Summer interlude

The shop sulks empty during the summer travel and swimming season. A little wood butchering happens from time to time, and when I come back to write about it, I find the blog a mess. Hmmmm, I wonder if the NSA has a mailing list that can let me know when this happens?

A hacker with IP addresses in Brooklyn, and no ethics, infiltrated the blog (and a few other WordPress sites I keep for my own use) with malware. These guys seek out all sorts of security weaknesses to squeeze into blogs and do their nastiness. I usually keep my blogs locked down pretty tight, and I think this guy slipped in through a very small weakness in (of all things) the really thorough security plug-in I use. What irony! The plug-in’s developers have since closed that hole and life goes on.

These hacks are not new to me. I’ve removed several in the past, and while removing them I nose around a bit to see how they work. Hacks find their way into WordPress blogs by various methods. Sometimes sheer carelessness is enough: the default administrator ID, “admin,” and an easily broken password. Other times they need to work harder. This guy had to work pretty hard.

Once in, they start with a small PHP script (a dropper) that pulls in everything else they need. That is almost always a collection of PHP files with names that look right at home in a WordPress installation (options.php, templates.php, etc.), scattered across various directories so that they aren’t obvious and are harder to remove completely.
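
Look-alike file names beat eyeballing a directory listing, but they do not beat a hash comparison against a clean copy of the same WordPress release. The script below is an added example, not code from the original post: it builds a manifest of SHA-256 hashes from a clean tree, audits a live tree against it, and reports PHP files that are unknown (the planted options.php and templates.php), modified (a core file with something appended) or missing. The two sample trees, their paths and their placeholder contents are constructed inline so the example runs offline.

```python
"""Audit a WordPress tree for PHP files that do not belong.

Added example, not code from the original post. It hashes every .php
file under a directory and compares the result with a manifest of
known-good SHA-256 hashes built from a clean copy of the same release,
then reports files that are unknown, modified or missing. The sample
trees below are constructed inline so the script runs offline; the
planted names (options.php, templates.php) follow the pattern the post
describes, with placeholder contents standing in for real droppers.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each .php path (relative, POSIX form) under root to its hash."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*.php") if p.is_file()}


def audit_tree(root: Path, manifest: dict) -> dict:
    """Compare a live tree with a known-good manifest.

    unknown:  .php files with no manifest entry (e.g. a dropper parked in
              wp-content/uploads under a WordPress-looking name)
    modified: known paths whose contents changed
    missing:  manifest entries no longer on disk
    """
    current = build_manifest(root)
    return {
        "unknown": sorted(p for p in current if p not in manifest),
        "modified": sorted(p for p in current
                           if p in manifest and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
    }


def write_tree(root: Path, files: dict) -> None:
    """Materialise {relative_path: text} under root."""
    for rel, text in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


# Constructed sample: a tiny "clean install", and the same tree after an
# infection that drops two look-alike files and appends to one core file.
CLEAN = {
    "wp-config.php": "<?php define('DB_NAME', 'blog');\n",
    "wp-includes/functions.php": "<?php function wp_hello() { return 'hi'; }\n",
    "wp-content/themes/twentyten/index.php": "<?php get_header();\n",
}
INFECTED = dict(CLEAN)
INFECTED["wp-includes/functions.php"] += "<?php /* placeholder: injected loader */\n"
INFECTED["wp-content/uploads/2011/07/options.php"] = "<?php /* placeholder: dropper */\n"
INFECTED["wp-content/themes/twentyten/templates.php"] = "<?php /* placeholder: redirects */\n"


def demo() -> dict:
    """Build both trees in a temp dir, manifest the clean one, audit the other."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        write_tree(clean, CLEAN)
        write_tree(live, INFECTED)
        return audit_tree(live, build_manifest(clean))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s}{p}")
```

In practice the manifest comes from a fresh download of the exact WordPress, theme and plug-in versions in use, and anything in the "unknown" list under wp-content/uploads is a file PHP should never have been written to in the first place.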

This particular infection has the goal of delivering what I call “malware bombs.” If you have ever suffered one of these, you know what I mean. They infect hapless users, display a very authentic looking “you’re infected” anti-virus screen, and then proceed to lock up everything you attempt until you buy their cure for (usually) about $75. The “cure” clears the problem, erases the evidence, and you’re on your way again, poorer by $75 … and no more secure than before, ripe for yet another picking.

How does that bomb get to the hapless user? The other part of the blog infection plants about 1000 redirects to “advertising” pages on the blog. Each of those targets a big brand name in one industry or another: fashion, autos, real estate, financing, etc. Each advertising page loads a “malware bomb” appropriate to the end victim’s PC.

The last part of how it works is “volume.” The hacker infects as many blogs as possible, sometimes thousands. Immediately after each blog is infected, a simple transaction notifies search engines that there’s new material (those advertising pages) to index. The same redirects on thousands of blogs reinforce the search engine ranking and the likelihood that those results will be served. Once indexed, hapless users trip across the loaded pages and “Ka-Bam!”

Cleanup on my end consists of completely erasing EVERYTHING, installing fresh software (clean and virus checked), and restoring the content from a pre-infection backup of the database, then reloading all the other content-related (clean and virus checked) files. If my time is worth 13 cents an hour, this part of the mess cost about $0.91.  :)

Yes, I spent far too long analyzing logs, peering into the methods, and cleaning up the mess. One of the most interesting things I found in the logs was that the hacker worked from two IP addresses in Brooklyn and checked at least twice a day to see if his handiwork (assuming a he) was still in place. Interestingly, the checking was done from an iPhone, and any nasty detail work from a Windows PC. After everything was removed he still came back, that day checking every half hour for a few hours, until enough 404s drove him away.
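
The pattern in that paragraph (a fixed set of implanted paths, polled on a regular cadence, from one device class for check-ins and another for the hands-on work, 200s turning into 404s after cleanup) is easy to pull out of an access log mechanically. The script below is an added example, not the author’s log analysis: it parses Apache combined-format lines, keeps only requests for the implanted paths, and summarises each client IP by hit count, device class from the User-Agent, status codes and the median gap between hits. The log lines, timestamps, paths and addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Triage an access log for an attacker polling an implant.

Added example, not code from the original post. It parses Apache
combined-format lines, keeps only requests for a set of implanted
paths, and reports per client IP how many times the paths were hit,
from which device classes (by User-Agent), which status codes came
back (200 while the implant lived, 404 after cleanup) and the median
gap between hits, which exposes a twice-a-day or half-hourly check-in.
Log lines, timestamps, paths and addresses (RFC 5737 documentation
ranges) below are constructed for the example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Files the cleanup removed; repeated requests for them are the tell.
IMPLANT_PATHS = {
    "/wp-content/uploads/2011/07/options.php",
    "/wp-content/themes/twentyten/templates.php",
}


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def device_class(ua):
    """Coarse device class from the User-Agent string."""
    if "iPhone" in ua:
        return "iPhone"
    if "Windows" in ua:
        return "Windows"
    return "other"


def summarize(lines, implant_paths=IMPLANT_PATHS):
    """Per-IP view of requests for the implant paths.

    Returns {ip: {"hits", "devices", "statuses", "median_gap_min"}} for
    every IP that requested an implant path at least once; other traffic
    is ignored. median_gap_min is None when an IP has a single hit.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in implant_paths:
            by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() / 60
                for a, b in zip(recs, recs[1:])]
        report[ip] = {
            "hits": len(recs),
            "devices": sorted({device_class(r["ua"]) for r in recs}),
            "statuses": dict(Counter(r["status"] for r in recs)),
            "median_gap_min": median(gaps) if gaps else None,
        }
    return report


IPHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 4_3 like Mac OS X) Mobile/8J2"
WINPC = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 Chrome/12.0"
LINUX = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/5.0"
OPTIONS = "/wp-content/uploads/2011/07/options.php"
TEMPLATES = "/wp-content/themes/twentyten/templates.php"


def _line(ip, ts, method, path, status, ua):
    return f'{ip} - - [{ts} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed log: a Windows PC plants the files, an iPhone checks on them
# twice a day, then after cleanup re-checks the (now 404) path every 30 min.
SAMPLE_LOG = [
    _line("198.51.100.7", "09/Jul/2011:23:10:00", "POST", OPTIONS, 200, WINPC),
    _line("198.51.100.7", "09/Jul/2011:23:12:00", "POST", TEMPLATES, 200, WINPC),
    _line("192.0.2.10", "10/Jul/2011:08:00:00", "GET", OPTIONS, 200, IPHONE),
    _line("203.0.113.5", "10/Jul/2011:09:15:00", "GET", "/", 200, LINUX),
    _line("192.0.2.10", "10/Jul/2011:20:00:00", "GET", OPTIONS, 200, IPHONE),
    _line("192.0.2.10", "11/Jul/2011:08:00:00", "GET", OPTIONS, 200, IPHONE),
    _line("192.0.2.10", "12/Jul/2011:09:00:00", "GET", OPTIONS, 404, IPHONE),
    _line("192.0.2.10", "12/Jul/2011:09:30:00", "GET", OPTIONS, 404, IPHONE),
    _line("192.0.2.10", "12/Jul/2011:10:00:00", "GET", OPTIONS, 404, IPHONE),
]


def demo():
    return summarize(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, info in demo().items():
        print(ip, info)
```

On a real log the implant path set comes from the cleanup (whatever files were removed), and the same per-IP summary is what you hand to the hosting provider: a short list of addresses, the device classes they used, and the cadence of their visits.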

I wish I could have sent more than 404s! I offered logs to my service provider, as evidence if they wanted to pursue him. Sadly, all they care about is getting the #### off their servers.

Next…. what I really intended to write about, a nice little box with a carved lid.

4 Responses to “Summer interlude”

  1. data|recovery|drive|services|computer|undelete|fix|repair|rescue|retrieve|clicking|format|recovery|backup|ide|sata|scsi|tape Says:

    Thanks , I’ve just been searching for information about this subject for ages and yours is the best I’ve came upon till now. However, what about the conclusion? Are you certain concerning the supply?|What i do not realize is actually how you are now not really a lot more neatly-liked than you might be now. You’re very intelligent.

  2. Brian Eve Says:

    I have to say, a bit of SPAM as your first response to this post is pretty funny.

    Spam has been plaguing my blog, too. I think it makes my blog look a lot more popular than it really is. Good luck keeping the dirtbags away from your blog.

    Now, back to woodworking…

  3. Bob Says:

    Hi Brian,
    AKISMET usually catches that sort of spam … at least about 99 44/100ths. Sometimes it retroactively recognizes it and clears it. In this case, I think I’ll leave it for the humor value. :)

    I really like Akismet (a standard for many WordPress blogs) because it is a community based filtering system that is quite good.

    You, on the other hand, use Blogger, and it is HORRIBLE with spam! It’s really sad how they handle spam, pushing the responsibility off to blog authors or readers. I find CAPTCHAs abominable and won’t tolerate them. (From a prior life as an accessibility specialist; CAPTCHAs are an absolute barrier for many people with disabilities.) Blogger, as part of Google, has access to a most excellent spam filter (in GMail) but so far has refused to use it.

  4. Brian Eve Says:

    I agree. I hate CAPTCHA, too. I don’t use it.

    However, Blogger hasn’t been doing too bad a job with my blog. I get a buttload of spam, but very little of it gets posted.

    The bigger problem is with false positives. I had to pull out a comment from the spam box from Shannon Rogers once, and also a reply from me! On my own blog!