How to delouse your Wordpress blog. With added Pokemon and pew pew pew noises.

by Kelley

in freaking the fuck out, that was stupid.

Today a post from Magneto Bold Too IT support.  A little public service announcement about how to conquer arsehats that come in, make themselves at home and shit all over your metaphorical carpet.

Yesterday morning I got a message from one of my Facebook lovelies saying that my blog was coming up as a suspected malware site.  To me everything looked fine, except that my Dashboard was all screwy but I just put that down to NOT UPDATING WORDPRESS YET (*slaps head and then bashes it on the keyboard for good measure*).  I hollered out to my Twitter peeps asking if anyone else had any problems and everyone was all ‘nup, looks good to me!’ and were probably secretly thinking I was trying to up my stats or ad hits or something…

Anyway, one person was all ‘you have been hacked girl, check your source code’.

Oh. My. Freaking. GOD!

HUNDREDS of links to unsavoury {unlike this here wholesome blog *snort*} sites were at the end of the source code.

*insert freak out of EPIC proportions and caffeine IV drip*

After TWELVE HOURS of work and many tears of frustration {and episodes of The Big Bang Theory and then the Matrix while waiting for downloads} we were rid of those uninvited visitors.

And you can be too.

Over to you, MB2 support…

*CAVEAT #1* This is mucho geeky – read carefully, take big breaths, have coffee. It’s not rocket science. Yet.

*CAVEAT #2* Don’t log into your WordPress admin area. Because the site’s been compromised, don’t trust the WordPress built-in scripts. We’re doing a lot of this by hand, until we’re pretty sure we’re safe to log in and modify stuff automatically.

Overview:

0. Backup
1. Modify Infected files
2. Update WordPress
3. Change Passwords

Requirements:

FTP Client (FireFTP Plugin for Firefox will do. Use the Terminal or CLI if you’re brave and crazy)
Your site’s FTP location, username and password.  If you don’t know, talk to your admin, pass this job onto the person who set your blog up, or find a friendly 13 year old l33t h4ckz0r.
A Text Editor (Notepad (Win), TextEdit (Mac), whatever came with your OS).
*RECOMMENDATION* Firefox 3.5 (or greater) and the NoScript plugin. Freakin awe … wait for it … some.

Procedure:

0. Backup

You do this regularly, right? Right. Me too. Every 3rd leap year. *sigh*

a) On your local computer, create a folder with a name that reflects what it is. E.g: BackupBlog-Nov-2009
b) Open your FTP client.
c) Enter your site details – site, username & password.
d) Somewhere in the preferences, you will have to turn on the ability to see hidden files. (FYI: files whose names start with a ‘.’ (period, dot, full stop …) are hidden by FTP sites and most operating systems. We want to see them so we can fix them.)
e) Copy everything from your site to that folder you created, so that it looks identical – the same file structure, same folder names, same every freakin’ thing. Compare and check you have it all.
f) Vow to yourself that you will do this regularly.
g) Really mean it this time.

Some sites suggest logging in and backing up your database, or exporting your postings. Problem is, your infected blog’s scripts can’t be trusted. Bugger.

1. Modify Infected files

The best sites for advice are here <http://www.kyle-brady.com/2009/11/07/wordpress-mediatemple-and-an-injection-attack/> and <http://www.techyshell.com/internet/how-to-remove-iframe-trojan/>. Read them first (but do *nothing* – just take it in) then come back. It’s O.K., I’ll wait …

… Right. Welcome back. To reiterate, we’re looking for files named:
.htaccess (these are invisible (like that cloak in the Harry Potter movie …), so set your FTP client to see hidden files)
index.php in root folder
wp-config.php in root folder
index.php in wp-admin folder
index.php in wp-content/yourtheme/ folder
default-filters.php in wp-includes folder
any file starting with ‘PE’, followed by gibberish numbers and ending with ‘.php’

We can’t just delete them – we need to download (to your computer), examine, edit and save back (to your site) if necessary. Some we will delete. And we will enjoy doing it too.

I looked and found copies of these files in many folders. Go through each carefully and meticulously.

When you find one:

i) Download it to your computer (I created a folder on my desktop just for this purpose).
ii) Make a copy of the file and rename it. eg: I renamed index.php to index-bad.php (this is so if you fark it up badly, you can always go back to the copy and compare).
iii) Open the file with your text editor.
iv) Examine, then edit and save or delete depending on what’s in there:

a) If a file (any ‘index.php’ or ‘wp-config.php’) contains something similar to this code:

<?php eval(base64_decode("JGw9Imh0" … a long string of nasty bullshit … "BAJHI7DQo=")); ?>

delete from "<?php eval(" to ")); ?>". Be careful, as there may be many instances of stuff between similar characters. What we want to delete is one whole block of (pus-ridden) code.

Once you’ve cleaned it – save it back to your site.

b) If a file (normally ‘.htaccess’) contains something like:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://you-search.in/in.cgi?4&parameter=sf [R,L]

delete from ‘RewriteEngine On’ to the last line in the block. Again, be careful, there may be ‘legitimate’ code in there with similar commands. This is in one big (steaming shitty) block, with a list of search engines and sites.

Remember – your ‘infection’ may not look identical to the text above. Use your common sense. It’s a list of search engines and sites.

Once you’ve cleaned it – save it back to your site.

If the .htaccess file contains *only* that pattern of code – you can nuke it! Yep, delete the son-of-a-bitch from your site. Pew Pew Pew. Take that – mothafarker!

Feels good, doesn’t it? This is a long campaign, you have to celebrate where you can …

c) any file starting with ‘PE’, followed by gibberish numbers and ending with ‘.php’

Delete it. No farking around. Make ‘Pew Pew Pew’ noises. Have fun with it. You know you want to …

v) Check, check and check

If you know what you are doing, you can use geeky tools to search for the strings above in your backup to make sure you’ve missed nothing.
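For the geeky-tools crowd, here is an added example (written for this post, not MB2 support’s own script) that checks the three patterns above across your local backup copy, never the live site: it strips every ‘<?php eval(base64_decode(…)); ?>’ block (there can be more than one), removes only the referrer-keyed redirect block from .htaccess while keeping the normal WordPress permalink rules, and flags PE<numbers>.php files. The sample strings are constructed to mirror what the post quotes; example.invalid is a placeholder host.

```python
import re
from pathlib import Path
# (a) one whole <?php eval(base64_decode("...")); ?> block; straight or curly quotes both match
EVAL_BLOCK = re.compile(r'<\?php\s*eval\s*\(\s*base64_decode\s*\(\s*[\'"\u201c\u201d]'
                        r'[A-Za-z0-9+/=\s]*[\'"\u201c\u201d]\s*\)\s*\)\s*;?\s*\?>', re.I)
# (b) referrer-keyed RewriteCond lines plus a RewriteRule that bounces visitors off-site
REFERER_COND = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}', re.I)
OFFSITE_RULE = re.compile(r'^\s*RewriteRule\s+\S+\s+https?://', re.I)
PREAMBLE = ('rewriteengine on', 'rewriteoptions inherit')
PE_FILE = re.compile(r'^PE\d+\.php$', re.I)   # (c) dropper files named PE<digits>.php

def clean_php(text):
    """Strip every injected eval block (there may be several); returns (cleaned, count)."""
    return EVAL_BLOCK.subn('', text)

def clean_htaccess(text):
    """Drop the referrer-redirect block, keep legitimate directives (WordPress permalinks
    also start with 'RewriteEngine On'); returns (cleaned, number of lines removed)."""
    kept, pending, removed = [], [], 0
    for line in text.splitlines():
        if line.strip().lower() in PREAMBLE or REFERER_COND.match(line):
            pending.append(line)           # may belong to the bad block; decide at the rule
        elif OFFSITE_RULE.match(line) and any(REFERER_COND.match(p) for p in pending):
            removed += len(pending) + 1    # the whole block goes, preamble included
            pending = []
        else:
            kept.extend(pending + [line])  # ordinary directive: keep whatever was pending
            pending = []
    return '\n'.join(kept + pending), removed

def scan_backup(root):
    """Walk the local backup copy; return (relative path, rule, count) for every hit."""
    hits = []
    for path in (p for p in Path(root).rglob('*') if p.is_file()):
        if PE_FILE.match(path.name):
            hits.append((str(path.relative_to(root)), 'PE dropper', 1))
        elif path.name == '.htaccess' or path.suffix.lower() == '.php':
            clean = clean_htaccess if path.name == '.htaccess' else clean_php
            if (n := clean(path.read_text(errors='replace'))[1]):
                hits.append((str(path.relative_to(root)), clean.__name__, n))
    return hits

# Constructed samples shaped like the post's quotes (not real malware); example.invalid is a placeholder
SAMPLE_PHP = ('<?php eval(base64_decode("JGw9Imh0")); ?>\n<?php\n'
              'require("./wp-blog-header.php");\n?>\n<?php eval(base64_decode("BAJHI7DQo=")); ?>\n')
SAMPLE_HTACCESS = ('RewriteEngine On\nRewriteOptions inherit\n'
                   'RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]\nRewriteCond %{HTTP_REFERER} .*msn.*$ [NC]\n'
                   'RewriteRule .* http://example.invalid/in.cgi?4 [R,L]\n'
                   '# BEGIN WordPress\nRewriteEngine On\nRewriteBase /\nRewriteRule ^index\\.php$ - [L]\n')
```

Run scan_backup('BackupBlog-Nov-2009') against the folder from step 0 and go through each hit by hand before uploading anything; the cleaners tell you what they would cut, the decision is still yours.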

Now open your blog via its normal URL, and make sure it’s all working.

2. Update WordPress

Because your site’s been compromised, we didn’t trust the WordPress built-in scripts. But if you’ve done the job right, you should be fine logging into your blog’s admin pages.

When I first did this, the pages looked freaky, and Firefox and/or its ‘NoScript’ plugin was telling me that I was being blocked from a nasty site. So I went back and found more infected files that I missed.

When you catch them all (‘Pokemon!’), it should look fine.

Now, find the update links and do it.

FYI: I was brave and stupid and updated WordPress manually (do a google). I don’t want to do it again. Ever. Thank googleness for the backup. I thought I broke it (and feared for my life!). 10 mins of sweat-induced keyboarding, and we was back in business.

I had to replace cleaned config files from said backup to the site – again, google is your friend.

3. Change Passwords

Wordpress and FTP.

a) Wordpress – you can do yourself in the admin pages.
b) FTP – Gooooooooooooooogle. Some sites, you can do it, others – only the system administrator can. Be nice to your sysadmin. What they lack in social skills, they make up for in memory. Looooooooooooooong memories. Longer than Gooooooooooooooogle. Freakin’ Looooooooooooooooooooooooooooong.

So, that’s it. Good luck then, and off you go blogging.

Just update WordPress and backup more often. ‘K? Thx.

~~~~~~~~~~~~~~~~~~~~~~~~

Many thanks to NathanelB on Twitter for the links to the freaking AWESOME websites, Joyce for the heads up on the malware thingy, Sue for handholding and advice and ALL my Twitter and Facebook peeps for keeping me sane and sending hugs.


{ 24 comments… read them below or add one }

1 Nicole Beltane November 16, 2009 at 12:01 pm

Great to see that you were able to fix the mess that some piece of crap created. Just reading the above post had me confused and left with a migraine, so I can only send sympathies, hugs and a bucket load of coffee and chocolate to you and your awesomeness.

2 Joyce November 16, 2009 at 12:13 pm

Hooray! I can see your blog again!

Mwah


3 Jayne November 16, 2009 at 12:13 pm

Scum sucking arseholes…no match for Teh Awesome Heeled One! ;)

4 Veronica November 16, 2009 at 12:24 pm

Yay, glad to hear you’re back in business.

5 Fern November 16, 2009 at 12:31 pm

Glad to hear you’re back and porn free again!

6 Fern November 16, 2009 at 12:32 pm

Haha, I got a “Sorry, you’re comment has been blocked because it featured the word ‘porn’, are you sure you want to go ahead?” message from Wordpress. The lolz were strong.


7 Lightening November 16, 2009 at 1:00 pm

Gawd Kell – I didn’t understand 1 word of all that!!! I sure hope it doesn’t happen to my blog. *sigh*

Go you on getting it fixed though!!!!

8 Kel November 16, 2009 at 1:42 pm

I have no clue what the fuck any of that means. I am just glad your blog is all cleaned up.

9 AmberDBTD November 16, 2009 at 2:16 pm

die fuckers! Down with the hackers.

10 Laz November 16, 2009 at 2:32 pm

By the looks of it this hack is happening only to those who are hosting their web site on MediaTemple.net. No one outside of this site has complained of the exploit happening to them.


11 The Accidental Housewife November 16, 2009 at 2:33 pm

Dude, you SMART. I am so not a L33t H@xz0r. I’m a n00b. I hope this doesn’t happen to me!

12 Renee November 16, 2009 at 3:18 pm

I have been contemplating starting a blog.. I’m what I think you bloggers call a lurker.. I very rarely comment but I am an avid reader.. I think the above post has just decided for me.. This shit is all a little too complicated and I think I’ll go back to lurking..


13 Sue November 16, 2009 at 4:54 pm

Excellent explanation of how to fix the problem – please ignore my FB message asking you how you did it :-)

I use the plugin wp-backup to send me a copy of my database, by email, weekly and make sure I have a copy of my current template on my hardisk. Hostgator does a weekly backup too so if all else fails I can pay them $15 to restore their backup for me but last time I had a nasty they did not charge me to reinstall my own backup.

Glad to see you up and running again.

14 Krissa November 16, 2009 at 5:08 pm

Oh shit. I lost you right after, “Over to you, MB2 support…”.
I’m too fuckin stupid to have that much trouble…. Yeah. I’m safe.

15 river November 16, 2009 at 5:25 pm

I understood maybe 5% of all that, so I think I’ll stick with non-blogging, thanksverymuch, and regular backing up of files to my external hard drive. I have many, many family photos scanned in that I couldn’t bear to lose, including family tree stuff dating back to 1834. I had a trojan infection earlier this year and emailed a local computer doc who helped me clean it up. I didn’t have to do anything like what you’ve detailed above, just downloaded a program he recommended and set it working. Now it does a full scan once a week. So far, so good.


16 Ian November 16, 2009 at 6:38 pm

I get a headache even attempting to read all that stuff whatever it means. However if it solved your problems its all good then

17 Kelley November 16, 2009 at 6:45 pm

If I can follow it, y’all can.

Yeah, I am invoking my inner Texan.

Cause that is how I speak in my head when doing techie stuff.


18 Marylin November 16, 2009 at 8:43 pm

Phew well done you! I’m with Ian though – headache even from *reading* that! >_<

19 Fiona (Ms Fifikins) November 16, 2009 at 11:27 pm

You are just very clever solving it all! And it is showing in my rss reader thingy again too so is rooly trooly fixed!

20 Martin November 17, 2009 at 5:49 am

You realise you have the blogging equivalent of the clap.

Tramp.

21 Ree November 17, 2009 at 2:42 pm

Holy shit Batman. You really did all that? Muy Impressed, here.


22 Jeanette November 18, 2009 at 6:06 am

You got that sorted quickly!! Sounds like a heck of a palaver though.


23 Nikki aka Widdle Shamrock November 18, 2009 at 10:40 am

Pie equals em cee squared.

No idea what happened or how you fixed it.

I wanna know why these feckers do this kind of stuff? It’s juvenile and ridiculous.

24 Hotmamamia November 19, 2009 at 3:09 pm

You have got to be kidding…this makes you even more awesome because I would just close my blog and start a new one and say screw it to the history…I mean, I can’t even download a song..glad you got your site back to where you want it to be…WHEW!