We’ve been getting errors/reports that Dvorak’s blog has been hacked and has malware on it. I’m the admin and I can’t find it. Could use some help and advice to figure this out. Email marc@perkel.com
Thanks in advance.
NOTE FROM JOHN. It currently appears as if Google itself is hacked or specifically targeting this blog. If you are reading this try this experiment which just worked for me. Go to Google then do a search for the blog. Just search for Dvorak. When you see “Dvorak News Blog” click on that and come to the site from Google. BINGO MALWARE. This is backed up by Google’s own self analysis which the company seems unaware. Click here to see.
FIXED!
Found code in the wp-config.php file.
It’s worth pointing out that while you may have found the code injection in wp-config.php, that’s the symptom and not the cause. Bad guys can’t modify your PHP files unless they have ANOTHER way in to the site.
It’s usually a wordpress plugin or theme that is to blame, but bad passwords are also a common problem. And more interestingly still, there’s a fairly common variety of malware that, when your desktop computer gets infected, will send all of your saved FTP and admin passwords to the hacker.
If you don’t find and fix the hole, you’ll be back here again in a day or two.
Not fixed.
Adblock and flashblock both just crashed?
Something is clearly broken here.
I’m using Google Chrome v26.0.1410.64 m.
If I type dvorak.org into the address bar, Chrome (not Google.com) tells me it’s a bad malware site.
Then I clicked the “Advanced” option and it tells me all kinds of bad things. Then I re-type dvorak.org into the address bar, Chrome once again tells me it’s a bad malware site.
But when I click “Advanced” again, I get the option to proceed at my own risk, and I can get here.
I’ve had a similar experience a few weeks ago with a different web-site (I don’t remember exactly which one). The next day it was working again.
I suspect it is Google’s black-list which is the problem. Probably some other wordpress site got hacked, and Google (or someone) decided to black-list them all.
This is not correct. Google does not block all sites that use a specific piece of software such as WordPress – that would result in blocking a giant number of sites since WordPress is very popular. This specific sites has been hacked, ad has been confirmed by the administrator in this post and a comment. It has been blocked because it has been unwilling serving malicious code to everyone who visits it. This code has been injected into this site by finding a security whole in the software that powers this site.
You’re self hosting a WordPress site. You may as well paint a bullseye on your forehead.
I assume the line you removed started with something like eval(base64_decode(“Bgh…. You may have more configuration files whacked. Check:
cd /path/to/wordpress/install
grep -r base64 ./*
If you find more use a sed command to remove them. Be careful doing it and make sure you have recent backups.
Next, harden your server. Seriously just do it. Also, review and update your extensions.
Next, moderate your comments. You often have lots of links to spammers. You’ve got to clean out the comments and links to the infected sites. Blacklist the IP addresses from the commenter (won’t help much but why not?) and maybe consider removing the “website” link from your comment form.
As for Google, fill out the webmaster forms and you’re going to have to wait a bit. It looks like you’ve also dinged t.co and feedly. Google will rescan your site and intermediaries before they’ll wave the all clear. Google is pretty good once you’re clean but all that takes time and they get 10’s of thousands of these per day.
John can probably expedite the Google part because he’s got backdoor channels.
P.S. Don’t use a sed command on multiple files unless you’re really comfortable doing it.
Also the spammer comments aren’t that big of a deal except that you want your site clean before the next rescan. Clean up the comments from the last 21 days.
Hmmm… “Clean up the comments from the last 21 days.”
Seems a wee bit arbitrary? Or is that just best practice kind of advice? I think I’ll go back twenty one days and see if I can spot an ‘Inconvenient Link.’
Ohh, never mind. Sorry, I guess you got that number from the supplied Gubbel report. Now if you had said “33 days”…
I prefer 666 days, just to be safe. Most scanners roll a 3 week history. Google’s is longer but it’s weighted.
What happened when Google visited this site?
Of the 118 pages we tested on the site over the past 90 days, 19 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-05-03, and the last time suspicious content was found on this site was on 2013-05-03.
Malicious software is hosted on 7 domain(s), including hvdqroibk.port25.biz/, lgxejfm.zapto.org/, cnsycrdv.organiccrap.com/.
This site was hosted on 1 network(s) including AS6939 (HURRICANE).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, dvorak.org appeared to function as an intermediary for the infection of 3 site(s) including dvorak.com/, t.co/, feedly.com/.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 3 domain(s), including dvorak.com/, t.co/, feedly.com/.
I’m accessing this site with an iPhone until its been cleansed. Chrome browser said “whoa , you don’t wanna go there “
The desktop versions of Chrome and Safari use Google’s Safe Browsing program. Phones and tablets don’t use it to reduce network traffic.
And Firefox too. Don’t know about IE, don’t care. Try Opera if you’re in the mood.
Still getting warnings and a “safety redirect” while using Firefox at 8:58 pm CST on 05/03/2013.
Sitecheck is reporting no redirects which is good. But you’re still blacklisted (well no duh?). Remember that your top level domain is also blacklisted. You’ll want to confirm both dvorak.org and dvorak.org/blog have the blacklist lifted by Google.
One last question, have you locked down your .htaccess file?
It’s a government CIA/NSA conspiracy!
My girl rode me
& disclothed me
I checked with a couple of people who know this stuff well. Once your site is clean and you’ve filled in the Webmaster request it generally takes a few hours to a day for the blacklist to be removed. All this is stuff is automated so it goes pretty quickly if you do it the “Google Way”.
Also, your site attack was probably automated so you harden it up before it happens again.
