The shop sulks empty during the summer travel and swimming season. A little wood butchering happens from time to time, and when I come back to write about it, I find the blog a mess. Hmmmm, I wonder if the NSA has a mailing list that can let me know when this happens?
A hacker, with IP addresses in Brooklyn, and no ethics, infiltrated the blog (and a few other WordPress sites I keep for my own use) with malware. These guys seek out all sorts of security weaknesses to squeeze into blogs and do their nastiness. I usually keep my blogs locked down pretty tight, and I ~~~think~~~ this guy slipped in through a very tiny weakness in (of all things) that really thorough security plug-in I use. What irony! They’ve closed that hole and life goes on.
These hacks are not new to me. I’ve removed several in the past. While removing them, I nose around a bit to see how they work. All hacks find their way in (into WordPress blogs, at any rate) through various methods. Sometimes, sheer carelessness of using a common administrator ID, “admin,” and a easily broken password is enough. Other times, they need to work harder. This guy had to work pretty hard.
Once in, they start with a simple script (PHP module) that drags in all the rest of the stuff they need. That stuff is almost always a variety of PHP files with names that look right at home within a WordPress installation (options.php, templates.php, etc.) The stuff is also scattered among various directories so it isn’t easily obvious, and to thwart easy removal.
This particular infection has the goal of delivering what I call “malware bombs.” If you have ever suffered one of these, you know what I mean. They infect hapless users, display a very authentic looking “you’re infected” anti-virus screen, and then proceed to lock up everything you attempt until you buy their cure for (usually) about $75. The “cure” clears the problem, erases the evidence, and you’re on your way again, poorer by $75 … and no more secure than before, ripe for yet another picking.
How does that bomb get to the hapless user? The other part of the blog infection is one that places about 1000 redirects to “advertising” pages on the blog. Each of those is to big brand names in all sorts of industries, fashion, autos, real estate, financing, etc. Each of those advertising pages will load a “malware bomb” appropriate to the end victim’s PC.
The last part of how it works is “volume.” The hacker infects as many blogs as possible, sometimes thousands. Immediately after each blog is infected, a simple transaction notifies search engines that there’s new material (those advertising pages) to index. The same sort of redirects on thousands of blogs serve to reinforce the search engine ranking and the likelihood that they will serve those results. Once indexed, hapless users trip across the loaded pages and “Ka-Bam!”
Cleanup on my end consists of completely erasing EVERYTHING, installing fresh new software (clean and virus checked), and refreshing the content by restoring a pre-infection backup of the database, and reloading all the other content related (clean and virus checked) files. If my time is worth 13 cents an hour, this part of the mess cost about $0.91. 🙂
Yes, I spent far too long analyzing logs, peering into the methods, and cleaning up the mess. One of the most interesting things I found in the logs was the hacker worked from two IP addresses in Brooklyn and checked at least twice a day to see if his (assumption) handiwork was still in place. Interestingly, the checking was done from an iPhone, and any nasty detail work by a Windows PC. After all was removed, he still came back, this day checking every half hour for a few hours until he had enough 404s to drive him away.
I wish I could have sent more than 404s! I offered logs to my service provider, as evidence if they wanted to pursue him. Sadly, all they care about is getting the #### off their servers.
Next…. what I really intended to write about, a nice little box with a carved lid.