March 2010 Malware Attack Journal
Over the weekend, two of my blogs sustained an insertion attack, so I’m sharing my experience here in case it helps you. Here is my account of my maiden voyage with an injection attack, including extensive resources for remediating an attack.
Here’s what happened this time.
3/14/2010
Upgraded to WP 2.9.1 via the netsol console (all blogs)
**this is the last time I will upgrade without backing up the site first**
Separately, I added the wptouch plugin to all blogs. I downloaded it from a link on wordpress.org, a trusted source.
Globalhumancapital.org started getting hit by a ton of fake bot comments; also executivesguide-linkedin.com. A LOT. So I went to check Akismet.
3/15/2010
When hitting ghcj and egtw, I got this error:
“Fatal error: Call to undefined function f() in /data/12/0/95/60/747549/user/763847/htdocs/blogegtw/wp-content/themes/atahualpa332/header.php on line 837” on egtw
Received identical message, with a couple of number changes, on globalhumancapital.org
All other blogs fine.
Going in through the WP admin panel, I noticed a plugin with a different encoding. And all my other plugins had been deactivated.
The fake plugin, WP-NoRef, resided in the ghcj and egtw directories, not in any other blogs, so I assume this was an injection attack and that this file rewrote some code that broke the templates.
I copied the WP-NoRef malware code, put it in a text file on my Mac, and removed both copies via my FTP client.
This was actually about 2 a.m., and I was exhausted; didn’t feel like I had the mental energy to deal with it effectively.
Temporary Victory
Took globalhumancapital.org offline with the .htaccess file. From my last injection attack, I learned that these bots like to put their nastiness in WordPress’s footer.php and header.php files, so I started by comparing the code of a healthy site (executivesguide-facebook.com) with the infected sites.
Bingo. Each header file had been completely rewritten with massive amounts of junk. It was a crude attack; the smart ones are hidden and don’t alert you by breaking your blog, they prefer to sit in the background.
So, I replaced the Atahualpa and Atahualpa332 header.php files. I conclude that they were loaded by WP-NoRef, which had installed itself in the plugins directory of the two affected blogs, but not in my other WP blogs, which were okay. Remember, I upgraded all blogs from the netsol admin console at the same time.
Now the question is, how did it install itself? I'm by no means celebrating. I have to find out how to prevent this type of thing; I had already locked down permissions last time.
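The comparison described above, a healthy install checked against the infected ones, is easy to automate. The script below is an added example and is not from the original post: it hashes the theme files the attack rewrote (header.php, footer.php) against a known-good copy and lists plugin entries that exist only in the suspect tree; the directory names and file contents in the demo are constructed, and the plugin directory name "wp-noref" is assumed.

```python
import hashlib
import tempfile
from pathlib import Path

WATCH = ("header.php", "footer.php")  # theme files the attack rewrote

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def list_plugins(root: Path) -> set:
    plugins = root / "wp-content" / "plugins"
    return {e.name for e in plugins.iterdir()} if plugins.is_dir() else set()

def compare_wp_trees(good_root, suspect_root):
    """Return (changed, unknown): watched theme files whose hash differs from
    the known-good copy (or have none), and plugin entries only in suspect."""
    good, suspect = Path(good_root), Path(suspect_root)
    changed = []
    for p in sorted((suspect / "wp-content" / "themes").rglob("*.php")):
        if p.name in WATCH:
            rel = p.relative_to(suspect)
            ref = good / rel
            if not ref.is_file() or sha256_of(ref) != sha256_of(p):
                changed.append(rel.as_posix())
    return changed, sorted(list_plugins(suspect) - list_plugins(good))

def write(root: Path, rel: str, text: str) -> None:
    (root / rel).parent.mkdir(parents=True, exist_ok=True)
    (root / rel).write_text(text)

def build_demo_trees(base: Path):
    """Constructed sample: a clean blog, and a copy whose header.php was
    rewritten and which gained an extra plugin directory (names made up)."""
    good, bad = base / "clean_blog", base / "infected_blog"
    header = '<?php wp_head(); ?>\n<div id="header">Site title</div>\n'
    for root in (good, bad):
        write(root, "wp-content/themes/atahualpa/header.php", header)
        write(root, "wp-content/themes/atahualpa/footer.php", "<?php wp_footer(); ?>\n")
        write(root, "wp-content/plugins/akismet/akismet.php", "<?php // akismet\n")
    # junk appended to the suspect header, plus an unexpected plugin directory
    write(bad, "wp-content/themes/atahualpa/header.php", header + "<?php f(); ?>\n")
    write(bad, "wp-content/plugins/wp-noref/wp-noref.php", "<?php // unexpected\n")
    return good, bad

def run_demo():
    """Compare infected vs clean, and clean vs itself as a control."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = build_demo_trees(Path(tmp))
        return compare_wp_trees(good, bad), compare_wp_trees(good, good)
```

Point it at a fresh download of the same theme and plugin versions rather than at another live blog, so that a file changed on both sites is not mistaken for a clean one.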
Live Journal
I will keep you posted here on things I find and things I do for prevention.
Update
Here are preventative measures I have taken so far:
- Changed FTP passwords on all blogs, using the maximum length that my hosting provider would allow
- Changed WordPress passwords of all users, using the maximum length allowed
- Installed four new WordPress plugins: wp-firewall, wp-spamfree, wp-securityscan and wp-malwatch
- Reactivated plugins, especially Akismet