Dear blog owner and visitors,

This blog had been infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisioning. Your blog was serving up 390 malicious pages. Your blogged served up malware to 0 visitors.

I tried my best to clean up the infection, but I would do the following:

  • Upgrade WordPress to the latest version (one way the attackers might have gained access to your server)
  • Upgrade all WordPress themes to the latest versions (another way the attackers might have gained access to your server)
  • Upgrade all WordPress plugins (another way the attackers might have gained access to your server), and remove any unnecessary plugins.
  • Verify all users are valid (in case the attackers left a backup account, to get back in)
  • Change all passwords (for WordPress accounts, FTP, SSH, database, etc.) and keys. This is probably how the attackers got in, as they are known to brute force weak passwords
  • Run antivirus scans on your server
  • Block these IPs (5.8.18.7 and 89.238.176.151), either in your firewall, .htaccess file, or in your /etc/hosts file, as these are the attackers command and control servers, which send malicious commands for your blog to execute
  • Check cronjobs (both server and WordPress), aka scheduled tasks. This is a common method that an attacker will use to get back in. If you are not sure, what this is, Google it
  • Consider wiping the server completly, as you do not know how deep the infection is. If you decide not to, I recommend installing some security plugins for WordPress, to try and scan for any remaining malicious files. Integrity Checker, WordPress Core Integrity Checker, Sucuri Security,
    and Wordfence Security, all do some level of detection, but not 100% guaranteed
  • Go through the process for Google to recrawl your site, to remove the malcious links (to see what malicious pages there were, Go to Google and search site:your_site.com agreement)
  • Check subdomains, to see if they were infected as well
  • Check file permissions

Gootloader (previously Gootkit) malware has been around since 2014, and is used to initally infect a system, and then sell that access off to other attackers, who then usually deploy additional malware, to include ransomware and banking trojans. By cleaning up your blog, it will make a dent in how they infect victims. PLEASE try to keep it up-to-date and secure, so this does not happen again.

Sincerly,

The Internet Janitor

Below are some links to research/further explaination on Gootloader:

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/

https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

https://www.richinfante.com/2020/04/12/reverse-engineering-dolly-wordpress-malware

https://blog.sucuri.net/2018/12/clever-seo-spam-injection.html

This message

 

Quite a bit has happened in the recently mentioned interlude.  I doubt there are manyNoraapr07 people reading this who don’t already know most of this either from meatspace communications or other sources, but here’s a quick overview (in order from big and old news through to the smaller and more recent):

  • The startup I’ve called my day job (and often my night and weekend job, too) since co-founding it over a decade ago got acquired around the start of the year.  I now work for the acquiring company, in what I am still optimistic will be a good arrangement.
  • Our family has grown by 33% — the new arrival (Nora) is adorable, and rapidly approaching 3 months of age
  • Ben (kid #1) is awesome.  He’s still a toddler, so sometimes that awesomeness is hidden under, well, toddler-ness.   Seeing him turn into a big person and seeing Nora start (in Ben’s words: "she’s like a little person!") gives me this motivation and perspective that makes pretty much anything else OK.
  • After years of using the now-defunct otto, and about a year of having no viable whole-house digital music solution, I’ve switched to ampache, and so far am quite pleased.
  • I’m consolidating home computing resources.  The main file-server here now has over 1TB of useable raid-5, and everything that can be a virtual machine is.
  • It’s springtime, and my bonsai are gradually coming out of dormancy.  We had a strange winter here, weather wise, with some very warm followed by insanely cold.  I’m a bit concerned that there may be some fallout, in terms of tree-death, though it’s still too soon to tell.  Particularly troubling right now is the maple forest I planted just last year — out of 8 trees (2 planting groups), 2 have swelling buds, 6 don’t.  On a bonsai note, I realized a few months ago that a server crash over the summer resulted in the loss of quite a few notes I’d written in the form of an internal (to the home network) bonsai blog.  Bummer.
  • I have, for reasons not interesting enough to go into, switched my primary desktop computing environment to a windows system for the first time since windows for workgroups in 1994.  This is much more a reflection of the realities of the microsoft-opoly in the business world than any sort of negative commentary on the mac.  All other things being neutral, I’d still prefer a mac desktop / linux backend world, though I think I really am OS agnostic at this point (I’m even trying to get an ancient laptop wirelessly net-booting FreeBSD for a dining-room kiosk).
  • I’m hoping to take the day off today, and am planning on un-wiring / re-wiring some trees, taking a bide ride with Ben, going to gym with the whole family, and starting what I hope will be a relaxing long weekend.

ttyl.

 

The New York Times has an impressive flash-based collection of information about the tsunami.

(via WorldChanging.)

 

This is something I’ve meant to start doing for years. I’m starting now.

© 2021 layer8 Suffusion theme by Sayontan Sinha