Update on malware issue

Hi everyone,

I just wanted to post another update as well as more information. The update is that the site has been reevaluated by Google and given a clean bill of health, so we are up and running again (yay!). If you are still seeing the warning, it is because the change in status has not propagated to your part of the web yet, but it will soon.

I’ve pieced together the order of events and wanted to clarify the steps that were taken on this end and steps that are being taken to improve our security and communication in the future. So — what happened over the past few days:

  • Apparently, sometime Sunday evening, a hacker began injecting malicious code via several servers in our host’s server bank using URLs. The hacker did not access any of Hyena Cart’s databases or information that is stored on the site. Here is a quote from our host:

    “The core issue was the attack from the IP which we blocked yesterday; it had affected multiple servers. Once we blocked that IP, no more sites were blacklisted in Google. In most of the servers, the issue was due to vulnerable WordPress plugins, but we haven’t found any such occurrence in hyenacart.com. Also, no traces of malware injection have been reported in the last 24 hours of HTTP requests.

    Since we haven’t found out the exact issue, we will monitor the server for the next few days to see whether injection attempts occur again. As a preventive measure we have updated ModSecurity to the latest version.”

  • By Monday morning, Google had noticed the malware on the site and had blacklisted Hyena Cart. Tickets and Facebook posts began to trickle in regarding the issue.
  • By 11:12 am, I was aware of the issue and contacted the host about it. By 11:40, they had isolated the issue and blocked the IP that was injecting the malware. At this point, the site was secure and no viruses were being installed by the site.
  • At noon, I replied to the few wall posts regarding the issue. From my computer, all issues were resolved and no warning messages were showing in my browsers.
  • For the rest of the day, I had very limited access to the internet, but monitored my email (which gets notification of Facebook wall posts — usually) to ensure things were still under control. Since I did not see much activity, I assumed things were fine. This would have been the point in time to issue a broader communication to everyone about what was going on, but because 1) I knew the site was secure, 2) I didn’t realize that warnings were still being shown, and 3) I did not have the time to sit down and compose a well-worded and well-informed note, I did not do this. I sincerely, sincerely apologize for this, but please understand that I was making the best decision I could, balancing all of the priorities I had, and based on the information I had at the time.
  • At this point, the site was safe, but Google had not yet changed its status. Thus, people were still getting warnings, even though the site was secure.
  • At about 9:30pm, I was able to get back online and realized that there had been many people still unsure about whether to access the site and a *ton* of conversation I hadn’t realized was happening. I have done my best since to respond to everyone in as timely a manner as possible.
  • As of this morning, Google has removed HC from its blacklist and the warning messages have been going away as this change in status propagates across the web.
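The host’s note above says they blocked the attacking IP and will watch the HTTP request logs for further injection attempts. As an added example (not part of the original post, and not anything Hyena Cart or its host actually ran), here is a small Python check that does that kind of review over web-server access logs: it flags every request from a blocked address and every request whose URL carries an injection-looking payload, so an attacker who comes back from a different IP is still noticed. The IP addresses, log lines and payload patterns are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" access-log format (regex written for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Heuristic signatures of injection-style payloads in the request URL.
# These are assumed patterns chosen for the example, not a complete rule set.
PAYLOAD_RE = re.compile(
    r'(<script|base64_decode|eval\(|\.\./|wp-content/plugins/[^ ]*\.php\?)',
    re.IGNORECASE,
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode %XX escapes so encoded payloads such as %3Cscript%3E become visible.
    rec['decoded_path'] = unquote(rec['path'])
    return rec


def find_injection_attempts(lines, blocked_ips):
    """Return (ip, decoded_path, reasons) for each request that came from a blocked
    IP or carries a payload-looking URL. A request can match for both reasons."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec['ip'] in blocked_ips:
            reasons.append('blocked-ip')
        if PAYLOAD_RE.search(rec['decoded_path']):
            reasons.append('payload')
        if reasons:
            hits.append((rec['ip'], rec['decoded_path'], reasons))
    return hits


def attempts_per_ip(hits):
    """Count flagged requests per source address, to spot a new source the IP block misses."""
    return Counter(ip for ip, _, _ in hits)


# Constructed sample log lines (documentation-range addresses; not real Hyena Cart traffic).
SAMPLE_LOG = """\
203.0.113.45 - - [09/Jul/2012:20:14:07 -0500] "GET /index.php?page=%3Cscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jul/2012:20:15:30 -0500] "GET /shop/item/1234 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.45 - - [09/Jul/2012:20:16:02 -0500] "GET /wp-content/plugins/foo/up.php?cmd=eval(base64_decode HTTP/1.1" 403 - "-" "curl/7.21"
192.0.2.9 - - [09/Jul/2012:20:17:44 -0500] "GET /css/style.css HTTP/1.1" 304 - "-" "Mozilla/5.0"
192.0.2.9 - - [09/Jul/2012:20:18:10 -0500] "GET /index.php?p=../../../etc/passwd HTTP/1.1" 404 - "-" "Mozilla/5.0"
""".splitlines()

# The address the host said it blocked (assumed value for the example).
BLOCKED_IPS = {'203.0.113.45'}

if __name__ == '__main__':
    hits = find_injection_attempts(SAMPLE_LOG, BLOCKED_IPS)
    for ip, path, reasons in hits:
        print(ip, ','.join(reasons), path)
    print(dict(attempts_per_ip(hits)))
```

The point of the second match rule is the caveat in the host’s own note: blocking a single IP stops that source, but it does not tell you whether the same payloads are arriving from elsewhere. In the sample data the third source (192.0.2.9) is never blocked yet still sends a traversal attempt, and only the payload rule catches it.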

For anyone who contracted the virus, it was the “Live Security Platinum” virus. Please see this page for more information.

If you would like compensation for featured time or paid time because of yesterday’s outage, please contact us at support@hyenacart.com.

Obviously, my response to the issue yesterday was not perfect. It is not a simple task, deciding when and how broadly to communicate with the group. There are multiple ways of contacting you, including direct email, this blog, and Facebook. I tend to try to contact only the people who are affected and, based on what I knew on Monday morning, I tried to do just that — replying to the Facebook wall posts, emails, and support tickets that had come in before noon. If I had known later in the day how widely people were being affected, I would have prioritized making a wider communication, but the lack of emails in my inbox reassured me that things were fine.

As mentioned in the quote from the host, steps have been taken to increase security on the server. As for communication, I am trying to figure out how best to manage and prioritize communications. This is my proposal:

  • Direct email — I will reserve this for what I feel are “Code Red” situations (where passwords, addresses, or other personal information stored in HC databases are at risk).
  • Blog — I will continue to use this to update sellers on software updates and other critical information that is important for you to know. You do need to opt in to receive emails of blog updates.
  • Facebook page — I will use this for more ‘everyday’ communications — cool products, fun tidbits. I’ll also use it for broader communication in the event of site outages.

As I’ve mentioned on the Facebook page, I understand that some of you may feel the site is undersupported for your business needs. But for those of you who weigh the pros and cons and find that HC is still right for your business, I am profoundly grateful for your understanding and so happy to have you on the site. Thanks again for all your support!

14 Replies to “Update on malware issue”

  1. Thank you for the update. I would like to say though, that this blog was not a valid source of communication – it was also subject to Malware warnings when I tried to open the last email you sent.

  2. Hi Shadow — thanks – I did realize that after the fact and cross-posted to the Facebook page. In future, when the site is down or inaccessible, the Facebook page will be the main communication avenue.

  3. I would prefer a direct email for something like this. A quick “the site was hacked and we’re on it. I’m sorry for the inconvenience and I will get back to you just as soon as it’s safe and I have more information” would have been fine. It would give you time to work on it and work on a well thought out response like the blog post.

    I didn’t get the virus, but I could have easily gotten one if I hadn’t been warned off by Chrome. IE was still letting people get to HC. If I’d gotten an email I’d have known to avoid HC.

    Anyway, my 2 cents

  4. I would also like email notification of things like this, as I don’t have a Facebook and don’t plan on getting one, so anything on there would be useless to me.

  5. I also agree on the email. For ANY security or business affecting issue you should be emailing your customers. With the mobility of this customer base and the fact that, like you, we are all juggling many hats, in all honesty, this should have gone out in ALL your forms of communication to get to as wide an audience as possible. This would serve you well on multiple fronts: your direct customers (shops) can protect themselves and their customers, and the downline customers will not have a negative experience which could turn them off of HC altogether, affecting you and many other businesses. I think with the level of struggles HC has had that there would be the extra effort.

  6. Ok – thanks for the input everyone. Because the site was already secure, I did not choose to email everyone. But I will rethink what criteria to use to decide when to do the mass email.

  7. I accidentally deleted the email and couldn’t reply. They are actual virus attacks. Two since around 8pm cst. A couple people have posted on the Facebook page as well

  8. Karen,
    From what I’ve seen on Facebook, here, and other fora, many many of your customers are frustrated with the lack of information about what is going on. It’s not the bright flash of figurative bombs going off in the night, but the long radio silence in the darkness that scares them the most.

    I recognize that any business doesn’t want to air out its dirty laundry to the public until it absolutely has to, or until the public finds out about it first. In this case, they’ve found out about it: your web host let your site get compromised twice in less than 7 days.

    I suggest you adopt a completely open, honest and most importantly verbose policy.

    Update this blog at least daily. Update your Facebook page at least twice daily. Tweet at least 4 times daily. Prepare a canned email pointing those who ask for an email to these outlets.

    In your updates, tell your customers what you’re doing to solve their concerns, with whom you’re working to do it, and when they should expect to hear from you again.

    Honestly, from IT and PR perspectives, you’ve done a lot of things wrong this go around. But you’ve also done a lot of things right. Keep it up, and keep your paying customers coming back.

    Wish you the best,
    Keith (husband of one of those customers)

