Mirror-posted from this article on my photoblog.

Yes, even lowly little blogs such as this one succumb to devious attacks at times. Unfortunately it appears that sometime in the past month or two we had an intrusion. It didn’t appear too overtly malicious (mostly re-directs), but it did insert some nasty code into every php file on the domain. Right now I am fairly certain that it has all been removed.

That said, I’ll be doing some maintenance over the next week and we may have some downtime. Lesson learned, implementing extra security is never a bad thing. If such a thing does ever happen to you, here are a few great guides on what to do (1, 2, 3, 4, 5, and the next step 6).

6 Mar 2012, 9:30AM EDIT: NEVERMIND! Things are definitely still infected. The site will go down shortly until I can resolve the issue. Until then please don’t trust or download any files that are served from this domain. Currently it appears that re-directs are the primary problem, but until I post that it is totally clean please proceed with caution if you notice anything out of the ordinary.

6 Mar 2012, 1 PM UPDATE: OK, made some progress I think through the help of an exceptionally helpful script. If this happens to you make sure to modify the script to match your rogue code EXACTLY. Also, as always backup before running. More updates soon.

6 Mar 2012, 3:30 PM UPDATE: OK, another round of ‘I think things are better.’ Relying a bit on Sucuri’s SiteCheck scanner to ensure files are cleaned. The personal blog passes now, as does the wedding blog… still some foreign js hiding out here (although the majority is certainly cleaned).

9 Mar 2012 UPDATE: I decided to give it a couple of days to ensure nothing was left behind and re-spawned itself. As of two days ago I believe we are CLEAN. We pass the scanner listed above, and after reinstallation of WordPress, all plugins, and careful cleanup of the customized theme I can see no signs of the code in any of the php files that were infected. Whew. If this ever happens to you, please feel free to send an email. The “Walker” script linked above was a life-saver — cheers to you sir.
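As an added example (not the “Walker” script linked above, nor any code from the original post): a small Python walker that finds every php file under a web root carrying an injected block, backs up each original, and strips the block. The signature below is a constructed placeholder; replace it with the exact rogue code from your own files, and run with dry_run=True first so you can review the hit list before anything is written.

```python
import re
import shutil
import tempfile
from pathlib import Path

# The pattern must match the rogue code EXACTLY, as the post says; this marker is a
# constructed placeholder for the example, not the real injection from the incident.
INJECTION_RE = re.compile(r"<\?php /\* CONSTRUCTED-INJECTION-MARKER \*/.*?\?>\r?\n?", re.DOTALL)

def find_infected(root, pattern=INJECTION_RE):
    """Return every *.php file under root whose contents match the signature."""
    root = Path(root)
    return [p for p in sorted(root.rglob("*.php"))
            if pattern.search(p.read_text(encoding="utf-8", errors="replace"))]

def clean_tree(root, backup_dir, pattern=INJECTION_RE, dry_run=True):
    """Strip the signature from each infected file, backing up originals first.

    Returns {relative path: matches removed}. With dry_run=True nothing is written,
    so run that first and check the list before cleaning for real.
    """
    root, backup_dir = Path(root), Path(backup_dir)
    report = {}
    for path in find_infected(root, pattern):
        text = path.read_text(encoding="utf-8", errors="replace")
        cleaned, n = pattern.subn("", text)
        rel = path.relative_to(root)
        report[str(rel)] = n
        if dry_run:
            continue
        dest = backup_dir / rel          # mirror the tree so backup names cannot collide
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)         # keep the infected copy for later analysis
        path.write_text(cleaned, encoding="utf-8")
    return report

def demo():
    """Build a constructed web root with one infected and one clean file, then clean it."""
    work = Path(tempfile.mkdtemp())
    site, backups = work / "site", work / "backups"
    (site / "wp-content").mkdir(parents=True)
    injected = "<?php /* CONSTRUCTED-INJECTION-MARKER */ echo 'x'; ?>\n"
    (site / "index.php").write_text(injected + "<?php echo 'hello'; ?>\n")
    (site / "wp-content" / "clean.php").write_text("<?php echo 'fine'; ?>\n")
    preview = clean_tree(site, backups, dry_run=True)
    done = clean_tree(site, backups, dry_run=False)
    after = (site / "index.php").read_text()
    return preview, done, after, find_infected(site), (backups / "index.php").exists()
```

Re-run find_infected after cleaning and again a few days later, as the post does, since reinfection from a second foothold is what the second scan is for.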


2 Responses to Hacked =\

  1. snipe says:

    Hi David – trying to raise you on twitter but I figured I’d try here, too. There is a rash of these going around right now, exact same infection. http://blog.sucuri.net/2012/02/malware-campaign-from-rr-nu.html

    I’m trying to get more information on the exact vector for you, since it looks like this is going around. (You’re the third person in a week that I’ve found that got hit by this.)

    Check your entire database (including information_schema, etc) for ‘%feel.rr.nu’.

  2. davegkugler says:

    Thank you, thank you, will do!
