MTW Hacked

I said it would never happen. That’s what I get for saying “never.” Talk about cocky…or maybe just stupid. Recently, one of our contributors was checking posts on the front end of the site and was met with a security warning claiming our site was an attack site. I checked with our tech guy and he confirmed that MTW was hacked and malware had been installed on two different posts from several months ago.

Apparently, unbeknownst to me, there was a security vulnerability in WordPress 2.3.2. This vulnerability would allow a registered user to edit any other user’s posts, inserting malicious code into the page the post is viewed on.

Luckily, Google had blocked the pages from view. However, we honestly don’t know how long the code may have been there before it was discovered and subsequently blocked by Google. Therefore, I am advising all MTW viewers and contributors to run a complete scan of their machine using AVG. This is a free antivirus program that will detect trojans and other malware the more popular programs won’t. As an example, I ran two independent scans using Norton. I also used Ad-Aware, and both programs declared my system was clean. I was skeptical, so under the advice of my tech guy and a fellow blogger whose site was also infected with this same malware, I installed and ran AVG. The program found two trojans on my system.

The “offending” posts have since been deleted and republished using a clean script. Meanwhile, the site has been upgraded to a secure version of WordPress. We also had to delete any registered users we didn’t personally know or who looked suspicious.
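The cleanup above was done by hand after Google flagged the pages. A site owner who wants to catch the same thing earlier can audit stored post bodies for script, iframe, embed or object tags that load from hosts the site does not knowingly use. The following is an added example (not code from the original post or from WordPress); it assumes post bodies are available as HTML strings, for instance dumped from the post_content column, and the allowlist and sample posts are constructed for illustration.

```python
"""Flag third-party script/iframe/embed/object references in stored post HTML.

Added example, not part of the original post. Assumes post bodies are
available as HTML strings (e.g. dumped from wp_posts.post_content); the
allowlist and sample posts below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site owner knowingly embeds content from (constructed allowlist).
ALLOWED_HOSTS = {"www.youtube.com"}

# Tags whose attributes can pull executable or framed content from elsewhere.
REMOTE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "embed": ("src",),
    "object": ("data",),
}


class RemoteRefCollector(HTMLParser):
    """Collect (tag, url) pairs for every remote-loading attribute seen."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self.inline_scripts = 0  # <script> blocks with no src: worth a manual look

    def handle_starttag(self, tag, attrs):
        wanted = REMOTE_ATTRS.get(tag)
        if tag == "script" and not any(k == "src" and v for k, v in attrs):
            self.inline_scripts += 1
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                self.refs.append((tag, value.strip()))


def host_of(url):
    """Lowercase host for absolute or protocol-relative URLs; None for relative paths."""
    if url.startswith("//"):
        url = "http:" + url
    parsed = urlparse(url)
    return parsed.hostname.lower() if parsed.hostname else None


def audit_post(post_id, html, allowed_hosts=ALLOWED_HOSTS):
    """Return (findings, inline_script_count) for one post.

    A finding is a remote reference whose host is outside the allowlist.
    """
    collector = RemoteRefCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for tag, url in collector.refs:
        host = host_of(url)
        if host is None:
            continue  # relative URL: served by this site, not a third party
        if host not in allowed_hosts:
            findings.append({"post_id": post_id, "tag": tag, "host": host, "url": url})
    return findings, collector.inline_scripts


def audit_posts(posts, allowed_hosts=ALLOWED_HOSTS):
    """Audit a mapping of post_id -> HTML and return all findings, ordered by post."""
    all_findings = []
    for post_id in sorted(posts):
        findings, _ = audit_post(post_id, posts[post_id], allowed_hosts)
        all_findings.extend(findings)
    return all_findings


# Constructed sample posts: one clean, one carrying an injected script tag
# that loads from a host not on the allowlist (protocol-relative URL).
SAMPLE_POSTS = {
    101: "<p>First post body.</p>"
         '<iframe src="https://www.youtube.com/embed/abc123"></iframe>',
    102: "<p>Second post body.</p>"
         '<script src="//ads.thirdparty.invalid/show.js"></script>'
         '<img src="/wp-content/uploads/photo.jpg">',
}

if __name__ == "__main__":
    for f in audit_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']}: <{f['tag']}> loads from {f['host']} ({f['url']})")
```

Relative paths are skipped because they resolve to the site itself; protocol-relative `//host/...` references are normalised so they are not missed. The inline-script count is returned separately because an injected payload can also be pasted directly into the post rather than loaded from a remote host, and those blocks need a manual look.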

UPDATE!!!

I posted in Google’s forum concerning the teleology of these trojans and got this reply from Google. This should lay to rest any fears that the perp was using these trojans as a means of identity theft etc. (Sigh of relief)

FROM GOOGLE: Yes, looks like it’s an ad. A good indication of this is what the diagnostic page says:

3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including adbrite . com, iconadserver . com, yieldmanager . com.

That means that when Google’s automated scanner was analysing your blog it followed paths through those servers on their way to the unetworks . biz domain which served malware. So, it’s probably coming through ads.

Hope that helps,
O.
Google Anti-Malware Team

Update:

My tech guy gave me a link to Exploit Prevention Labs, which will allow you to type in your URL and scan your site for malware. I suggest anyone who is serious about keeping their site clean utilize this powerful tool.