Rogue without the detail sufficient to give appear valid says: “Of the 118 pages we tested on the site over the past 90 days, 19 page(s) resulted in malicious software being downloaded and installed without user consent. //// I don’t doubt this at all…… but….. please define malicious software? I visit DU EVERY DAY which means I should have 19 pages of malicious software on my machine?
Is this why Firefox freezes on Youtube?? So does IE but not 100%, and Opera is 100% working on Youtube.
Can you be ever so kind, informative, and helpful by stating SPECIFICALLY what threat a visitor is exposed to here?
My bittorrent program is listed as a threat on every scan I ever do but I’ve been using it for years and will continue to do so.
In advance……. you really ought to be more specific.
Blow your browser caches away. Get rid of any old Java plugins for your browser. Get rid of Flash.
Firefox is sucking because it needs a rewrite. IE chunders because it’s IE.
From Matt Cutts’ blog for all you Google conspiracy theorists out there. 😉
organiccrapDOTcom… LoL. So, it’s all about the seeds then? Probably an RIAA polluter-bot gone rouge {it’s hard to teach a machine context}.
A similar kind of thing happened to John Young over there at Cryptome awhile ago — Also powered by WP.
An interview with Mr. Young concearning that hack — his conclusion? *Posers, all* or words to that effect:
http://betabeat.com/2012/02/whistleblowing-website-cryptome-hacked-conspiracy-theories-do-not-abound/
PHP strikes again.
Great that you fixed the problem but it is pertinent to let us know what on earth you let us download onto our pc’s.
DU wasn’t infected with anything so they can’t tell you what, if anything, affected your computer. There was a hidden link on some of the pages which try to side load nasties to your computer using JavaScript, Flash, or something similar.
The sites listed in the redirect warnings from Google will rotate frequently and have different exploits, Trojans, worms, etc. It sucks that this site was hacked but it’s up to the user to protect themselves.
DU was at least forthcoming and honest about the problems. Maybe a little (OK, a lot) conspiracy prone but they haven’t hidden anything. If you’re worried, take appropriate security measures, which you should do anyways.
I was using Chrome and it’s also telling me this site has malware the moment i click on my bookmark. Right now I’m on a virtual PC running firefox, just in case there’s something wrong with the site here, but I figured it was BS.
Looks like John got Scroogled!
Both chome, and Firefox on windows 8, and Firefox on a virtual PC running XP, gave me warnings about this site today.
Right now I’m accessing this page on Haiku OS (based on BeOS) on a virtual PC, using it’s craptacular web browser “BeBook.” So there’s no way im gonna get hacked on this when this OS is from what I understand NOT based on Linux.
Sure is a WEIRD OS to use, kina reminds me of GEM interface… bleah.
Not fixed. I still get the error
IDEA..
1. scan all the posts for the links listed. Iv noted them before, while watching RSS of all posts.
1a. Check links encoded in NAMES
2. do the Scripts used, LINK to other locations that could be hacked?
3. its a SCAM report
4. someone is reporting your site.. Any way to contact google?
PHP injection, you’ve been injected son..
Clearly the Obama DHS has failed again to protect America.
It’s still blacklisted but the problem is gone. Just waiting till they look at it again.
AVG caught the problem on my rig. IE never blinked. I Wonder what else IE does not find?
Since Sunday is Must see TV, It is going to be a all device Sunday mal-ware scan a thon.
How do you scan Google TV devices and chrome books reliably?
Can the malware migrate from a win PC to chrome book or Google TV or vise versa?
Dvorak blog is my homepage. Time to get some boots on the ground and feet in the air. Everytime I log into Firefox I get the stupid message. I just ignore it and carry on. I trust ya Johnny!
As of 5/4/13 at 10:43 am, California time. It is still flagged as infected.
Still showing as flagged in Chrome at 12:55 Central
it is in opera to
Still flagged! (5-4-13 @ 13:00 MST) Had to access this site using a bootable Ubuntu 12 ISO from a VM (so that none of that Google “malware” infects my PC).
You (JCD) may like to check your advertisers and whatever code is coming though in those add windows (not that I would know since I block ad window junk as well as nearly every other Java thingy). I recall this problem popping up before way back in the Cranky Geeks days once too.
Then again, it does seem that security settings in most major browsers are now blocking “reported attack sites.” As you may know, this “feature” has nothing to do with any hacked DNS tables or anything. And just to be sure, I tried differend DNS servers like OpenDNS (at 208.67.222.222 and 208.67.220.220) as well as a few others including Google and my ISP’s own default DNS server just to be sure.
… Of course, this may instead be partly due to a previous article regarding how Firefox isn’t all that private! (Seems JCD may have pissed off the Mozilla developers with that one.)
Even after submitting that comment, this site was AGAIN blocked! (Nice to see that my previous comments still made it though.) I had to again uncheck the security setting in Firefox that blocks “reported attack sites” just to refresh the page and come back.
It really does seem like this site somehow pissed someone off at Google, Mozilla or go bot bitten or somthing. Personally, I’m thinking that some douche-bag politico-jerk did it with a hyperlink in a comment which was then identified by one of those Google bots! (Have you looked?)
Seems Google WILL have their way regarding all censorship everywhere when they block web sites over blog comments. Don”t you just love those DMCA Chickel Little assholes?!
Tried posting from my Mac, no luck. I still get malware notice in Safari.
All seems well n the ipad though
Expect effeminate trolling from pedro now.
Here’s the gory details.
If you find it boring then go with the alternate theory. Google paid North Korean hackers to attack the site since Dvorak revealed that the CIA is keeping the corpse of Patsy Cline frozen for alien-human cloning experiments.