Late last night I realized that the traffic for Question-Defense.com was way down for the day and thought it was related to some recent updates I had performed on the site. I spent probably an hour or so last night verifying that nothing was out of the ordinary with the site and wasn’t able to find any issues. Upon waking up this morning, the traffic again was extremely low for this time of the day, even on a Saturday, so we started to investigate. One of the referrers for which traffic had dramatically decreased was Google, so we went to Google and performed a search that we knew would return a link to Question-Defense.com. Sure enough, upon clicking on the link in Google we hit the question-defense.com URL and were then immediately redirected to finditnow.osa.pl. Below we describe the issue in more detail, provide specifics about how our site was hacked, and provide the information needed to locate and resolve the problem.
A company I work with uses Gmail to log exception emails from our Ruby on Rails application. This allows us to always capture issues with the application and keep a lengthy history of all the issues without using up disk space on the server itself. Sometimes, if there is an issue on a development server that is not fixed right away, we may get thousands of identical emails into the Gmail account, and it benefits us to clear these out from time to time since they can number over 50,000 at times. The example image below shows our Ruby on Rails application exception inbox from Gmail.