WordPress users, check your footer.php files

Some asshole hacked my server last weekend, perhaps earlier than that, although I didn't discover it until Sunday morning. I was told I wasn't the only one and that it's probably not a WordPress vulnerability, because even web sites with static pages got hit. If you're a web site owner, here's what to look for:

1. ALL HTML files. The script is injected after the closing </html> tag, so the file ends up with a second body after the real one. Even the postinfo.html file in a newly-created account has it. Check the readme files that come with the WordPress installation too, and dig into the inner folders.

2. If you're a WordPress user, re-upload WordPress, overwriting the current installation. That refreshes the core files but not your own themes, so then check the footer files in the themes folders. The footer file of the active theme is the likely culprit. I host six or seven domains on my server, mine and personal projects including Pinoy Moms Network, and all footer files in the active themes in all domains got hit. And although it appears that inactive themes are clean, it might be a good idea to check them just the same.

3. If you have a Google search service and you're using a customized HTML document for your search page, check the footer of that page too. Mine was infected.

If you're using the cPanel file manager, don't count on being able to delete the malicious script from there. Recreate the files on your computer, minus the malicious script, then re-upload and overwrite the infected files. Keep in mind that cleaning the files does not close whatever let the attacker write to them in the first place; if that is still open, the script simply comes back.

I’m still monitoring all accounts on my server to see if the problem recurs.

P.S. If you're on a Linux server, setting file permissions to 644 won't solve the issue; files that were already set to 644 got hit. 644 only stops other users on the box from writing to a file. Anything that runs as the file's owner, such as a web server process running under your account or an FTP/SSH login using your credentials, can still modify it.
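The checks described above, as an added example that is not part of the original post: a Python script that walks a web root, flags any file with markup after its closing </html> tag and any theme footer.php that carries a literal <script>/<iframe>/<body> tag, strips the appended payload, and keeps a SHA-256 baseline so a recurrence (as happened here the following Friday) shows up as a changed file. The sample site it builds is constructed test data; the file names, theme names and the example.invalid URL are assumptions, not indicators from the attack.

```python
# Added example, not code from the original post: scan a web root for the two
# symptoms described above (markup appended after </html>, and raw script/iframe
# tags in a theme's footer.php), strip the appended payload, and keep a hash
# baseline so a recurrence shows up. File names, URLs and theme names below are
# assumed; the sample site is constructed test data.
import hashlib
import re
import tempfile
from pathlib import Path

CLOSING_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
RAW_MARKUP = re.compile(r"<(script|iframe|body)\b", re.IGNORECASE)
TEXT_SUFFIXES = {".html", ".htm", ".php", ".txt"}


def trailing_payload(text):
    """Text after the last </html> tag, whitespace stripped; '' if clean."""
    closes = list(CLOSING_HTML.finditer(text))
    return text[closes[-1].end():].strip() if closes else ""


def strip_trailing_payload(text):
    """Cut everything after the last </html> tag and keep a single newline."""
    closes = list(CLOSING_HTML.finditer(text))
    return text[:closes[-1].end()] + "\n" if closes else text


def scan_tree(root):
    """Walk root and return {relative path: reason} for files worth a look."""
    root, findings = Path(root), {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        tail = trailing_payload(text)
        if tail:
            findings[rel] = "content after </html>: " + tail[:60]
        elif path.name == "footer.php" and RAW_MARKUP.search(text):
            # Themes emit scripts through wp_footer(), so a literal tag here is
            # a prompt to diff against the pristine theme copy, not proof.
            findings[rel] = "footer.php contains a raw <script>/<iframe>/<body>"
    return findings


def clean_tree(root, findings):
    """Rewrite flagged files whose only problem is an appended payload."""
    cleaned = []
    for rel, reason in findings.items():
        if reason.startswith("content after </html>"):
            path = Path(root) / rel
            path.write_text(strip_trailing_payload(path.read_text(errors="replace")))
            cleaned.append(rel)
    return sorted(cleaned)


def hash_tree(root):
    """{relative path: sha256 hex} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def changed_since(baseline, root):
    """Files whose hash differs from the baseline, plus files that are new."""
    return sorted(p for p, h in hash_tree(root).items() if baseline.get(p) != h)


# Constructed sample site modelled on the post's symptoms; example.invalid is a
# placeholder, not a real indicator.
SAMPLE_FILES = {
    "index.html": "<html><body>clean page</body></html>\n",
    "readme.html": "<html><body>readme</body></html>\n"
                   '<script src="http://example.invalid/x.js"></script>\n',
    "wp-content/themes/active/footer.php": "</div>\n<?php wp_footer(); ?>\n"
        '<script>document.write(\'<iframe src="http://example.invalid/">\');</script>\n'
        "</body></html>\n",
    "wp-content/themes/inactive/footer.php": "</div>\n<?php wp_footer(); ?>\n</body></html>\n",
}


def build_sample_site(root):
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return Path(root)


def demo():
    """Scan, clean, take a baseline, then detect a simulated recurrence."""
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_site(tmp)
        findings = scan_tree(site)
        cleaned = clean_tree(site, findings)
        after_clean = sorted(scan_tree(site))
        baseline = hash_tree(site)
        (site / "index.html").write_text(SAMPLE_FILES["readme.html"])  # it comes back
        return {"findings": sorted(findings), "cleaned": cleaned,
                "after_clean": after_clean, "recurred": changed_since(baseline, site)}
```

Run scan_tree() against your document root first and read every finding before letting clean_tree() touch anything; the footer.php check is deliberately noisy, because the right fix there is to replace the file with the copy from the theme download rather than to edit around the injected tag. Take the hash baseline only after the cleanup and the password changes, then re-run changed_since() on a schedule; a file that changes when you haven't touched it tells you the entry point is still open.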

Comments

  1. BlogusVox says:

    So that's it. I keep getting this nasty message every time I visit your blog, and it keeps on trying to download and upgrade my MS Office. Good thing our firewall is strong. It contained this virus (I forgot the name) in PDF format.

    It’s not only you, I also experienced this in Jon Limjap’s blog.

  2. Imagine waking up on Sunday morning to find the blogs gone. I thought I had fixed it by lunchtime; I didn't realize that the problem was more serious until people started texting and sending emails.

  3. witsandnuts says:

    Experienced the same last week. A blogger pal alerted me through email that my site was inaccessible. I’m glad I got assistance from my host provider. I didn’t know how to fix it.

  4. I wonder who the hacker’s boss is and what anti-malware software they intended to sell. I don’t believe anymore that hack attacks are just pranks. Most appear to be sponsored.

  5. peterb says:

    Ah... same as BlogusVox, I had the same experience. Good thing it was immediately quarantined and deleted. My antivirus identified it as Bloodhound.Exploit.196. The name was getfile[1].pdf.

  6. Kotsengkuba says:

    In the past few days, there's been an embedded window on this blog requesting me to participate in a 5-minute survey. Though I believe it's from BlogHer, I didn't participate. I'm not sure if it has anything to do with the hacker.

    Fortunately my footer files are okay.

  7. chris says:

    Yeah, I noticed that when I got on pinoycook. I was wondering what it was and was going to drop you an email...

  8. Finally, it's over. It recurred Friday morning, but it's finally over.

    Peterb, your comment was what alerted me Friday morning. On a Mac, it wants to download getfile.html. Of course, I said no right away.

    Kotsengkuba, that's a legit survey hehehe, but only US residents can participate.

    Chris, the problem on Pinoycook was worse than here. The dropdown category menu got really screwed. Annoying!!

  9. JGo says:

    No wonder I was not able to access your page since Thursday. Every time I click your link from my faves, my firewall prompts that there is a threat. I hope it's okay now. Your internet providers over there should have built-in protection for their subscribers.

  10. JGo, the internet provider has nothing to do with it. It was an attack on the web server. The sad thing is that no matter how careful you are, there are still things that you can't foresee.

  11. raqgold says:

    Hmm, a hacker tried to get me through YM, too. And then a few days after that, my spyware and antivirus detected a trojan... I thought it was only my PC going crazy because I couldn't get into PMN, but it turns out you were hacked too. It leaves a not so nice feeling, these hacking encounters... it inconveniences people and is stressful too. That's why we really should be extra careful. I just hope that they would start creating spyware and antivirus software that would destroy the people who created these hacking and phishing programs!

  12. Kotsengkuba says:

    I'm still seeing getfile.php prompts on the homepage, twice today.

  13. Shit. OK, lemme check.
