http://www.clker.com/cliparts/9/1/4/0/11954322131712176739question_mark_naught101_02.svg.med.png

We’ve been getting errors/reports that Dvorak’s blog has been hacked and has malware on it. I’m the admin and I can’t find it. Could use some help and advice to figure this out. Email marc@perkel.com

Thanks in advance.

NOTE FROM JOHN. It currently appears as if Google itself is hacked or specifically targeting this blog. If you are reading this try this experiment which just worked for me. Go to Google then do a search for the blog. Just search for Dvorak. When you see “Dvorak News Blog” click on that and come to the site from Google. BINGO MALWARE. This is backed up by Google’s own self analysis which the company seems unaware. Click here to see.

FIXED!

Found code in the wp-config.php file.

 



  1. Snowbound says:

    What about those of us who foolishly bypassed google’s warnings because we were assured that there was no infected files only to discovere later that your wp-config.php was indeed serving up malware via s script?

  2. Hmeyers says:

    So the short version is that the hack cleverly delivered malware to IE and Opera users visiting this site.

  3. Grandpa says:

    Still getting error from Firefox. When I scan with Bit Defender after visiting the site nothing is detected.

    • Hmeyers says:

      Look, captain, you aren’t going to understand. Go back to reading your newspaper and getting a chuckle at “Peanuts” strips.

      Spoilers: Lucy tricked Charlie again and he didn’t get to kick the football.

  4. Jim in the Truck says:

    Norton came up with this tonight

    Category: Intrusion Prevention

    05/04/2013 21:30:24,High,An intrusion attempt by knmccnhwqf.dsmtp.com was blocked.,Blocked,No Action Required,Web Attack: Blackhole Toolkit Website 33,No Action Required,No Action Required,”knmccnhwqf.dsmtp.com (151.248.123.170,80)”,knmccnhwqf.dsmtp.com/xlawr/next/requirements_anonymous_ordinary.php,”JIM_WORK (192.168.0.130,49889)” ,151.248.123.170 (151.248.123.170),”TCP, www-http”
    Network traffic from
    knmccnhwqf.dsmtp.com/xlawr/next/requirements_anonymous_ordinary.php matches the signature of a known attack.

    in the past I have gotten what I call a “Dvorak Storm”
    where your page just acts like a “p0rn storm” but this is new

  5. Muddauber says:

    Yes, I’m getting it flagged by Bullguard.

    It will take weeks for the site to be clean and cleared for viewing. You can speed up the process by submitting a request for reviewing the site to SpamCop and others and that can speed up the process.

    Also, there is submission to Google that will review the site if you KNOW you got it all. So much for WordPress…..

  6. Baron says:

    You now have new ones. I suggest you change your passwords and review your plug ins. It smells like simple FTP access by hackers.

  7. Jerrod Pratt says:

    NOTE FROM JOHN. It currently appears as if Google itself is hacked or specifically targeting this blog. If you are reading this try this experiment which just worked for me. Go to Google then do a search for the blog. Just search for Dvorak. When you see “Dvorak News Blog” click on that and come to the site from Google. BINGO MALWARE. This is backed up by Google’s own self analysis which the company seems unaware. Click here to see.

    • Snowbound says:

      Please don’t repost that. The site was hacked via the wp-config.php file that was serving up malware. That does not mean that was the only infection. Perhaps its best to restore it from a backup that you know is clean.

      • Hmeyers says:

        What’s it matter if he reposts it? He just describe the primary characteristic of how the malware works.

        Sure he’s trying to dismiss it, but he clearly didn’t read that this is exactly how the infection works.

        Him not understanding what the script does or even if he did, doesn’t relate to it be present. It’s not like blog posts caused it or propagate it.

        Even ignorance doesn’t make it better or worse.

  8. LibertyLover says:

    I think it’s a government conspiracy; this is one of the last uncensored locations on the net that doesn’t require a login paper trail.

