Return from the 3rd level of malware hell

wait... what? There are days that the interwebs suck dynamically placed, interactive Donkey Balls. Yesterday was one of those days.

Come to find out at some point on Friday, Flogging English was, for lack of a better word, hacked. Two JavaScript files had some malicious code embedded in them that tried to do something well… malicious. What? Dunno man, I just deleted that shit.

Google alerted me late in the day on Friday, meaning I didn’t see it until I checked my email a mere 30 minutes before my scheduled 50 mile ride. I fumbled about a bit, did several full searches of my blog database and found nothing. Then I started scanning the code of the pages that Google was reporting as infected. Still nothing. I made a few changes, thinking maybe it was in error – and requested a review, then went for my ride.

Well, it wasn’t an error, and Google showed me a couple more pages, one of which led me directly to my swfobject files that had been injected with the poopy code. So off I went to download the latest version of swfobject, and to rewrite all of my static Flash pages to use the new code file. Whew. With that done, I went back in and started looking at my admin settings for the blog. I had been allowing everyone who wanted to register to do so, and come to find out, I’m guessing through a hole in WordPress, someone was able to make themselves an admin. Well, not for long, and now I’ve locked it down, and only a handful of users remain. If you were one of the folks I deleted, my apologies, please let me know and I would be more than happy to sign you up again, although you do not need to be a registered user to sign up for updates if that’s all you really want.

The final mistake I made was allowing the blog directory to be written to. This is a total n00b mistake, and I’m not sure when I did this or why – so in some respects I deserve what I got, and I’m lucky it was pretty simple to fix.
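The two mistakes above (tampered JavaScript files like swfobject.js, and a blog directory anyone could write to) are both things a small audit script can catch. Here is an added example, not code from the post or from WordPress, that hashes each file against a known-good manifest and flags group- or world-writable paths; the directory tree, file contents and manifest are constructed inline for the demo.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# The manifest maps a relative path to the SHA-256 of the pristine file.
# Build it from a fresh download of each framework (swfobject, jQuery, ...)
# when you deploy it, not from the copy that may already be tampered with.

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(root: Path, manifest: dict) -> dict:
    """Return files whose hash differs from the manifest ("tampered") and
    paths that are group- or world-writable ("writable")."""
    tampered, writable = [], []
    for p in root.rglob("*"):
        rel = str(p.relative_to(root))
        if p.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            writable.append(rel)
        if p.is_file() and rel in manifest and sha256_of(p) != manifest[rel]:
            tampered.append(rel)
    return {"tampered": sorted(tampered), "writable": sorted(writable)}

def demo() -> dict:
    # Constructed fixture: a tiny blog tree with one clean and one modified JS file.
    root = Path(tempfile.mkdtemp())
    js = root / "js"
    js.mkdir()
    clean_swf = b"var swfobject = function () {};\n"
    clean_jq = b"var jQuery = {};\n"
    (js / "swfobject.js").write_bytes(clean_swf + b"/* injected content */\n")
    (js / "jquery.js").write_bytes(clean_jq)
    manifest = {
        "js/swfobject.js": hashlib.sha256(clean_swf).hexdigest(),
        "js/jquery.js": hashlib.sha256(clean_jq).hexdigest(),
    }
    os.chmod(js, 0o777)  # the "blog directory writable by anyone" mistake
    os.chmod(js / "jquery.js", 0o644)
    os.chmod(js / "swfobject.js", 0o644)
    return audit(root, manifest)
```

Run `demo()` to see the modified swfobject.js and the world-writable `js` directory reported; point `audit()` at a real install and a manifest you built from clean downloads to use it for real.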

All in all, I’m pretty lucky it was as easy as it was to get fixed, authenticated by Google, and the malicious code warning removed. This system seems to work pretty well, and pretty quickly, since all of this went down on Friday and not weeks before. On the plus side, now I have new clean files, a more organized directory structure, updated code files for all of my JavaScript frameworks, and a better understanding of how to fix these things when they happen.
