Announcements

How I recovered from a Malware attack on my WordPress site

Not this site, luckily. This one. Fit as a fiddle now, but here’s how I fixed my WordPress blog to recover from a malware attack.

The other day I got an odd email from Google Webmaster Tools telling me NOLAlicious was infected with malware. Given the sample of infected pages the email reported, I knew the old, neglected WordPress install had been compromised. Since the current site isn’t run from the neglected WordPress, it was an easy fix: delete the WordPress. Done. Submitted a request through Google Webmaster Tools to review the site. Hour or so later, all fixed.

Later that night at 1:30 AM I got a second email reporting a malware infection, but this time for my blog on Unstructured Ventures.

Email from Google reporting malware

Hmm. Deleting isn’t an option here. At one time, that blog was my main voice for analysis and commentary about business, entrepreneurship and venture capital, and was ranked in the top 30 VC blogs (and still in the top 50, according to one site). Although I don’t blog on this site anymore, it still garners a significant amount of traffic.

Thus, this wasn’t going to do:

Reported Attack Site

So I dug into Google on two fronts: exploring Google Webmaster Tools, and searching for terms to figure out how to fix my WordPress blog from a malware attack.

Google Dashboard

Google Webmaster Tools

Google Webmaster Tools had a range of articles, links and advice about assessing the damage, cleaning a website, and resubmitting it to Google once it’s cleaned.

I ended up depending on two articles to understand and find the sources of malware on my website: Mediatemple’s Recovering from a site compromise and StopBadware’s Tips for Cleaning and Securing your site proved tremendously valuable for me.

Google’s Webmaster Tools also helped me understand the source of the infection and test my revisions. The Malware diagnostics page (under “Diagnostics” on the Google Webmaster Tools Dashboard) allows one to understand which pages are infected; the Fetch as Googlebot tool (under “Labs” on the same dashboard) is a great way to “see the page that Google sees” for an infested site. Unable to safely view the page in my browser, I was able to use the Fetch as Googlebot option to look at infected pages and find the offending code.

Safe Browsing

I originally searched for a hidden iframe in my WordPress PHP code, but didn’t find anything. My second route, searching for the unescape() and eval() JavaScript functions, quickly led me to the JavaScript function creating a huge block of obfuscated code right after the opening body tag and right before the closing /body tag.

FTP’ed in, fixed the code in the WordPress PHP scripts, re-uploaded and tested the site with the Fetch as Googlebot tool: clean. Submitted a request for Google to review the site, and a couple hours later, the malware attack notices disappeared.

Clean. Done. Right? We’ll see.

Addendum

Well, that lasted a week.

Another “Malware attack” email from Google Webmaster Tools pointed out that I had only cleaned up my site half-way.

So I started digging again to find out what was wrong.

In response to a question about security, Mediatemple actually sent me a useful email detailing some helpful links, captured below:

To begin moving forward, we strongly recommend that you utilize this article to work on recovering from a site compromise:
http://mdtm.pl/9wZwhZ

If you happen to be running WordPress, and you have noticed the appearance of an unexpected WordPress user in your database, for example “johnnyA”, “johnnyB”, or “amin”, you will want to remove those users as soon as possible. Also, here is a third-party article that you may find helpful in removing any injected code:
http://mdtm.pl/a9B5YF

If you are experiencing a “redirect hack”, in which your domain is unexpectedly redirected to an external site, please go here:
http://mdtm.pl/97iaeu

Here are instructions on how to “harden” a WordPress blog:
http://mdtm.pl/92GwYG

Additional WordPress hardening suggestions:
http://mdtm.pl/9py2Mj

For a helpful list of security best-practice articles and additional security information related to (mt), visit our newly created security resource in the (mt) wiki:
http://mediatemple.net/security

To get a wide view of more of our most recent security-related efforts, please take a look at this comprehensive blog post regarding security at (mt):
http://mdtm.pl/9gx2GB

Lastly, if you do not feel comfortable resolving compromise-related issues yourself, Sucuri.net has extended a substantial discount on their scan/cleanup services for (mt) customers:
http://sucuri.net/mediatemple

And once I started digging in, I realized I had fallen prey to the JohnnyA attack.

Using the info about JohnnyA WordPress malware on MediaTemple, I ran a search for “eval(” and found three infected files tucked away in various parts of my WordPress installation.
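The two searches described in this post (for unescape()/eval() in the theme output, and later for “eval(” across the whole install) can be scripted so the whole tree is covered in one pass, and the email’s advice about unexpected WordPress users can be checked the same way. The script below is an added example, not the post’s own code or anything from Mediatemple or WordPress. It goes a little beyond the post by also matching base64_decode(), gzinflate() and str_rot13(), which commonly accompany injected eval() calls; the sample site it builds, and the user lists in the usage comments, are constructed for the demo. The wp_users table and user_login column are the real WordPress schema, the file names under the constructed tree are not.

```shell
#!/bin/sh
# Added example (not from the original post): find injected-code signatures in a
# WordPress tree and list WordPress accounts that should not exist.

# Patterns that typically accompany injected PHP/JS. Some legitimate plugins use
# these too, so every hit still needs a human look before anything is deleted.
SUSPECT_PATTERNS='eval\(|unescape\(|base64_decode\(|gzinflate\(|str_rot13\('

# scan_for_injected_code DIR
# Prints "file:line:matched text" for every hit in .php, .js and .html files.
scan_for_injected_code() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) -print0 \
        | xargs -0 grep -nE "$SUSPECT_PATTERNS" 2>/dev/null
}

# count_suspect_files DIR
# Number of distinct files with at least one hit (0 when the tree is clean).
count_suspect_files() {
    scan_for_injected_code "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# unexpected_users EXPECTED_FILE ACTUAL_FILE
# Prints each user_login in ACTUAL_FILE that is not in EXPECTED_FILE.
# EXPECTED_FILE is the list of accounts you know you created; ACTUAL_FILE can be
# produced from the live database with:
#   mysql -N -e 'SELECT user_login FROM wp_users' wordpress > actual.txt
unexpected_users() {
    grep -vxF -f "$1" "$2"
}

# make_sample_site
# Builds a constructed mini WordPress tree in a temp dir and prints its path:
# a clean header.php, a footer.php with an injected unescape() line after the
# closing body tag, and a stray file in wp-includes with an eval() payload.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/themes/demo" "$site/wp-includes"
    printf '<?php\necho "clean header";\n' > "$site/wp-content/themes/demo/header.php"
    printf '<?php\necho "</body>";\n' > "$site/wp-content/themes/demo/footer.php"
    # constructed injected lines (stand-ins for the real obfuscated blocks)
    printf '<script>document.write(unescape("%%3Cdiv%%3E"));</script>\n' \
        >> "$site/wp-content/themes/demo/footer.php"
    printf '<?php eval(base64_decode("Y29uc3RydWN0ZWQ="));\n' \
        > "$site/wp-includes/class-wp-x.php"
    echo "$site"
}

# Stand-alone demo on the constructed tree. To use it on a real install, point
# scan_for_injected_code at the document root instead (e.g. /var/www/html).
demo_site=$(make_sample_site)
scan_for_injected_code "$demo_site"
rm -rf "$demo_site"
```

Hits in wp-includes or wp-admin are the most telling, since core files should not change between WordPress upgrades; comparing the flagged file against a fresh copy of the same WordPress version shows exactly what was injected.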

Re-cleaned the HTML, cleaned the PHP, re-uploaded, and everything worked again.

I then looked further into hardening WordPress, listened to Brad Williams on WordPressTV, from WordCamp Boston 2010, and took a serious look at Sucuri, making more changes and modifications to lock some things down further.

Done. For now.

When did we all have to learn to be webmasters? Sheesh.

#RocktheSpill with the Gulf Coast Benefit Concert Series

Shortly after the Gulf oil spill happened, I asked “what will we do?”, a call for each one of us to think about how we’ll give back. Here’s one way for every one of you to give back: announcing a series of benefit concerts across the USA on July 1st to benefit the people and wildlife affected by the Gulf Oil Spill, called Gulf Coast Benefit Presents Coast to Coast. Attend, donate, get involved.

Gulf Coast Benefit

Back in May after the Gulf Oil Spill first happened, I had the sinking suspicion that I was going to be obsessed with the photos, videos and stories from the Deepwater Horizon oil spill disaster. Little did I know that it was going to be hard *not* to see the stories every single day. It feels like a different world today, after the impact has escalated far beyond original imaginations.

I know it’s made many of us feel overwhelmed. We see images of the suffering wildlife and environment every day. We hear the stories of the people economically and emotionally destroyed by the loss of their livelihoods, culture, raison d’être. We see the political wrangling, the outrage, the protests, and the press releases and news reports, and it all feels like too much. Many of us feel the outrage but don’t know what to do with it.

But there are many ways to get involved and help the Gulf Coast, many organizations, companies, causes and people working to help clean up and recover.

One of the newest ways to get involved and give back (and have fun!) is a series of benefit concerts across the USA on July 1st to benefit the people and wildlife affected by the Gulf Oil Spill, called Gulf Coast Benefit Presents Coast to Coast. 100% of the proceeds and donations will be distributed by the Gulf Restoration Network to help the fishermen and families impacted by the oil spill and to help with wildlife and wetlands restoration. It will be a long, hard battle, but we need to start today.

Here’s what you can do. Attend a concert. Donate online. And help spread the word.

There are more than 35 concerts being held in 18 cities across the US. If you can’t attend a concert, you can donate online.

And, of course, you can help spread the word. Blog about it (visit the website and see the online press release for more details). Tweet about it. Follow @gulfbenefit on Twitter and Facebook. Change your Twitter background and Twitter avatar to show your support.

Every bit helps.
