This week I noticed I had redirect.js malware injected into this WordPress application hosted on my GoDaddy hosting (the one you are reading now).
I used the free / demoware Sucuri Labs scanner plugin “Sucuri Security” to identify the signature:
It’s a very nice plugin. They make their money by offering cleaning services: http://sucuri.net/website-antivirus/signup . Not bad, but I chose to try to go it alone.
I SSHed into my website, ran grep -ir xViewState, found a few (2) files with this string, and then edited them with Vim. The first thing I noticed was that the lines around this xViewState string had ^M characters (i.e. DOS-style line endings from strings created on a Windows box). As those were the only ones with the ^Ms, I nuked those lines; I’m pretty sure those were the troublemakers.
Then I re-ran the scan and my site was clean. And my blog still works.
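The grep-for-the-marker and strip-the-^M-lines step above, as an added POSIX shell example that is not code from the original post: it lists the files containing the marker, counts their CRLF-terminated lines, and removes only those lines after taking a backup. The marker string comes from the post; the sample files it builds in a temp directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: find files carrying the
# injection marker the post grepped for, count their CRLF-terminated (^M)
# lines, and strip only those lines after taking a backup.
MARKER="xViewState"
CR="$(printf '\r')"

# find_infected DIR -> paths of files under DIR that contain the marker
find_infected() {
    grep -rl -- "$MARKER" "$1" 2>/dev/null || true
}

# count_crlf FILE -> number of lines ending in a bare CR (DOS line endings)
count_crlf() {
    grep -c -- "$CR\$" "$1" || true
}

# clean_file FILE -> copies FILE to FILE.bak, removes the CRLF lines from FILE
# and prints how many were removed. Files without the marker are left alone,
# so a legitimately CRLF-encoded file is never emptied by mistake.
clean_file() {
    f="$1"
    grep -q -- "$MARKER" "$f" || { echo 0; return 0; }
    removed="$(count_crlf "$f")"
    cp -- "$f" "$f.bak"
    grep -v -- "$CR\$" "$f.bak" > "$f" || true
    echo "$removed"
}

# make_sample -> builds a constructed sample tree in a temp dir and prints
# its path: one clean PHP file and one with an injected CRLF block around
# the marker (the injected lines are placeholders, not real malware).
make_sample() {
    d="$(mktemp -d)"
    printf '<?php\necho "hello";\n' > "$d/clean.php"
    printf '<?php\n' > "$d/infected.php"
    printf 'var xViewState = "constructed";\r\n// constructed line 2\r\n' >> "$d/infected.php"
    printf 'echo "legit";\n' >> "$d/infected.php"
    echo "$d"
}

# Demo run against the constructed sample only
SAMPLE="$(make_sample)"
for f in $(find_infected "$SAMPLE"); do
    echo "$f: $(count_crlf "$f") CRLF line(s), removed $(clean_file "$f")"
done
```

Diff each file against its .bak before trusting the result: the cleaner only touches files that also contain the marker precisely because a legitimate file saved with Windows line endings would otherwise lose every line.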
Next I went about hardening my site by updating passwords, created using uuidgen. (I put the passwords in a text file that is GPG-encrypted and uploaded to the cloud and a few other locations.)
I updated my GoDaddy passwords, removed all the FTP accesses I could, and changed the FTP access I couldn’t delete to have a uuidgen’ed password too.
I removed extra WP logins, and now I’m down to just one admin login with a nasty uuidgen-based password.
Next I followed a few blogs advising the nuking of unused logins and themes, as although WP claims there are no known vulnerabilities, if you upgrade with an attack already installed, that attack vector compromises your installation anyway. 🙁
Some useful links that helped me (pretty much all from a Google search on “wordpress redirect trojan”):
Let’s see how long before I get hacked again 🙁