This blog is clean of malware. However, that wasn’t the case last night, so if you saw weird behavior when visiting before today, that may be why. And if you see weird behavior moving forward, please leave a comment and let me know! Here’s what happened:
Last night, while I was preparing the bus post, I noticed that sometimes when I went to the main site, I would get redirected to some spammy rr.nu domain. I thought it was a fluke the first time it happened, but then it happened two more times. Around this time, one of my friends was encountering Google warning them away from the blog, like so:
It turns out that at some point in the last few days, stevenglassman.de was hit by malware. I believe most of the changes were from February 21st, but it might have been earlier. I’m not certain of the point of entry, but a lot of things needed to be updated, so it might have been as simple as PHP injection. When I noticed this, I did a reinstall of all the core WordPress files, and I also reinstalled the theme that I’m using. This killed off most of the badness, but I was still seeing spammy rr.nu links at the bottom of every page. In addition, something was generating a .logs directory which contained a list of the spammy links. When I deleted that directory, it came right back.
Ultimately, I did all of the following:
- Deleted all of the themes except the one I’m using.
- Removed ALL of the plugins except for Akismet (anti-spam) and Jetpack (statistics).
- Removed Jetpack and installed it fresh.
- Changed my MySQL password.
- Changed my web user password.
- Changed the blog password.
- Disabled FTP for my web user entirely. (I never use it anyway; I rsync or scp files.)
- Went through individual files all over the server and pulled out obfuscated base64 code that was designed to cause more mayhem.
- Didn’t get a lot of sleep.
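The file sweep in the list above (hunting for obfuscated base64 code, a regenerating .logs directory, and files changed around the suspected compromise date) is the kind of triage that is easy to script. The following is an added example written for this post, not code from the blog or from WordPress: it builds a small constructed WordPress-like tree in a temporary directory, flags PHP files that feed a decoder straight into eval(), lists files modified after a cutoff time, and reports top-level directories that do not belong to the standard layout. The theme name, payload and .logs contents are invented for the demo.

```python
"""Added example (not the blog's own code): a defender-side triage scanner for a
WordPress install. It flags PHP files carrying the obfuscated-eval pattern the
post describes, lists files changed after a cutoff time, and reports unexpected
top-level directories. All paths and file contents here are constructed."""
import base64
import os
import re
import tempfile
import time
from pathlib import Path

# Signatures of injected PHP: an eval() fed by a decode/deobfuscation call, or a
# long base64 literal handed straight to a decoder.
SIGNATURES = {
    "eval-of-decoded-payload": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long-base64-literal": re.compile(
        r"(?:base64_decode|gzinflate)\s*\(\s*['\"][A-Za-z0-9+/=]{80,}['\"]", re.I),
}


def scan_php_files(root):
    """Return sorted (relative_path, signature_name) pairs for every PHP file
    under root that matches one of the signatures."""
    root = Path(root)
    hits = []
    for path in root.rglob("*.php"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                hits.append((path.relative_to(root).as_posix(), name))
    return sorted(hits)


def files_modified_since(root, cutoff_epoch):
    """Return sorted relative paths of files whose mtime is newer than
    cutoff_epoch; useful when the rough compromise date is known."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime > cutoff_epoch
    )


def unexpected_top_level_dirs(root, expected=("wp-admin", "wp-content", "wp-includes")):
    """Return sorted names of top-level directories outside the expected
    WordPress layout, e.g. a dropped '.logs' directory."""
    root = Path(root)
    return sorted(p.name for p in root.iterdir() if p.is_dir() and p.name not in expected)


def build_demo_site(base):
    """Create a constructed mini site: one old clean file, one freshly injected
    theme footer and one dropped .logs directory. Returns a cutoff timestamp
    one week in the past (hypothetical 'compromise window')."""
    base = Path(base)
    (base / "wp-admin").mkdir()
    (base / "wp-includes").mkdir()
    theme = base / "wp-content" / "themes" / "demo-theme"  # hypothetical theme name
    theme.mkdir(parents=True)
    clean = base / "index.php"
    clean.write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
    # Constructed payload: a harmless echo, base64-wrapped the way injected code is.
    payload = base64.b64encode(b"echo 'constructed sample';" * 8).decode()
    (theme / "footer.php").write_text(
        "<?php\n/* footer */\neval(base64_decode('" + payload + "'));\n")
    logs = base / ".logs"
    logs.mkdir()
    (logs / "links.txt").write_text("constructed-spam-link\n")
    # Make the clean file look older than the compromise window.
    old = time.time() - 30 * 86400
    os.utime(clean, (old, old))
    return time.time() - 7 * 86400


def demo():
    """Run all three checks against the constructed site and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        cutoff = build_demo_site(tmp)
        return {
            "php_hits": scan_php_files(tmp),
            "recent": files_modified_since(tmp, cutoff),
            "odd_dirs": unexpected_top_level_dirs(tmp),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run against a real install, each finding is a lead to inspect by hand rather than a verdict: legitimate plugins occasionally use base64_decode for assets, so the point of the scan is to shrink the pile of files to read, not to delete anything automatically.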
By the time all of this was done, the spam link finally stopped appearing at the bottom of every page on the site. The .logs directory stopped being regenerated. I haven’t lost any of my posts, and everything else seems to be intact. However, I’ll be re-setting lots of tiny things over the next week or so, reinstalling Wordbooker and lj-xp (my crossposting plugins), and so forth.
On the plus side, this clean start gives me the opportunity (I choose to call it an opportunity) to work on some design elements of the blog that I’ve been procrastinating.
We now return you to your regularly scheduled blogging about life in Regensburg, Germany.