Productivity Sync Just another WordPress weblog

January 31, 2015

Cleaning my WP from spam and attempts to harden my web service from hacking

Filed under: Uncategorized — admin @ 8:09 am

This week I noticed I had redirect.js malware injected into this WordPress application hosted on my GoDaddy hosting (what you are reading now).

I used the free / demo-ware Sucuri Labs scanner plugin "Sucuri Security" to identify the signature:
"""write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}');}xViewState()"""

It's a very nice plugin. They make their money by offering cleaning services (http://sucuri.net/website-antivirus/signup). Not bad, but I chose to try to go it alone.

I ssh-ed into my web site, ran grep -ir xViewState, found a few (2) files with this string, and then edited them with Vim. The first thing I noticed was that the lines around this xViewState string had ^M (which were DOS-based strings created on a Windows box). As those were the only ones with the ^M's, I nuked those lines; I'm pretty sure those were the troublemakers.

Then I re-ran the scan and my site was clean.  And my blog still works.
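As an added example (not code from the original post), here is a small POSIX shell script that reproduces the triage described above on a constructed throwaway "web root": grep recursively for the signature, count the lines that carry the signature and end in a carriage return (the ^M seen in Vim), then copy each hit to a quarantine directory outside the web root and delete only those signature-plus-CR lines so legitimate code survives. The signature string and the CRLF detail come from the post; the directory layout, file names and file contents are constructed, and the script assumes only sh, grep, sed and mktemp.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the triage the
# post describes (grep for the signature, spot the DOS CRLF lines, remove only
# those) against a constructed throwaway "web root". Assumptions: POSIX sh,
# grep, sed, mktemp; file names and contents below are constructed.

SIGNATURE='xViewState'
CR=$(printf '\r')   # literal carriage return, the ^M that Vim showed

# Build a throwaway site: one clean file and two files with injected CRLF lines.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/themes/demo"
    # Clean theme file, Unix line endings only.
    printf '<?php\n// clean theme footer\necho "ok";\n' \
        > "$site/wp-content/themes/demo/footer.php"
    # Infected PHP: the injected lines end in CR LF, the legitimate ones in LF.
    printf '<?php\n// header\r\nfunction xViewState(){ /* injected */ }\r\nxViewState();\r\necho "site";\n' \
        > "$site/wp-content/themes/demo/header.php"
    # Infected static page carrying the same marker.
    printf '<html>\nbody\r\n<script>xViewState()</script>\r\n</html>\n' \
        > "$site/index.html"
    printf '%s' "$site"
}

# Step 1 (the post's grep -ir): list every file under the root containing the signature.
find_infected_files() {
    grep -ril -- "$SIGNATURE" "$1" | sort
}

# Count lines that carry the signature AND end in CR: the trait the post used
# to pick out the injected lines from the surrounding legitimate code.
count_crlf_signature_lines() {
    grep -r -- "$SIGNATURE.*$CR" "$1" | wc -l | tr -d ' '
}

# Step 2: copy the file to a quarantine directory outside the web root (so a
# later scan does not re-find the backup), then delete only the lines matching
# signature + CR so the rest of the file is left intact.
quarantine_and_clean() {
    file=$1
    qdir=$2
    cp -p "$file" "$qdir/$(printf '%s' "$file" | tr '/' '_')"
    sed "/$SIGNATURE.*$CR/d" "$file" > "$file.cleaning" && mv "$file.cleaning" "$file"
}

# Clean every infected file under a site root, quarantining into the given directory.
clean_site() {
    find_infected_files "$1" | while IFS= read -r f; do
        quarantine_and_clean "$f" "$2"
    done
}

# Stand-alone run: show the findings before and after cleaning.
demo_root=$(make_sample_site)
demo_quarantine=$(mktemp -d)
echo "infected files:"; find_infected_files "$demo_root"
echo "signature+CRLF lines before: $(count_crlf_signature_lines "$demo_root")"
clean_site "$demo_root" "$demo_quarantine"
echo "signature+CRLF lines after: $(count_crlf_signature_lines "$demo_root") (backups in $demo_quarantine)"
```

Run it as `sh scan.sh`; on a real site you would point `find_infected_files` at the document root and review the quarantined copies before trusting the cleanup, since a recursive grep only finds the one string you already know about and a re-scan with the plugin (as the post does) is still the real confirmation.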

Next I went about hardening my site by updating passwords created using uuidgen. (I put the passwords in a text file that is gpg-encrypted and uploaded to the cloud and a few other locations.)
I updated my GoDaddy passwords, removed all the FTP accesses I could, and changed the FTP access I couldn't delete to have a uuidgen'ed password too.

I removed extra WP logins and now I'm down to just one admin login with a nasty uuidgen-based password.

Next I followed a few blogs advising the nuking of unused logins and themes. Although WP claims there are no known vulnerabilities, if you upgrade with an attack already installed, that attack vector compromises your installation anyway. 🙁

Some useful links that helped me (pretty much all from a Google search on "wordpress redirect trojan"):
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

http://ottopress.com/2009/hacked-wordpress-backdoors/

https://wordpress.org/support/topic/cant-get-rid-of-a-redirecting-trojan

https://wordpress.org/support/topic/exploits-and-godaddy#post-1065779

https://wordpress.org/plugins/search.php?q=malware+scanner

https://wordpress.org/support/topic/website-hacked-trojan-redirect

https://www.google.com/?gws_rd=ssl#q=wordpress%20redirect%20trojan

http://www.serverschool.com/shared-hosting/how-to-remove-trojan-js-redirector-cq-from-your-wordpress-site/

http://premium.wpmudev.org/blog/wordpress-security-tackling-backdoors-pharma-hacks-and-redirects/

Let's see how long before I get hacked again 🙁
