It’s amazing how quickly things can happen.

We go to bed Thursday night, all is normal with the world.

Friday morning, I wake up to have a nice “heads up” email from Lars saying our site was trying to infect anyone that came a-calling with a Trojan.

Being at work, there wasn’t much more I could do but email Cassie and ask her to take the site down, and see if there was anything she could figure out.

Over the course of the day, Cassie found that every file, in every folder and sub-folder of the entire site had been subverted with added code redirecting people elsewhere and trying to install Trojans. It also looked like, while nobody had any idea where it was coming from as a source of initial infection, it was being done to a lot of websites, both WordPress and other php based sites.

Our blogs’ last backup was done almost exactly a month ago. We can’t automate it, GoDaddy doesn’t allow for that. In this case, Cassie did it before we installed the WPTouch addon for mobile users. Otherwise, well, the last backup would’ve been a year or so ago.

After a full day working on it, it looked like we had a choice to make.

  • Delete the entire thing and start over from scratch.
  • Update/overwrite what we could, and manually edit everything else and pray we caught it all.
  • Call it a day, accept that the blog was dead, and move on with our lives.

You’ll understand that running a website that infects people that visit is simply unacceptable.

Cassie told me that she was looking at 8, 10 hours of working on it to try and recover, with no surety that it would be 100% safe when she was done.

I told her to walk away. We’re done. I’m not going to sit here and ask Cassie to spend 8 to 10 hours of her life trying to recover from something some asshole did in 15 seconds, when we don’t know how they cracked it, and don’t know if the same prick will just do it again 2 hours after it goes back up.

Having presented such an understandable, reasonable argument, of course what she did was ignore me entirely and spend all day yesterday rebuilding the site from scratch.

She left the database of blog posts and comments alone, deleted all addon and plugin folders, deleted the theme, overwrote the WordPress install with a new one, and built the backend from scratch. Then she restored the database.

All day project.

At the end of the day, it looked like it was good. No more redirects, no more viruscan Trojan warnings from our virus programs.

So, I thanked my darling wife for being incredible, and we called it a day.

This morning, I wake up with an email from Lars timed at 1:30 AM saying the blog was still compromised. No word on what, exactly, was still wrong. Certainly wasn’t doing anything to US.

If we can’t find anything wrong, how the hell are we supposed to fix it? If there even is still something there?

Cassie followed some other online resources this morning that provided instructions and a script that was supposed to automatically clear this particular infestation 100% from your website. This would go in and find it everywhere, so if you happened to miss it in a file or folder somewhere, this would finally nail its coffin.

It was apparently developed overnight, and Cassie ran it.

Has it helped? Well, we don’t know, since we weren’t getting the indications of Trojans or redirecting. Couldn’t hurt, basically.

We still don’t know, because we can’t find any sign or trace of anything indicating we’re still hacked on the website. As far as we can tell, it’s all clear.

But “as far as I can tell we’re good” doesn’t feel good enough to me.

I recommend you either subscribe to the feed for this website, or stop visiting the website altogether. I’d really rather not risk you getting infected.

If, after reading this post (and not before), you still get a clear and absolute indication that this website is trying to redirect you or infect you with a Trojan, please let me know at tigerlordgm AT yahoo DOT com, so we can look into it. If we really are still infected after everything Cassie has done, well, put a fork in, that’s pretty much it here.

In the meanwhile, the only reason the website is up is because Cassie is stubborn as all hell, and refused to let some script kiddy asshole win.

Maybe once it’s fixed she’ll say, “Okay, now you can kill it”, but certainly not before.

What’s going through my mind right now… this is supposed to be a pretty widespread hacking attack, affecting many WordPress sites. I don’t know if those are all self-hosted sites, or if sites hosted by WordPress itself are also affected.

What I wonder is, how many folks that write blogs woke up, looked at their trashed sites, and having no clue about this crap, faced only two choices; quit or start over from page zero.

And of those, how many chose to quit? How many people were brought down and silenced today?

How many voices went quiet because one asshole with a virus gun made the choice for everyone else?

23 Responses to “The Day the Blog Stood Still”
  1. Keristrazja says:

    Arrowrest disappeared about 2 weeks ago, I wonder if it was the same thing.

    http://arrowrest.wordpress.com/

    Kinda sad he’s not there anymore. I liked his blog and style of writing.

  2. Shukaro says:

    Not getting any virus warnings or anything of that sort on my end, so, at least for me, your blog is clean.

  3. lissanna says:

    avast isn’t flagging the site for me anymore.

  4. lissanna says:

    Also, for other people with infections – the bulk of infections happened for people who weren’t self-hosted, and so the hosting sites have instructions on how to take care of it without losing all your data (if possible), and you can talk to your hosting company about how to fix it, rather than nuking the whole thing.

  5. Rowtan says:

    Hmmm … didn’t even know a blog could get infected and pass infections along like that – have you double checked with Lars to make sure that he/she did actually send you that message, and if so, how they discovered it?

  6. Rowtan says:

    PS – just found this … don’t know if it is of any use, because tbh most of it was over my head!

    http://www.webloglines.com/blog/stuff/article/top_wordpress_security_plugins_for_hackerproof_blog_.php

  7. Sarabian says:

    I didn’t get any kind of redirects or anything like that. I’m not worried about viruses because I use a Mac, so I’ll reload and surf around and see if anything pops up. If so, I’ll post a reply saying which page it was.

    Good luck defeating the asshole! May you find him and show him the wrath of a bear (a real one, preferably).

  8. Rayvynn says:

    Hear, hear to your amazing Cassie for doing all that she did. No redirects or trojan attempts here, though I shall do a quick scan-a-roo after posting this. Good luck getting everything sorted out with the blog, Bear. I know it seems like it’s been a lot of hassle lately, but there are those of us that appreciate every single post and idea you have. :)

    It’s kind of scary someone with a “virus gun” can do that. :(

  9. xmolder says:

    I can’t say that I’ve ever been in a position where I’ve cared enough about a profile or a blog enough to continue with it after being “hacked” (for lack of a better term) but I have to say I admire Cassie’s conviction. I probably would have been with you, Bear, but to be honest, I’m glad she’s so headstrong. I’d miss this blog if it went away.

    So far, I’ve only seen the one attempt at tricking me into the virus (after your restore, before Cassie ran the script) and none since. I’ll do my best to keep up on it, though, as though you won’t be flooded with hundreds of other readers letting you know what’s up.

    That said, I would be sad to see you go. I’ve enjoyed reading your writing for a while now, both WoW-related and otherwise. Hell, you’re the reason I’m playing Allods. ;)

    One last, totally unrelated note: I work in a casino which shall remain nameless, as a change person. We had one machine, called “Grizzly,” that did fairly well, but didn’t pull in as much money as the others. Every time I walked past it, I saw a big, brown grizzly wearing a fishing hat, and for some reason, I couldn’t help but think “I wonder what BBB’s latest post is.” They recently exchanged it for another game, and it made me very sad to see it go. Curse you, internet, for making me feel connected to other living beings!

  10. kaozz says:

    So sorry to hear about that happening to you guys! I never saw that redirect or anything similar but I may not have popped in here when it was going on. I do hope you get everything squared away and fixed. Don’t let it get you guys down :)

  11. Bernie says:

    Is why like all BBB readers I haz virus scanner. Thanks to Cassie for all the hard work…..and I guess to you too. Keep writing.

  12. Dechion says:

    After reading your post (in my feedreader since I am way too lazy to manually visit close to 200 blogs a day) I decided to try and get myself infected.

    Loaded up the latest patch for AVG and came a calling, hitting pages, clicking links, that sort of thing.

    Nothing redirected me anywhere, nothing bad looked like it tried to install anywhere, basically it looks clean as far as I can tell.

    Thanks much to Cassie for her efforts in rebuilding everything.

  13. Lars says:

    ‘Ello, Lars here :-) Nope, site seems clean now. Scary thing is that the experts don’t quite know how this widespread WordPress / other php-based sites hack has come to be. However, I’ve been doing a little surfing on the topic, and here’s some of the (in my judgment) better resources to check out:

    WPSecurityLock on the hack in question
    codex.wordpress.org on what to do if your site has been hacked

    Love seeing the BBB blog up and kicking again!

    Best regards
    Lars (who’s considering tanking again with his lovely druid though haven’t done so since halfway through Kara…)

  14. neil says:

    Not getting a thing here and it would be a real loss to the community if this blog went down

  15. Rob Coulstock says:

    I had a trojan warning yesterday and today nothing. So it all looks sweet :) Good job Cassie!

  16. Shane says:

    I was redirected yesterday. I was sent to some site that was trying to act like a virus scanning page for my computer with the helpful popup box asking whether I wanted to remove the virus and do a proper scan etc… I’ve dealt with that type of thing before and sadly the first time I did click OK. Not this time, closed down carefully and then ran a trojan program when I went out yesterday… no infections.

    PS. Don’t close down, your gear links are the only reasons I managed to gear up after my absence from the game for a year.

  17. Sharvhan says:

    I too was redirected, but I clicked nothing and simply did a manual shutdown. Rebooted, ran virus scan and the old laptop is clean. Have had nothing out of the ordinary today, so I think you’re safe. Good job with finding that fix, Cassie and thanks BBB for not shutting down. :) You’re one of the few blogs I read these days and it always brings a smile to my face no matter what you choose to write about.

  18. Phelps says:

    If you are running WordPress, you might look at the WordPress Database Backup plugin. I run it, and it sends me a database backup (not the whole site, but what I would need to get up and running again relatively painlessly) every Sunday afternoon.

  19. Kattrinsaa says:

    I got the attempted redirect yesterday, but chrome blocked it and sent me back to your page.

    miss having the comluv tool.
    I wrote an innocuous bit of story on my site for Single Abstract Noun that I meant to plug..

  20. tao says:

    Change your FTP password asap. I clean up this sort of stuff nightly for work. The most common cause of these “every file in the website had code appended to it to load a trojan from a remote site” is a compromised FTP password. Once you change the FTP password, do not let anyone have it and use it for FTP until they have done a full virus check of their local machines. The way this compromise works is they compromise a work station. Because FTP is in clear text, they then data mine the user and pass when the user on the compromised work station logs into the server. Then they use that information to log in and modify the files.

    That isn’t to say 100% that this was what happened here. It is just the #1 most common cause of it that I’ve seen over the last few months….so I wanted to mention it. You’d be best off using sftp/scp if you have ssh access to the server as that will encrypt ftp traffic and eliminate the problem as well.
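A defender's check for the pattern tao describes in comment 20, added here as an example and not part of the original comment or post: it scans an FTP transfer log for one remote host re-uploading many web files in a short burst. It assumes the host provides a log in the common xferlog format; the function names, thresholds and sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in xferlog format; hosts, user and paths are made up.
SAMPLE_LOG = """\
Fri May 7 21:14:02 2010 1 198.51.100.7 4312 /blog/wp-content/themes/x/header.php b _ i r bloguser ftp 0 * c
Sat May 8 03:02:11 2010 1 203.0.113.45 1893 /blog/index.php b _ o r bloguser ftp 0 * c
Sat May 8 03:02:14 2010 1 203.0.113.45 2410 /blog/index.php b _ i r bloguser ftp 0 * c
Sat May 8 03:02:15 2010 1 203.0.113.45 3120 /blog/wp-login.php b _ i r bloguser ftp 0 * c
Sat May 8 03:02:17 2010 1 203.0.113.45 5277 /blog/wp-config.php b _ i r bloguser ftp 0 * c
Sat May 8 03:02:18 2010 1 203.0.113.45 1650 /blog/wp-admin/index.php b _ i r bloguser ftp 0 * c
Sat May 8 03:02:20 2010 1 203.0.113.45 2988 /blog/wp-includes/my theme.php b _ i r bloguser ftp 0 * c
"""

def parse_xferlog(text):
    """Yield (time, host, path, direction, user, status) for each valid line."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 18:  # 5 date fields + 3 + file name + 9 trailing fields
            continue
        try:
            ts = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue
        # Parse from both ends so a file name containing spaces stays intact.
        yield ts, tok[6], " ".join(tok[8:-9]), tok[-7], tok[-5], tok[-1]

def mass_upload_bursts(text, window=timedelta(minutes=5), threshold=5,
                       exts=(".php", ".html", ".js")):
    """Return {(user, host): [paths]} for hosts that uploaded at least
    `threshold` distinct web files within `window`."""
    uploads = defaultdict(list)
    for ts, host, path, direction, user, status in parse_xferlog(text):
        if direction == "i" and status == "c" and path.lower().endswith(exts):
            uploads[(user, host)].append((ts, path))
    flagged = {}
    for key, events in uploads.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            if len({p for _, p in events[start:end + 1]}) >= threshold:
                flagged[key] = sorted({p for _, p in events})  # files to review
                break
    return flagged

if __name__ == "__main__":
    for (user, host), paths in mass_upload_bursts(SAMPLE_LOG).items():
        print(f"{user} from {host}: {len(paths)} web files uploaded in a burst")
```

A flagged host that is not one of your own machines points to a stolen password rather than a WordPress flaw, and the returned paths are the files to restore from a clean copy.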

  21. TJGypsy2 says:

    I was kind of wondering. I got hit by the redirect, wondered what the hell was going on, didn’t click anything and shut down my machine. I came back to the site right after and had no further trouble. Glad you got it sorted out, and really glad you didn’t shut it down. I’d miss the 3b sense of humor.

    to Cassie for all the hard work!

  22. Paona says:

    All clear on this front. Fortunately, it was an attack site that I am oh-so-familiar with, having had to deal with the resultant installer and malware that it deploys on a number of computers that I have serviced in the past, so I did not pass go, did not collect $200, did not hit “OK”, went directly to CTRL + ALT + DELETE and terminated Firefox.exe, then updated Malwarebytes and did a full scan.

  23. Rauxis says:

    have a look at

    http://blog.sucuri.net/2010/05/new-attack-today-against-wordpress.html

    hope it helps
    Rauxis, chosen of CAT
