Not this site, luckily. This one. Fit as a fiddle now, but here’s how I fixed my WordPress blog to recover from a malware attack.

The other day I got an odd email from Google Webmaster Tools telling me NOLAlicious was infected with malware. Given the sample of infected pages the email reported, I knew the old, neglected WordPress install had been compromised. Since the current site isn’t run from the neglected WordPress, it was an easy fix: delete the WordPress. Done. Submitted a request through Google Webmaster Tools to review the site. Hour or so later, all fixed.

Later that night, at 1:30 AM, I got a second email reporting a malware infection, but this time for my blog on Unstructured Ventures.

Email from Google reporting malware

Hmm. Deleting isn’t an option here. At one time, that blog was my main voice for analysis and commentary about business, entrepreneurship and venture capital, and was ranked in the top 30 VC blogs (and still in the top 50, according to one site). Although I don’t blog on this site anymore, it still garners a significant amount of traffic.

Thus, this wasn’t going to do:

Reported Attack Site

So I dug into Google on two fronts: exploring Google Webmaster Tools, and searching for terms to figure out how to fix my WordPress blog from a malware attack.

Google Dashboard

Google Webmaster Tools

Google Webmaster Tools had a range of articles, links and advice about assessing the damage, cleaning a website, and resubmitting it to Google once it’s cleaned.

Two articles proved tremendously valuable for understanding and finding the sources of malware on my website: Mediatemple’s Recovering from a site compromise and StopBadware’s Tips for Cleaning and Securing your site.

Google’s Webmaster Tools also helped me understand the source of the infection and test my revisions. The Malware diagnostics page (under “Diagnostics” on the Google Webmaster Tools Dashboard) shows which pages are infected; the Fetch as Googlebot tool (under “Labs” on the same dashboard) is a great way to “see the page that Google sees” for an infected site. Unable to safely view the page in my browser, I used the Fetch as Googlebot option to look at infected pages and find the offending code. It has a second advantage: you get the raw HTML without executing the injected script on your own machine, and since injected code often changes what it serves depending on the visitor’s user agent or referrer, what Googlebot receives can differ from what you would see yourself.

Safe Browsing

I originally searched for a hidden iframe in my WordPress PHP code, but didn’t find anything. My second route, searching for the unescape() and eval() JavaScript functions, quickly led me to the JavaScript creating a huge block of obfuscated code right after the body tag and right before the /body tag.

FTP’ed in, fixed the code in the WordPress PHP scripts, re-uploaded and tested the site with the Fetch as Googlebot tool: clean. Submitted a request for Google to review the site, and a couple hours later, the malware attack notices disappeared.

Clean. Done. Right? We’ll see.

Addendum

Well, that lasted a week.

Another “Malware attack” email from Google Webmaster Tools pointed out that I had only cleaned up my site half-way.

So I started digging again to find out what was wrong.

In response to a question about security, Mediatemple actually sent me a useful email that detailed some helpful links, captured below:

To begin moving forward, we strongly recommend that you utilize this article to work on recovering from a site compromise:
http://mdtm.pl/9wZwhZ

If you happen to be running WordPress, and you have noticed the appearance of an unexpected WordPress user in your database, for example “johnnyA”, “johnnyB”, or “amin”, you will want to remove those users as soon as possible. Also, here is a third-party article that you may find helpful in removing any injected code:
http://mdtm.pl/a9B5YF

If you are experiencing a “redirect hack”, in which your domain is unexpectedly redirected to an external site, please go here:
http://mdtm.pl/97iaeu

Here are instructions on how to “harden” a WordPress blog:
http://mdtm.pl/92GwYG

Additional WordPress hardening suggestions:
http://mdtm.pl/9py2Mj

For a helpful list of security best-practice articles and additional security information related to (mt), visit our newly created security resource in the (mt) wiki:
http://mediatemple.net/security

To get a wide view of more of our most recent security-related efforts, please take a look at this comprehensive blog post regarding security at (mt):
http://mdtm.pl/9gx2GB

Lastly, if you do not feel comfortable resolving compromise-related issues yourself, Sucuri.net has extended a substantial discount on their scan/cleanup services for (mt) customers:
http://sucuri.net/mediatemple

And once I started digging in, I realized I had fallen prey to the JohnnyA attack.

Using the info about JohnnyA WordPress malware on MediaTemple, I ran a search for “eval(” and found three infected files tucked away in various parts of my WordPress installation.

Re-cleaned the HTML, cleaned the PHP, re-uploaded, and everything worked again.
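The two searches described above (the first pass for eval()/unescape() JavaScript around the body tags, and the second pass for “eval(” that turned up three more PHP files) are the kind of thing a practitioner would script once and rerun after every cleanup. The script below is an added example, not code from this post or from Mediatemple; it assumes you have shell access to the web host (the post’s author worked over FTP) and takes the path of the WordPress install as a hypothetical argument. It builds a small constructed sample tree so it can run offline, scans for the injection patterns named in the post plus the common base64/gzinflate PHP loaders and hidden iframes, and lists recently changed files as a second, pattern-independent signal.

```sh
#!/bin/sh
# Added example, not the author's or Mediatemple's code.
# Usage: . ./scan-wp.sh; scan_wp_injections /path/to/wordpress
# The docroot path is a hypothetical argument supplied by the caller.

# List files containing the injection patterns discussed in the post:
# eval()/unescape() JavaScript droppers, eval(base64_decode(...)) and
# eval(gzinflate(...)) PHP loaders, the p,a,c,k,e,d packer, and iframes
# hidden with zero size or CSS. -I skips binaries, -l prints file names.
scan_wp_injections() {
    root="$1"
    grep -rIlE \
        -e 'eval[[:space:]]*\([[:space:]]*(unescape|base64_decode|gzinflate|gzuncompress|str_rot13|function[[:space:]]*\(p,a,c,k,e)' \
        -e 'document\.write[[:space:]]*\([[:space:]]*unescape' \
        -e '<iframe[^>]*(display:[[:space:]]*none|visibility:[[:space:]]*hidden|(width|height)=[^0-9]?0[^0-9])' \
        --include='*.php' --include='*.js' --include='*.html' \
        "$root" | sort
}

# PHP/JS files modified within the last $2 days. Injected files are
# usually newer than the rest of the install, so this catches loaders
# whose obfuscation the pattern list above does not know about.
recently_modified() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' \) -mtime "-$2"
}

# Constructed sample tree for demonstration only: one clean theme file,
# an eval(unescape()) dropper after <body>, a base64 PHP loader dropped
# into uploads, and a zero-size iframe. Prints the temp directory path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/demo" "$d/wp-content/uploads"
    cat > "$d/wp-content/themes/demo/footer.php" <<'EOF'
<?php wp_footer(); ?>
</body></html>
EOF
    cat > "$d/wp-content/themes/demo/header.php" <<'EOF'
<body>
<script>eval(unescape("%3c%73%63%72%69%70%74%3e"));</script>
EOF
    cat > "$d/wp-content/uploads/cache.php" <<'EOF'
<?php eval(base64_decode("ZWNobyAnaGknOw==")); ?>
EOF
    cat > "$d/wp-content/themes/demo/sidebar.php" <<'EOF'
<iframe src="http://example.invalid/x" width=0 height=0></iframe>
EOF
    echo "$d"
}

# Stand-alone demo: scan the constructed tree, then remove it.
demo_dir=$(make_sample_tree)
echo "Suspicious files:"
scan_wp_injections "$demo_dir"
echo "Changed in the last day:"
recently_modified "$demo_dir" 1
rm -rf "$demo_dir"
```

A pattern scan only finds what it has been told to look for, so treat a clean result as one input, not a verdict: compare the core files against a fresh WordPress download of the same version (diff -r) and reinstall anything that differs, check the wp_users table for logins you did not create (the “johnnyA”-style accounts Mediatemple mentions), and rotate the FTP and database passwords, since plain FTP sends credentials in the clear and a stolen password is a common way the files get re-infected after a cleanup. Then re-test with Fetch as Googlebot before requesting a review.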

I then looked further into hardening WordPress, listened to Brad Williams on WordPressTV, from WordCamp Boston 2010, and took a serious look at Sucuri, making more changes and modifications to lock some things down further.

Done. For now.

When did we all have to learn to be webmasters? Sheesh.

Hello, I'm Taylor Davidson.
I'm an early-stage VC and a photographer. If you liked this post, please subscribe to this blog. For more like this, check out the archives, and follow me on Twitter @tdavidson.
  • David

    I have several websites that were infected with malware on April 5th, 2011. However, I did not realize that my websites were compromised until 2 weeks later, when I was trying to show my site to a friend and I saw the Google malware alert. Now I think the name of the malware was a little different, something like albetternet, and when I tried to download the infected site files from my FTP my PC antivirus detected something like whitehous.org. 2 of my sites had WordPress and I found that even my database was infected. I am not sure if this was a result of some of my ads on Craigslist that took people to my websites, where someone was able to insert malicious code via WordPress comments, or if they simply guessed my web host’s FTP account credentials and infected me that way. I ended up having to delete all my website files and reload them from a backup. I also needed to restore my WordPress databases. I also found out later how to clean the compromised files, but not the database. Now if your websites get hacked, please contact me and I will help you to clean them. I’ll also help you report to Google so they can remove the blocks. I am also offering a service where I can back up your website and monitor it, the same way I am now doing with my own sites. I am also very good at removing fake antivirus programs and malware from any PCs.

  • http://www.footyfree.com live soccer streaming

    Well, the same thing happened to me now, and Google has removed me from the search engine and I have cleaned the malware. Did it happen to anyone that Google removed their rankings? How long will it take to come back?
