I’m heartbroken. About 32 hours ago, this website was attacked by a malicious file innocuously named upgrade.php and hidden seven folders deep inside of wp-content. This was part of a wider attack on WordPress sites worldwide after a “cleverly hidden backdoor” was discovered in several popular plugins. The sole purpose of this file is to continually rewrite encrypted code into whatever index.php files it can get its hands on. This encrypted code was supposed to serve malicious content to the end user from a faraway server, usually named something like xjasljasd.co.cn. In layman’s terms, the point of the attack was to automatically load content from an anonymous server far away onto the visitor’s computer. The good news is that it was a crude, relatively simple attack that was blocked by most up-to-date browsers. If the browser didn’t catch it, an antivirus should have caught it. If that didn’t catch it, you may very well have a problem, whether from this site or another site. The other potentially good news is that if you are infected, you’ll know right now. It usually manifests itself in the system tray and warns the user that they are infected and need to go to a certain website to clean the system or purchase an anti-virus program to fix the problem. Of course, it’s the “antivirus” that actually is the problem. If you are infected, or even if you’re not, I highly recommend the following three programs. All are free:
Malwarebytes – http://www.malwarebytes.org/
Super Anti-Spyware http://www.superantispyware.com/
Spybot – http://www.safer-networking.org/en/index.html
Shoot me an email at josh@easywdw.com if you need help and I’ll work with you to fix it.
This is one of the worst things that can happen to a website. Obviously, you need to trust me to provide a secure experience, whether you agree with any of the content or not. To help ease any fears and help guarantee against any future problems, I have purchased SiteLock Premium, a service that protects against all kinds of potential security problems. I also purchased service from We Watch Your Website, which offers full scans of the site for malicious content and potential threats every 30 minutes, among other things. We Watch Your Website worked from 7:30am through 3:30pm today fixing the problem and locking down potential future vulnerabilities.
It would be impossible for me to apologize enough over this attack and honestly I’ve been near tears (if I was a crier, I would have been crying) for the last 32 hours as I feverishly tried to plug the hole myself and then sought outside help. Ultimately, as these problems usually are, the fix was rather simple once it was found. I had gone to bed two nights ago excited that I had finally come up with a name for the new crowd mapping software, “CrowdPeak” and found out when I woke up that the site was in meltdown mode. Hopefully very few people were infected and it was only a day’s worth of Disney talk that was lost.
The forum is in no way infected (and never was), but the styling still needs an adjustment. It should be back “soon.” I’m sort of index.php’d out at the moment and I think I’m going to move on to the January Crowd Calendar. A preview of that calendar is available here: http://www.easywdw.com/news/january-2012-preliminary-disney-world-crowd-calendar/
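The attack described at the top of this post leaves two things on disk that a site owner can look for: index.php files that have had an obfuscated loader written into them, and a PHP file buried unusually deep under wp-content. The script below is an added example (not code from this site or from the cleanup services mentioned) that scans a WordPress tree for both; the eval()/decoder pattern, the depth threshold and the sample files are constructed assumptions, not indicators taken from the post.

```python
"""Scan a WordPress install for injected index.php loaders and deeply nested PHP files."""
import re
import tempfile
from pathlib import Path

# Typical shape of an injected PHP loader: eval() wrapped around a decoder.
# Generic heuristic (assumption), not an indicator from the post.
INJECTED_RE = re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)
MAX_DEPTH = 3  # legitimate code rarely sits deeper than plugins/<name>/<subdir> (assumption)

def is_injected(php_source: str) -> bool:
    """True if the source carries an obfuscated loader of the kind described above."""
    return INJECTED_RE.search(php_source) is not None

def depth_below_wp_content(rel) -> int:
    """Number of directories between wp-content and the file; -1 if outside wp-content."""
    parts = Path(rel).parts
    if "wp-content" not in parts:
        return -1
    return len(parts) - parts.index("wp-content") - 2

def scan_tree(root: str, max_depth: int = MAX_DEPTH) -> dict:
    """Walk the install and return suspicious files as paths relative to root."""
    root = Path(root)
    findings = {"injected_index": [], "deep_php": []}
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root)
        if path.name == "index.php" and is_injected(path.read_text(errors="ignore")):
            findings["injected_index"].append(rel.as_posix())
        if depth_below_wp_content(rel) > max_depth:
            findings["deep_php"].append(rel.as_posix())
    return findings

def demo() -> dict:
    """Build a constructed mini WordPress tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "index.php": "<?php define('WP_USE_THEMES', true); require './wp-blog-header.php';",
            "wp-content/plugins/hello/hello.php": "<?php function hello_dolly() {}",
            # constructed sample of a rewritten index.php: decoder wrapped in eval()
            "wp-content/themes/x/index.php": "<?php eval(base64_decode('aGVsbG8=')); get_header();",
            # constructed stand-in for a dropper seven folders deep under wp-content
            "wp-content/uploads/2011/12/a/b/c/d/upgrade.php": "<?php /* nothing legitimate here */",
        }
        for rel, body in files.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return scan_tree(tmp)

if __name__ == "__main__":
    print(demo())
```

Point scan_tree at a real document root instead of demo() to check a live install; anything it lists deserves a manual look rather than automatic deletion.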

I didn’t get any warnings and didn’t get infected either, like a lot of other people it seems. It’s always a good idea to run at least one of the programs mentioned in this post often and to keep the definitions (the word for what the programs use to search for malware) up to date.
Thanks Josh. I run malware often.
Josh, so sorry you’ve had to deal with all this. I don’t think I got the virus but am running a virus scan now (I use AVG (free version)) just to be sure. I also use Malwarebytes and Spy Bot.