47 pm
The hack was a script of some sort that added a bunch of code to every pHp file in my Wordpress installation, including all of the themes and plugins.
I manually removed the added code (it all started with a chunk of pHp code that included the term ‘eval64′) and did a complete reinstall of Wordpress.
I found out from one of the Comicpress authors that exporting your blog via the Wordpress ‘Tools’ menu will NOT carry with it any files that might be infected. So you can reimport your database entries into a new installation without worry. Just watch out for any infected themes or plugins!
I hope none of you were infected too badly by this thing and I apologize for any hassle or lost time it may have caused.
-karl
February 6th, 2010 at 5:05 am
Glad to see the site back up and running! *phew!*
February 6th, 2010 at 7:02 pm
I got hit by the thing also, apparently from here; several less-drastic measures failed, but reinstalling WinXP completely over itself got rid of it, it seems. Sorry this happened to your website!
–Dave
February 7th, 2010 at 12:05 pm
See, it’s safer to subscribe through RSS feeds… that way I’m shielded from any nasty surprises like this… :)
February 7th, 2010 at 6:29 pm
Eek, I’m glad I didn’t visit during that timeframe, or I’d probably be rather screwed over right now!
February 8th, 2010 at 8:58 am
T-T I was hit with the virus from this site.. it did everything to me that Glargh said. Only >_< I am not technologically competent. I f****ing had to crash my computer and I've lost everything, all my music and pictures. *sigh* -_-;
It's alright. It's not your fault, Karl. It's a shame that someone would do something despicable like that.
At least I now completely understand what happened exactly. I was like "WTF did I do wrong?!!" My computer is '07 and I've never had a virus before.
February 8th, 2010 at 1:05 pm
Ugh. I’m so sorry about this, guys.
I’ve locked everything down as best I can now, an I’m moving to a new host soon, with a new installation of Wordpress, so I should be free of any possible viral remnants.
So far, things seem okay now. If any of you still get reports of malware from this site, please let me know!
February 8th, 2010 at 5:57 pm
Why would anyone even bother to hack cool webcomics like these? Jealousy?
February 8th, 2010 at 6:42 pm
Just pissed me off. Staples wanted $150 for viral removal but I lose my programs while Best Buy wanted fuggin’ $200 to keep everything. *Rolls eyes* I told them to kiss my @$$ and just dumped my computer. I keep my money.
February 9th, 2010 at 8:37 am
I’ve encountered this virus numerous times before while cleaning out PCs. If you can access another PC, download and install MalwareBytes onto a flash drive. As long as the virus hasn’t gone through your system (by means of you clicking on things), you should be able to run the program and safely remove the files from your system. If you google this particular virus you’ll find tons of info on it and more detailed instructions on how to rid yourself of it.
February 9th, 2010 at 4:56 pm
But I’m still not exactly sure what the name of the virus is or how you normally find the name of a virus. Care to share with us, Eric? I’m interested so that I can prevent something similar to this happening to me in the future.
February 10th, 2010 at 2:44 am
Hey guys,
I don’t think this hack was exclusive to Karl’s site, nor to webcomics in general… I got a notice from my host (Media Temple) a few weeks ago that they were aware of an exploit of WordPress’ php files that sounds awfully similar to what happened here.
It sucks lunchbags, but I guess it’s part of the price of teh interwebz.
Karl > love the comic, as usual!
February 11th, 2010 at 2:07 am
Karl, what was the vulnerability in WordPress that let them get in? None of the unpatched vulnerabilities I see on the Secunia site look like they would let someone take over like that, and there haven’t been any security patches since WordPress 2.9 was released (2.9.1 didn’t contain any security fixes that I know about). Or were you running a version older than 2.9? I’m managing several WordPress sites so I would really like to know if there’s something I need to be doing besides just staying up to date with the latest version.
February 11th, 2010 at 1:46 pm
That is so stupid, I know how you feel, my site was hacked several years ago and hosts blamed me telling that it was me who gave the access to a random user. So well the funny troll wrote a message on my index and deleted all my content, and my hosts didn’t accept responsability.
Now I’ve changed hosts and I had no troubles with hacking ever since then.
I hope you’re able to restore your site. *thumbs up*
February 13th, 2010 at 1:09 am
Cor, who hacks our beloved Charles Christopher!?!!? I need to find them and hit them with a board.
I feel really bad for everyone who got zapped. That sucks, and I hope you get your stuff back. Thanks, Karl, for jumping on it as quickly as you did.
February 17th, 2010 at 4:54 pm
you’re going to make me cry!
February 17th, 2010 at 6:43 pm
Phow, thanks god I was offline yesterday! This drive-by infections are one of the worst things which happens to the internet! Here’s an advice for all windows user: Never ever use an account witht administrator rights for your daily routine, use a restricted one! And a hint for Firefox users: Install the “NoScript” add-on. It blocks scripts unless you allow them.
February 18th, 2010 at 2:17 am
The Robots have taken me. Please send help.
February 24th, 2010 at 1:19 pm
The link to Finnish translation dosen’t seem to work… It leads to a another site.
February 24th, 2010 at 1:36 pm
Thanks, FinnishReader. Fixed!