There was some good news: The developer had given the passwords to the marketing person, who even knew where they were and passed them on to me. At this point, the higher-ups were begging IT to rectify the issue, given that nobody could really access our site without getting infected with Trojans.
Upon logging in, I was horrified when I verified that even though the marketing person had kept the content current, the back end hadn't received even one update in two years!
Two years is an eternity on the Web
The first thing I thought of was to restore a recent copy of the website, but I was again horrified when I found that the most recent backup was the initial one the Web developer had done a couple of years ago.
Next I checked to see if there was actual malware hosted on our website. There wasn't any, so the main problem seemed to be scripts that were directing our visitors to malware sites. Why ISPs don't shut down such sites, I don't know — but that's beside the point.
It took me quite a few hours to look at the scripts, the .htaccess file, hidden iframes, and the rest to try to get rid of the malicious scripts. As a precaution, I changed all the passwords on the site and scanned the marketing person's computer for malware — fortunately, I didn't find anything. After everything looked OK, I made a backup of the site and put in a request to Google that we be removed from the blacklist.
So much for not involving IT.
The higher-ups had been too cheap to pay for maintaining the back end of the site — why spend money to update when everything is working? But the mess showed them they couldn't just leave things alone. Though the Web developer had called it a day the second after he finished setting up the site, at least the Web hosting provider offered a yearly service to perform maintenance on the back end, which the higher-ups signed up for. Baby steps, I guess.
I wonder how much of a hit our company's reputation took from the experience. My guess is that in itself cost way more than what they were trying to save.
Sign up for CIO Asia eNewsletters.