  9. DJ says:

    Still blocked via Chrome and available with Firefox. I cleared cache and flushed DNS, but was still blocked using Chrome

  10. Dave Koss says:

    As of Sunday the 5th at 6:26 California time, Safari is still reporting malware, but not Chrome.

  11. fishguy says:

    This is fascinating! When I initially got blocked with Chrome, I immediately re-launched Chrome inside Sandboxie. Still blocked. However, now that my browser was “sandboxed”, I proceeded to the site.

    I am fascinated by the comments, guesses, and speculations. It is resulting in a very interesting social experiment, I think. Obviously, no one knows what is happening.

    I know I am renewing my quest for a safe and reliable news-feed. HAM, maybe. This internet thing doesn’t seem to be working.

    Maybe that’s the answer for No Agenda. Go all HAM broadcast with delivery of encrypted MP3’s to subscribers only.

    • Hmeyers says:

      It’s a publicity stunt. They sat around the table low on ideas, Marc Perkel puts hands behind his head and kicks and leans back and says “Guys! I’ve got it … I’ll load a malware script that gets us blocked by Google and John can write a conspiracy column and talk about it for weeks.”

  12. Shaking my head says:

    > Dvorak’s blog has been hacked and has malware on it. I’m the admin and I can’t find it.

    REALLY?!?! I’m shocked! Shocked!

    Just about every single post by mperkel is riddled with ignorance and incompetence.

    Now we can watch as he pathetically flails against leet hackerz.

    My prediction? Dvorak will continue to embarrassingly blame google, and the site will be redone from scratch as it turns out mperkel doesn’t even have decent backups.

    • Tim says:

      Dude, You are kind of a douche. This kind of thing happens to everyone every now and then — government sponsored attack, or not.

      I applaud this blog for being forthcoming with this little (possibly communicable) blemish. Did your girlfriend ever do that for you before your dick fell off? Or did she tell you it was just because she had bit her lip whilst eating a blackberry?

      Well mr. shaking your rotten tip off, I’m a newbie here and even I can recognize a shill that’s just above his pay-grade.

      • Shaking my head says:

        As you said, you’re a newbie.

        Stick around and enjoy mperkel’s contributions.

        It’s rare for a post of his (usually just a sentence or two) to be free of grammar and spelling errors. And his posts on tech issues are laughable.

        • Tim says:

          Ohh, a *grammer nazi* ayy? And here I was just thinking that you’de be vindicated as a LISP coder…

          http://youtube.com/watch?v=N4vf8N6GpdM

        • a nazi of grammar says:

          The problem element is “And”. If you had written “Also,” the sentence could, at least, be referenced to the proceeding one. As it stands, please log into 8.8.8.8 and de-res.

          • Shaking my head says:

            I guess the difference is I’m not posting on a blog named for a professional writer (and a tech one), but merely making casual comments.

        • Tim says:

          WHAT, Shaking my head??:: “…I’m not posting on a blog named for a professional writer…”

          Well, as I assumed that tripe was as an artifact of *fat fingers* such that you weren’t really posting here, you are forgiven.

      • So What? says:

        Tim Said “Dude, You are kind of a douche.” and “I’m a newbie here”. Yes Tim I think we would agree, you are.

  13. Quarnicus says:

    5/5/13
    this is what IE spits out from google….
    no problem with yahoo…

    Safe Browsing
    Diagnostic page for dvorak.org
    What is the current listing status for dvorak.org?

    Site is listed as suspicious – visiting this web site may harm your computer.

    Part of this site was listed for suspicious activity 4 time(s) over the past 90 days.

    What happened when Google visited this site?

    Of the 120 pages we tested on the site over the past 90 days, 19 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-05-05, and the last time suspicious content was found on this site was on 2013-05-04.
    Malicious software is hosted on 9 domain(s), including hvdqroibk.port25.biz/, n8szrpm7fc.servebeer.com/, htensj.xxuz.com/.

    This site was hosted on 1 network(s) including AS6939 (HURRICANE).

    Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, dvorak.org appeared to function as an intermediary for the infection of 3 site(s) including dvorak.com/, t.co/, feedly.com/.

    Has this site hosted malware?

    Yes, this site has hosted malicious software over the past 90 days. It infected 4 domain(s), including dvorak.com/, t.co/, curry.com/.

    How did this happen?

    In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

  14. Grandpa says:

    Sorry John, as of 5:04 PM on 5-5-2013 the site is still reporting the same issue from my end. I have to do an ignore in order to get here. Still no actual infection to my computer from being here.

    • Captain Obvious says:

      Although there is always a possibility of problem from this type of hack, it’s highly unlikely you’d get anything. Facebook is probably more dangerous.

  15. Adam Curry says:

    What a bunch of assholes commenting here.

    The ‘malware’ (used to boost seo ratings on google) was removed over 24 hours ago, yet the ‘malware warnings’ remain in place.
    I thought readers of this blog had a sense of humor AND were smart.

    You truly have no idea how bad this really is.

    You will be the first ones on the train.

    Adios MoFos.

  16. AVG notified me of Exploit Invisible IFrame Injection (type 1707)
    when i entered the page 6:45 5/5/13.

  17. Dallas says:

    Is the blog disease free yet ? Lots of stuff is happening out there to complain about. DOW is at 15,000 and Obama said something about gun violence

    • Hmeyers says:

      > DOW is at 15,000

      Because of inflation of the dollar.

    • deowll says:

      Hay, you left out unemployment is down! That’s good news unless you also know that participation in the workforce hasn’t gone up.

  18. t0llyb0ng says:

    Condi were unstable
    & insertiously insatiable

    She displayed her derriere
    & flaunted her
    posterior pelvicular arear

  19. orchidcup says:

    This is the message I get when your site is blocked by the Chrome browser:

    What happened when Google visited this site?

    Of the 120 pages we tested on the site over the past 90 days, 19 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-05-05, and the last time suspicious content was found on this site was on 2013-05-05.

    Malicious software is hosted on 10 domain(s), including hvdqroibk.port25.biz/, n8szrpm7fc.servebeer.com/, htensj.xxuz.com/.

    This site was hosted on 1 network(s) including AS6939 (HURRICANE).

    Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, dvorak.org appeared to function as an intermediary for the infection of 3 site(s) including dvorak.com/, t.co/, feedly.com/.

    Has this site hosted malware?

    Yes, this site has hosted malicious software over the past 90 days. It infected 4 domain(s), including dvorak.com/, t.co/, curry.com/.

    How did this happen?

    In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

  20. Oldnuke69 says:

    Still getting the warning when coming in through Google at 3:30 PM EDT 5/6/2013. No problem when following the link from John’s article on PC Magazine.

  21. Captain Obvious says:

    So the long national nightmare is over. dvorak.org is no longer blacklisted!

  22. Captain Obvious says:

    For the record, how long did the appeal take?

  23. Trex says:

    If this domain was not owned by someone who writes columns for PC Magazine, it would still be blacklisted. And you’d prolly be best off just to just take a shovel and bury the domain, cause it would never come off the G-List.

    Just try to get a response from anyone at Google if you are not some hotshot journalist.

    • Captain Obvious says:

      I know people who have been through this with their sites. The response from Google is about the same.

    • Rider says:

      I know several no name sites that were taken off the list quicker.

      Can we all stop bashing the company that had to basically force Dvorak to admit he was wrong and stop spreading malware.

  24. Grandpa says:

    A OK now! My favorite blog is back on. Thank you.

  25. macs says:

    Hope you guys issued an apology to Google for the pretty damning accusations around this on twitter.

  26. Grey Bird says:

    I got the blocked message from McAfee SiteAdvisor first, I assumed something got injected into the page and just checked back a few times until the site came back. The weird thing to me, is that the message by McAfee stayed in the window for a little bit and then was replaced by what I assume is the Google message Firefox displays.


0

Bad Behavior has blocked 5520 access attempts in the last 7 days.