Hacked and Back

Jul 02 2012

I’ve been delinquent, I know. No posts for a long time. Just busy being me…. and then yesterday I read a post from Steve, another Alaskan blogger, reporting on a message he received from one of his readers telling him about a warning message which said that whatdoino.steve.blogspot.com has content from borderland.northernattitude.org, a well-known malware distributor.

I was on my way out the door, and figured it was some kind of hoax. Yeah. On me.

Later on, curious, I looked at my blog and got blasted with the warning myself. I didn’t know what was going on, since I haven’t worked on the blog for such a long time. I clicked past the Warning – visiting this web site may harm your computer! message, and found the formatting on the control panel was totally gone. There was no way to make anything happen there. The blog’s front page didn’t look bad, though.

Eventually, I decided to log onto the web host’s cpanel and check some of the WordPress files. Lots of strange code there which had a monster string of text following “eval base64_decode” in dozens of files mostly in my wp-content directory, and also in the config file. These are all files that are left as-is during software upgrades since they contain the themes and plugins that allow users to customize their blogs. A regular software update wouldn’t touch them.
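The "eval base64_decode" pattern described above is easy to check for without reading every file by hand. The following scanner is an added example, not code from the original post: it walks a WordPress install, reports each PHP file whose source wraps eval() around a base64 payload (optionally via gzinflate/str_rot13), and decodes, never executes, a short preview of the payload. The sample infected and clean file contents and the path names are constructed for illustration.

```python
import base64
import re
from pathlib import Path

# Matches the injection the post describes: eval() wrapped around base64_decode(),
# possibly with extra decoders (gzinflate, gzuncompress, str_rot13) in between.
OBFUSCATED_EVAL = re.compile(
    r"eval\s*\((?:\s*(?:gzinflate|gzuncompress|str_rot13)\s*\()*\s*"
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{20,})['\"]",
    re.IGNORECASE,
)

def scan_source(text, path="<memory>"):
    """Return (path, line_no, decoded_preview) for each obfuscated eval in one file."""
    findings = []
    for m in OBFUSCATED_EVAL.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        try:
            # Decode only; the payload is never executed.
            decoded = base64.b64decode(m.group(1), validate=True)[:60]
            preview = decoded.decode("utf-8", errors="replace")
        except (ValueError, UnicodeDecodeError):
            preview = "<undecodable payload>"
        findings.append((path, line_no, preview))
    return findings

def scan_tree(root, suffixes=(".php",)):
    """Walk an install root (wp-content/, wp-config.php, ...) and scan every PHP file."""
    results = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in suffixes:
            results.extend(scan_source(p.read_text(errors="replace"), str(p)))
    return results

# Constructed samples (harmless marker payload) so the scanner can be run offline.
SAMPLE_PAYLOAD = base64.b64encode(b"echo 'constructed injected marker for testing';").decode()
SAMPLE_INFECTED = "<?php\n$x = 1;\neval(base64_decode('" + SAMPLE_PAYLOAD + "'));\n"
SAMPLE_CLEAN = "<?php\n$y = base64_decode($data); // legitimate decode, no eval\n"

if __name__ == "__main__":
    # Hypothetical path name; pass a real install root to scan_tree() instead.
    for finding in scan_source(SAMPLE_INFECTED, "wp-content/themes/example/footer.php"):
        print(finding)
```

Files flagged by the scanner are the ones to restore from a clean copy, which matches the approach in the post of replacing the WordPress files wholesale.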

My first thought was, “Oh well, this might help with some of my writer’s block angst. I could just trash the whole thing.” But that was just my first thought. I looked at the WordPress support pages and located a My Site was Hacked advice page. All right. Some direction, at least.

For starters, I ran some Sophos Anti-Virus software I found on my computer to see if my own machine was OK. It located a couple of files squirreled away in the Firefox profile directory that should not have been there. I dumped them, and then took care of the infected files on the server. I deleted ALL of the WordPress files and rebuilt the whole site today with a new config file. I took some precautions against repeated attacks, but I have no idea if this fix will hold. I’ve lost the links page, and there are probably several posts without images, since I recklessly deleted everything wholesale. I got back the posts and the comments, which is all that really mattered to me.

Google is still listing this site as possibly infected.

I’ve requested a Malware Review, but I don’t know how long it might take to clean this mess up. Anyone with a link in their blogroll here should probably delete it, since the google warning might mess with traffic to that site. Otherwise, know that I’m working on it, and to the best of my knowledge, it’s been dealt with. I’m sorry for any trouble this might be causing anyone else. I’m really grateful to Steve for his post about this, and for the helpful email he sent me. According to my server log, most of the mischief was done just a couple of days ago.

Borderland is on ice for now. (Not that it’s been very hot here lately.) I’ve backed everything up and locked things down, but I don’t know if the hackers still have a way in. I can re-install everything in quick order now that I know what to do. But I’m not ready to write more here just yet.

I started a new blog at WordPress.com, where I won’t have to think about server-level security issues. I plan to blog there until further notice. Just a “Hello World” post up there now. I’m going to take a little more eclectic approach to the subject matter there than I have with Borderland, and see how it goes. Might be fun.

One response so far

  1. [...] far, so good. Borderland has remained secure since I cleaned it up yesterday. And no more malware warnings from Google. [...]