
Blog Slaughter – Nasty, Nasty Virus on all Three of my Blogs



I’ve been down for a little while because of ANOTHER nasty virus. At first my site was redirecting to bing.com.  I went into my blog editor and removed a code from every page of the editor that looked like 20 lines of letters.  Of course the next morning it was back.  My husband had to go to the host and restore the blog to a couple days before the virus.   Luckily with Godaddy this was easy.

At first I thought I caught this from dropping cards and surfing sites at EC, Adgitize or CMF but after doing a little research I think this was done by hackers who were able to figure out passwords on hosting accounts.  I was able to find a lot of other bloggers who were going through this exact same thing.  I wish I knew enough to tell people how to fix this but the best advice I can give is to marry a geek.

Just in case this happens to you – John from Daily Photo Gallery was nice enough to do a little research and found some links to others who are talking about this hack.

http://wordpress.org/support/topic/388369

http://forums.digitalpoint.com/showthread.php?t=1770144

http://forums.overclockers.co.uk/showthread.php?t=18128737

So now that I have this fixed I need to figure out how I can stop it from happening again.  There’s got to be a way to protect a website from these evil bottom crawlers.

I was able to find a few tips on WordPress.org

Some steps to take

  • Stay Calm
    • You have to stay calm to be able to deal with this situation. The first step before you respond to any security incident is to calm yourself down to make sure you do not commit any mistakes. We are serious about it.
  • Scan your local machine.
    • Sometimes the malware was introduced through a compromised desktop system. Make sure you run a full anti-virus/malware scan on your local machine. Some viruses are good at detecting AV software and hiding from them. So maybe try a different one. This advice generally only applies to Windows systems.
  • Check with your hosting provider.
    • The hack may have affected more than just your site, especially if you are using shared hosting. It is worth checking with your hosting provider in case they are taking steps or need to. Your hosting provider might also be able to confirm if a hack is an actual hack or a loss of service, for example.
  • Change your passwords.
    • Change passwords for the blog users, your FTP and MySQL users.
  • Change your secret keys.
    • If they stole your password and are logged in to your blog, even if you change your password they will remain logged in. How? Because their cookies are still valid. To disable them, you have to create a new set of secret keys. Visit the WordPress key generator to obtain a new random set of keys, then overwrite the values in your wp-config.php file with the new ones.
  • Take a backup of what you have left.
    • If your files and database are still there, consider backing them up so that you can investigate them later at leisure, or restore to them if your cleaning attempt fails. Be sure to label them as the hacked site backup, though…
  • Read Donncha O Caoimh’s guide on what to do.
    • Donncha wrote a good article on what to do if you suspect a hack; it is well worth reading through and acting on, as it goes into more depth than this page.
  • Check your .htaccess file for hacks.
    • Hackers can use your .htaccess to redirect to malicious sites from your URL.
  • Consider deleting everything.
    • A sure way to remove hacks that currently exist is to delete all the files from your web space, and clear out your WordPress database. Of course, if you do this, you would need backups to restore to, so …
  • Consider restoring a backup
    • If you restore a known, clean backup of your WordPress database, and refresh your WordPress, plugin and theme files through FTP, that will ensure all those bits are clean of malicious code. At the very least …
  • Replace the core WordPress files with ones from a freshly downloaded zip.
    • Replacing all your core files will ensure nothing is left behind in them in a hacked state. Remember to replace plugins and theme files, too.
  • Upgrade!
    • Once you are clean, you should upgrade your WordPress installation to the latest software. Older versions are more prone to hacks than newer versions.
  • Change the passwords again!
    • Remember, you need to change the passwords for your site after making sure your site is clean. So if you only changed them when you discovered the hack, change them again now.
  • Do a post-mortem.
    • Once your site is recovered, check your site logs to see if you can discover how the hack took place. Open source tools like OSSEC can analyze your logs and point you where/how the attack happened.
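
As an added example (not part of the original post or of the WordPress.org steps), the sketch below automates two checks from the list above: reading .htaccess for redirects to outside hosts and finding PHP files that carry injected encoded code. The patterns are assumed heuristics, since the post does not show the injected code, and the host names are placeholders.

```python
import os
import re
import sys

# Heuristic: a long unbroken base64-looking run, how packed injections tend to appear.
BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")
# eval() fed directly by a decoder function.
EVAL_DECODE = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# .htaccess directives that send visitors to an absolute URL; group 2 is the host.
REDIRECT = re.compile(r"^\s*(RewriteRule|Redirect\w*)\b.*?https?://([^/\s]+)", re.I)


def scan_php(text):
    """Return the names of the injection heuristics that match a PHP source."""
    checks = {"eval-of-decoder": EVAL_DECODE, "long-encoded-blob": BLOB}
    return [name for name, rx in checks.items() if rx.search(text)]


def scan_htaccess(text, own_hosts):
    """Return hosts outside own_hosts (lowercase names) that rules redirect to."""
    hits = []
    for line in text.splitlines():
        m = REDIRECT.match(line)  # commented-out lines never match the anchor
        if m and m.group(2).lower() not in own_hosts:
            hits.append(m.group(2).lower())
    return hits


def scan_tree(root, own_hosts):
    """Walk a site directory and map each suspicious relative path to its findings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != ".htaccess" and not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            found = scan_htaccess(text, own_hosts) if name == ".htaccess" else scan_php(text)
            if found:
                findings[os.path.relpath(path, root)] = found
    return findings


if __name__ == "__main__":
    # Usage: scan.py SITE_DIR OWN_HOST...; with no arguments, scan a constructed sample.
    if len(sys.argv) > 1:
        print(scan_tree(sys.argv[1], set(sys.argv[2:])))
    else:
        print(scan_php("<?php eval(base64_decode('" + "QUJD" * 60 + "'));"))
```

Run it against a downloaded copy of the site and pass your own host names so that legitimate redirects are not reported; a clean result from these heuristics does not prove the files are clean.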

Any Advice??




  1. 21 Comment(s)

  2. By Lynne on Apr 17, 2010 | Reply

    I saw the same thing on quite a few blogs with the same problem yesterday. It’s such a shame that there are people who actually get their kicks from ruining the hard work of others. Glad you got it taken care of.

  3. By Larry Brauner on Apr 17, 2010 | Reply

    I noticed that you were having problems on all your blogs. Happy everything is back to normal.

  4. By Lainy on Apr 17, 2010 | Reply

    Glad everything works well now.

  5. By Chinaren on Apr 17, 2010 | Reply

    I’ve had sites hacked like this before too. Unfortunately there’s only a limited amount you can do.

    One thing is to ensure you have the latest versions of your software downloaded. However, some of the protection needs to be at the ISP side of things.

    When this happened to me last year I ended up moving hosts.

  6. By bluecrystaldude on Apr 17, 2010 | Reply

    Wow. No wonder I was redirected to Bing a few days ago. Glad everything is working well now.

  7. By Morten Pedersen on Apr 18, 2010 | Reply

    There isn’t any more advice to give you than Chinaren already has given you. This one you can blame the ISP as long as you have the blog software up to date and your passwords are strong enough.

  8. By June Zach on Apr 18, 2010 | Reply

    I was about to send you a message yesterday about the issue. I checked this site and got an error 404 while your other two blogs were redirecting to bing.com. If the attack was done through hacking accounts then the best way to prevent it the next time around would be to regularly update your passwords: FTP, WordPress, email, hosting account, etc. Malware could be anywhere and could easily be spread so an updated high Anti Virus would be of great help.

    Glad that you are back up and running now!

  9. By John on Apr 18, 2010 | Reply

    I’m pleased you’ve managed to get rid of it. I don’t really understand what motivates people to hack blogs. What’s the point? :-(

  10. By Harriet on Apr 18, 2010 | Reply

    Holy smoke! The same virus hit me!
    I had to uninstall everything including WP and reinstall it! That nasty code was in every php file! I host with GoDaddy on Linux. I actually think the virus may have come via a spam message that was left in my spam folder.
    Glad you’re okay but, wow, what a pain!

  11. By Sheila on Apr 18, 2010 | Reply

    Lynne – I just wonder if it affects your blog when you open another blog that has already been affected – is that how they are infecting so many? If so then it’s almost impossible to stop this thing.

    Larry – Thanks!

    Lainy – Thank you!

    Chinaren – I thought about moving hosts until I started reading about other people who had this problem – it’s everywhere – all different hosts

  12. By Sheila on Apr 18, 2010 | Reply

    Morten Pedersen – I think I’ll start changing passwords weekly.

    John – I don’t have a clue – There doesn’t seem to be any point to this at all.

    Harriet – I wish I could figure out where it came from. I feel like I’m just sitting back waiting for it to happen again.

  13. By Sheila on Apr 18, 2010 | Reply

    Bluecrystaldude – Thanks!

    June Zach – Thanks for the tips.

  14. By David Funk on Apr 18, 2010 | Reply

    Like everyone else, I was wondering why I couldn’t access this site. But glad to hear the problem is taken care of.

    Have a good week my friend!

  15. By mrsblogalot on Apr 19, 2010 | Reply

    Wow! And I thought my husband was paranoid for nothing…this is not nothing. Glad you are back up and awesome job on the help links.

  16. By InspirationsUnlimited on Apr 19, 2010 | Reply

    Nice info!
    it’s sure, once I encounter that kind of virus, I’ll go into this link for help.
    Thanks!

  17. By Jen on Apr 20, 2010 | Reply

    I’m glad you got it fixed. This kind of thing just pisses me off. What can they possibly get out of terrorizing a blogger?

  18. By Kay | Window Cling Printing on Apr 21, 2010 | Reply

    This is such a hassle since you have to take a bunch of steps to turn everything back to normal, but I am glad that everything is fixed now and thank you for sharing the tips that we can do when we encounter the nasty virus.

  19. By mel on Apr 21, 2010 | Reply

    glad u were able to fix it back again. viruses are such a disaster, really

  20. By John on May 11, 2010 | Reply

    Sorry to tell you this, but you’re infected again :-( Redirects to realsafe-23 :-(

  21. By Sheila on May 12, 2010 | Reply

    John – thanks! I don’t even know what to say anymore. This sucks – but it’s fixed.

  22. By tonyknuckles @113Tidbits on Jul 2, 2010 | Reply

    Glad to see you’re up on all this craziness as well.
