Skip to content

Hacked and Fixed, AGAIN

"I Miss You, Computer" by Neofob

"I Miss You, Computer" by Neofob

A couple days ago, I got notice from Google (and many fine friends who pointed out my blacklisted status), that my blogs had been hacked.  As has happened before, the software infects all of my blogs at once, so I had a lot of cleaning to do.

Thanks to John for his helpful post.  This is not the first time my blog has been hacked, but this is by far the most thorough I’ve been in trying to stamp it out.  Here are the steps I took yesterday, in no particular order:

  • All related passwords changed (ftp, user, database)
  • WordPress software freshly installed
  • Plugins scoured for offending code
  • All dormant or unused websites shut down, removed, and databases backed up then deleted.  I lamented taking down some of my student work, but since I don’t really look at it afterward, it’s causing me negative time.  GONE.
  • Using the shell, I did plenty of grepping and finding to locate ‘open to the world’ directories and a few errant infected files.  While the latter were bad, I suspect it’s the former that allowed my sites to get infected in the first place.  I also discovered several seemingly viable files (with names like ‘https.php’ that were evil, and a couple directories that had been chmodded so I was not allowed to read or write in them.  Inside? evil files.

The only opening I see is if my database itself has offending code in it.  I could not find any pages that discussed either how to diagnose or to fix corrupt databases themselves, so I’ve backed up the newly clean sites entirely, and will do a complete reinstall if I get infected again — and will have to figure out how to figure out about corrupted mysql files.

Ugh.  Oh well, I’ve requested a review from Google, so hopefully you’ll find my site un-blacklisted sometime soon.  Enjoy.

{ 4 } Comments

  1. John Walter | 9 March 2012 at 10:48 am | Permalink

    I hope it works. Google had me listed as a problem, which was how I confirmed I knew for sure I’d been hacked, but doesn’t seem to have blacklisted me. After I cleaned up the site, I went to ask them to recheck me and I wasn’t getting a warning message. (I had a redirect with Safari but I wasn’t redirected when I double checked. Chrome, on the other hand, gave me the warning.)

  2. Digital Sextant | 9 March 2012 at 11:27 am | Permalink

    Well, I don’t mean “blacklisted,” but rather you’d get a scary warning when you tried to go to my site (as it seems you did). Google Webmaster tools currently lists all my sites as malware free. :D

  3. John | 10 March 2012 at 7:05 am | Permalink

    Awesome. :)

  4. cbd | 12 March 2012 at 6:59 pm | Permalink

    not. fun.

Post a Comment

Your email is never published nor shared. Required fields are marked *