This blog is clean of malware. However, that wasn’t the case last night, so if you saw weird behavior when visiting before today, that may be why. And if you see weird behavior moving forward, please leave a comment and let me know! Here’s what happened:
Last night, while I was preparing the bus post, I noticed that sometimes when I went to the main site, I would get redirected to some spammy rr.nu domain. I thought it was a fluke the first time it happened, but then it happened two more times. Around this time, one of my friends was encountering Google warning them away from the blog, like so:
It turns out that at some point in the last few days, stevenglassman.de was hit by malware. I believe most of the changes were from February 21st, but it might have been earlier. I’m not certain of the point of entry, but a lot of things needed to be updated, so it might have been as simple as PHP injection through an outdated component. When I noticed this, I did a reinstall of all the core WordPress files, and I also reinstalled the theme that I’m using. This killed off most of the badness, but I was still seeing spammy rr.nu links at the bottom of every page. In addition, something was generating a .logs directory which contained a list of the spammy links. When I deleted that directory, it came right back.
Ultimately, I did all of the following:
- Deleted all of the themes except the one I’m using.
- Removed ALL of the plugins except for Akismet (anti-spam) and Jetpack (statistics).
- Removed Jetpack and installed it fresh.
- Changed my MySQL password.
- Changed my web user password.
- Changed the blog password.
- Disabled FTP for my web user entirely. (I never use it anyway; I rsync or scp files.)
- Went through individual files all over the server and pulled out obfuscated base64 code that was designed to cause more mayhem.
- Didn’t get a lot of sleep.
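The step of hunting through files for obfuscated base64 code is the one that is easiest to get wrong by hand, so here is a small scanner as an added example. It is not from the original post or from any WordPress tooling; it looks for the classic injected pattern where PHP passes base64-decoded (or otherwise decoded) text straight to eval, and for the regenerated .logs directory mentioned above. The decoder names in the pattern and the directory layout are assumptions for illustration.

```shell
# Added example, not code from the original post.
# scan_wp_tree DIR: list PHP files under DIR that eval() decoded text, and
# report a .logs directory at the top level. Returns 0 if nothing was found,
# 1 if there is at least one finding, so it can gate a deploy or a cron check.
scan_wp_tree() {
    root="$1"
    # eval( followed by one of the usual decoders is rarely legitimate in a
    # theme or plugin; the decoder list is an assumption and can be extended.
    pattern='eval[[:space:]]*\([[:space:]]*(gzinflate|gzuncompress|str_rot13|base64_decode)[[:space:]]*\('
    hits=0

    # Split find output on newlines only, so paths with spaces stay intact.
    oldifs=$IFS
    IFS='
'
    for f in $(find "$root" -type f -name '*.php' -exec grep -lE "$pattern" {} +); do
        echo "SUSPECT (obfuscated eval): $f"
        hits=$((hits + 1))
    done
    IFS=$oldifs

    # The dropper described in the post kept recreating a .logs directory
    # holding the spam link list; its presence is a sign the dropper is alive.
    if [ -d "$root/.logs" ]; then
        echo "SUSPECT (dropper artifact): $root/.logs directory present"
        hits=$((hits + 1))
    fi

    echo "$hits suspicious finding(s) under $root"
    [ "$hits" -eq 0 ]
}
```

Run it as `scan_wp_tree /path/to/wordpress`. Treat each hit as a lead to open and read, not as something to delete automatically: a few legitimate plugins do decode embedded data, and an injected file often sits beside a clean one of the same name, so a reinstall of core and theme files followed by a rerun of the scan is the cleaner way to confirm the tree is really empty.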
By the time all of this was done, the spam link finally stopped appearing at the bottom of every page on the site. The .logs directory stopped being regenerated. I haven’t lost any of my posts, and everything else seems to be intact. However, I’ll be resetting lots of tiny things over the next week or so, reinstalling Wordbooker and lj-xp (my crossposting plugins), and so forth.
On the plus side, this clean start gives me the opportunity (I choose to call it an opportunity) to work on some design elements of the blog that I’ve been procrastinating.
We now return you to your regularly scheduled blogging about life in Regensburg, Germany.
My condolences. I didn’t get this exact issue, but I did change all my passwords after the breach announcement a few weeks ago. Then I got an email from an online gambling webmaster that let me know I had some hidden redirects that were pointing to his sites and damaging their reputation. I did many of the same things you did, except I didn’t reinstall WP. I offloaded all unneeded themes and plugins, updated everything else. While I was at it, I deleted all the aborted and obsolescent websites I’ve built over the years and removed any unneeded accesses. I hope that’s the end of it.
When I started digging in, I found that there were shell scripts and other bad mojo in my other sites as well, dating back to well before this blog existed. January 2011, to be specific.
I believe the original attack vector was not anything I did, because I never used PHP on any of my sites before WordPress; I believe that the original vector was the little image script that Victor put on BocaMenus.com back when he was running it for me.
I’m shocked! Steve was exploited! 😮
Steve dealt with it swiftly and effectively, and his Google malware alert lasted only a few hours.
Are you still with DreamHost? I got a notice to change all my passwords a couple-three weeks ago. That was lots of fun, coming up with new FTP passwords for all the domains I’m holding.
Yes, I’m still with Dreamhost. I don’t think this was related to that, to be honest.
Steve, thanks for the suggestions. I did the exact same thing…PLUS I found a script here: https://github.com/walkeralencar/rrnuVaccine . Initially the script didn’t work, but I went in and found the base64 code and switched the code in my infected files and it worked flawlessly.
I’m glad my post was helpful to someone. This infection was a huge pain.
By the way, this blog has been really informative about this sort of thing: http://blog.unmaskparasites.com/