Note: This post has been recreating after restoring my site from backup.
This morning, I woke up to a message from Google. Normally I’m very hesitant to open or click these. So I checked the full message headers (View > Message > All Headers), copy pasted the URL it was asking me to click into TextEdit, and looked at it letter by letter. It appeared legit. Someone had added themselves as a new owner for my website:
I went ahead and manually visited https://www.google.com/webmasters/tools/user-admin, selected my account, and sure enough there was a new “owner” listed as of today. To unverify the hacker, I had to go to my website and remove the Google-specific verification file from my system:
I did that. They could just have as easily unverified me the same way.
I should point out that I not only use four-word passwords but each four-word password has additional strings of numbers and symbols following or interspersed within it. I’m not sure how my security was compromised but it was. I have of course updated my password for the site.
Next, I tried to get in to start finding files modified within the timeframe of the hack. And then, I immediately discovered that Apple has removed telnet from macOS 10.13. (update: turns out I was thinking of the wrong tool. I needed ssh, which I later used to go in to a command line.) So I went in instead using CyberDuck, an ftp client. It wasn’t nearly as easy to track through many hundreds (thousands?) of files as it would have been at the command line but I think I got ?most? of the problem fixed.
What I found was an incomprehensible “consig.php” file, about 500 image files — each one about 4-8 bytes in size, and masses of items added to sitemap files.
If you’ve had experience with this kind of hack, I would greatly appreciate any additional advice you have. Thanks in advance.
Here’s Google’s help page about when you don’t recognize a new owner: https://support.google.com/webmasters/answer/7281924