It’s amazing how quickly things can happen.
We go to bed Thursday night, all is normal with the world.
Friday morning, I wake up to a nice “heads up” email from Lars saying our site was trying to infect anyone that came a-calling with a Trojan.
Being at work, there wasn’t much more I could do but email Cassie and ask her to take the site down, and see if there was anything she could figure out.
Over the course of the day, Cassie found that every file, in every folder and sub-folder of the entire site, had been subverted with added code redirecting people elsewhere and trying to install Trojans. It also looked like it was being done to a lot of websites, both WordPress and other PHP-based sites, though nobody had any idea what the source of the initial infection was.
Our blog’s last backup was done almost exactly a month ago. We can’t automate it; GoDaddy doesn’t allow for that. In this case, Cassie did it before we installed the WPTouch addon for mobile users. Otherwise, well, the last backup would’ve been a year or so ago.
After a full day working on it, it looked like we had a choice to make.
- Delete the entire thing and start over from scratch.
- Update/overwrite what we could, and manually edit everything else and pray we caught it all.
- Call it a day, accept that the blog was dead, and move on with our lives.
You’ll understand that running a website that infects people that visit is simply unacceptable.
Cassie told me that she was looking at 8 to 10 hours of working on it to try and recover, with no certainty that it would be 100% safe when she was done.
I told her to walk away. We’re done. I’m not going to sit here and ask Cassie to spend 8 to 10 hours of her life trying to recover from something some asshole did in 15 seconds, when we don’t know how they cracked it, and don’t know if the same prick will just do it again 2 hours after it goes back up.
Having presented such an understandable, reasonable argument, of course what she did was ignore me entirely and spend all day yesterday rebuilding the site from scratch.
She left the database of blog posts and comments alone, deleted all addon and plugin folders, deleted the theme, overwrote the WordPress install with a new one, and built the backend from scratch. Then she restored the database.
All day project.
At the end of the day, it looked like it was good. No more redirects, no more virus-scan Trojan warnings from our antivirus programs.
So, I thanked my darling wife for being incredible, and we called it a day.
This morning, I wake up to an email from Lars timed at 1:30 AM saying the blog was still compromised. No word on what, exactly, was still wrong. It certainly wasn’t doing anything to US.
If we can’t find anything wrong, how the hell are we supposed to fix it? If there even is still something there?
Cassie followed some other online resources this morning that provided instructions and a script that was supposed to automatically clear this particular infestation 100% from your website. This would go in and find it everywhere, so if you happened to miss it in a file or folder somewhere, this would finally nail its coffin shut.
Has it helped? Well, we don’t know, since we weren’t getting the indications of Trojans or redirecting. Couldn’t hurt, basically.
We still don’t know, because we can’t find any sign or trace of anything indicating we’re still hacked on the website. As far as we can tell, it’s all clear.
But “as far as I can tell we’re good” doesn’t feel good enough to me.
I recommend you either subscribe to the feed for this website, or stop visiting the website altogether. I’d really rather not risk you getting infected.
If, after reading this post (and not before), you still get a clear and absolute indication that this website is trying to redirect you or infect you with a Trojan, please let me know at tigerlordgm AT yahoo DOT com, so we can look into it. If we really are still infected after everything Cassie has done, well, put a fork in it; that’s pretty much it here.
In the meanwhile, the only reason the website is up is because Cassie is stubborn as all hell, and refused to let some script kiddie asshole win.
Maybe once it’s fixed she’ll say, “Okay, now you can kill it”, but certainly not before.
What’s going through my mind right now… this is supposed to be a pretty widespread hacking attack, affecting many WordPress sites. I don’t know if those are all self-hosted sites, or if sites hosted by WordPress itself are also affected.
What I wonder is, how many folks that write blogs woke up, looked at their trashed sites, and having no clue about this crap, faced only two choices: quit or start over from page zero.
And of those, how many chose to quit? How many people were brought down and silenced today?
How many voices went quiet because one asshole with a virus gun made the choice for everyone else?