Warning: Something’s Not Right Here!
Greetings dear readers, I was anticipating bringing you a lovely write-up of my recently purchased Amstrad 6128 Plus vintage computer tonight; instead, you’re getting an installment of “Oh my god I’ve been hacked goddammit!” – aren’t you the lucky ones eh? Indeed, as I strolled confidently to my WordPress login page earlier this evening, I was (not so) delighted to find that my site had been compromised by the catchily-named #c3284# malware virus, prompting the sudden exclamation of “Oh crap!” (well, something like that anyway).
#c3284# is a delightful little beast, which upon finding its way onto your WordPress site, injects itself into one of the PHP files (in my case header.PHP) and from there will open your htaccess file (a directory level configuration file present on a Linux web server) when it’s executed and rewrite it so that your site’s URL directs your precious visitors to a dodgy website which is almost certainly selling Viagra or some form of body augmentation.
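Since the tell-tale symptom is a rewritten .htaccess, it is worth having a quick check for it. The following shell script is an added example (my own, not code from the original post): it lists any RewriteRule, Redirect or RedirectMatch line whose target is an absolute URL on a host other than your own. The sample .htaccess it writes is constructed for the demo; example.com stands in for your own domain and example.net for the dodgy one.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a WordPress .htaccess
# for rewrite/redirect rules that send visitors to an outside host.
# The sample file below is constructed for demonstration only.

# Write a constructed .htaccess to $1: the standard WordPress block followed by
# an injected referrer-based redirect to example.net and a legitimate redirect
# to our own host (example.com).
write_sample_htaccess() {
    cat > "$1" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule ^(.*)$ http://example.net/?q=$1 [R=301,L]
Redirect 301 /old-page http://www.example.com/new-page
EOF
}

# Print every RewriteRule / Redirect / RedirectMatch line in file $1 whose
# target is an absolute URL on a host other than $2 (a www. prefix on $2 is
# allowed). Prints nothing when the file is clean.
list_external_redirects() {
    own=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    grep -Ei '^[[:space:]]*(RewriteRule|Redirect(Match)?)[[:space:]]' "$1" \
      | grep -Ei 'https?://' \
      | grep -Eiv "https?://(www\.)?${own}([/?:[:space:]]|\$)" || true
}

# Number of such lines, for a quick yes/no check (0 means nothing suspicious).
count_external_redirects() {
    list_external_redirects "$1" "$2" | grep -c . || true
}

# Demo run on the constructed sample.
demo_file=$(mktemp)
write_sample_htaccess "$demo_file"
echo "external redirects found: $(count_external_redirects "$demo_file" example.com)"
list_external_redirects "$demo_file" example.com
rm -f "$demo_file"
```

Point it at your real file with `list_external_redirects /path/to/.htaccess yourdomain.com`; on a clean WordPress install it should print nothing, because the stock rules only rewrite to /index.php.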
Since you almost certainly have no intention of selling Viagra to your users (face it, it’s already a crowded marketplace), this needs to be sorted and quickly. The first indication you’ll get that an attack has taken place will likely be a prompt from Google safe browsing stating that your site contains suspected malware and has been blacklisted. In fact you’ll get something that looks very much like the picture above. This is your prompt to get off your backside and log into your Google Webmaster Tools account. If you don’t have a Webmaster account already, I strongly recommend you sign up right now; it’s an invaluable tool for checking the general health of your site, along with providing a whole host of tools for analysing your website in detail, including traffic, page loading issues and so on.
If you do have a Google Webmaster account, you can quickly browse to the health section for your site, where if a problem has been detected (which it will have if Google has taken the trouble to blacklist your site) it will actually tell you what malicious code it has detected. This will look something like this:
Now the site is clean, how can an attack like this be prevented in the future? Well, usually as a matter of course, excluding the ‘Content’ folder, I set access to all of the files on my WordPress sites to read-only (i.e. set the permissions of the files, and thus those of the web-server account, to read only). For pretty much all WordPress day-to-day tasks such as writing posts this doesn’t matter, since WordPress writes most of its information to the database. Obviously read-only will prevent you from being able to edit the structure of the site itself, i.e. update plugins or install new themes. For that you will have to re-enable write access for a short time. In my case I’d stupidly forgotten to re-enable read-only after I’d made some theme changes, so the virus had a potential way in.
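Here is that scheme as a script, added as an example of my own rather than anything from the original post: everything outside wp-content goes to 0444/0555 (read-only for every account, including the one the web server runs as), wp-content keeps its usual 0644/0755, and an audit function counts files that are still writable so you can spot the “forgot to re-lock it” window. The sample tree it builds is constructed for the demo and stands in for a real install.

```shell
#!/bin/sh
# Added example, not code from the original post: lock a WordPress tree to
# read-only outside wp-content, reopen it for updates, and audit the state.
# make_sample_tree builds a constructed stand-in for a real install.

# Build a small WordPress-shaped tree under $1 with normal 0644/0755 permissions.
make_sample_tree() {
    root="${1%/}"
    mkdir -p "$root/wp-admin" "$root/wp-includes" \
             "$root/wp-content/uploads" "$root/wp-content/themes/mytheme"
    for f in index.php wp-admin/admin.php wp-includes/functions.php \
             wp-content/uploads/photo.jpg wp-content/themes/mytheme/header.php; do
        : > "$root/$f"
    done
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
}

# Lock the tree: directories 0555, files 0444, skipping the wp-content subtree.
# Run this again after every theme, plugin or core update.
set_readonly() {
    root="${1%/}"
    find "$root" -path "$root/wp-content" -prune -o -type d -exec chmod 0555 {} +
    find "$root" -path "$root/wp-content" -prune -o -type f -exec chmod 0444 {} +
}

# Temporarily reopen the tree (0755/0644) before updating plugins or themes.
set_writable() {
    root="${1%/}"
    find "$root" -path "$root/wp-content" -prune -o -type d -exec chmod 0755 {} +
    find "$root" -path "$root/wp-content" -prune -o -type f -exec chmod 0644 {} +
}

# Audit: number of files outside wp-content with any write bit set.
# Should be 0 while the site is locked; anything else means it was left open.
count_writable_outside_content() {
    root="${1%/}"
    find "$root" -path "$root/wp-content" -prune -o -type f \
        \( -perm -0200 -o -perm -0020 -o -perm -0002 \) -print | wc -l | tr -d ' '
}

# Demo run on the constructed tree.
site=$(mktemp -d)
make_sample_tree "$site"
echo "writable files outside wp-content before locking: $(count_writable_outside_content "$site")"
set_readonly "$site"
echo "after locking: $(count_writable_outside_content "$site")"
set_writable "$site"
rm -rf "$site"
```

Note that this only protects against writes through the web-server account; a compromised FTP login or a hosting-level breach still bypasses it, which is why the next paragraph matters.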
Following an attack, it’s always a good idea to give your host a quick call to report the issue and get them to run a scan on their server. If you’re on a shared server, there is every chance that another site on it is infected, and in that case the malware may well gain access to an account with sufficient privileges to write to your files. While you’re at it, change your FTP password. Finally, inform Google (via the Webmaster Tools) that your site is now clean. This will prompt them to automatically run another scan and, if they confirm this is the case, it will be removed from the blacklist.
So there you go, sadly no write-up on the Amstrad Plus, but all is not lost: you now have the benefit of my several hours delving into the dark recesses of the world of hacking, which has hopefully revealed some of the tricks the hackers use and will save you some time should you ever come up against this nasty little bugger, or maybe its brother, cousin or mother, at some time in the future.
Thank you and goodnight!