There was some sort of worm / virus / spam machine or whatever on my site (maybe it’s been there for two days), and so my site was flagged by Google. Actually – this was a good thing, but it sure would be nice to get a warning first. Almost as soon as the ISP guy and I looked at the files on the site, you could see something was wrong. There were all sorts of files that had multiplied on the site – mostly what they did was to create HTML pages which would take you to another place where you’d be tricked somehow into buying something.
What we ended up doing was restoring the site to how it was about five days ago, and from what I could see, everything was clean, but that doesn’t mean there isn’t a bomb waiting to go off in a PHP file somewhere. So I’m working on what they call “hardening” the site – so that even if this thing goes off, it can’t do the type of writing it did last time.
In the meantime, I did a full scan of my laptop, and of course McAfee didn’t find any worms or anything on my machine. So the question still is – where did this bomb come from and how did it arrive?
That’s what I don’t know. And since I don’t know – it means it can happen again.
If you’re reading this in explorer – then you probably have no idea what I’m talking about. If you are in Firefox, then you are getting a red warning screen. And also in Google there is a warning posted by my site. Perfect to drive customers away.
And I know that two pics need to be re-uploaded. But I’m working very gingerly with the site right now. And would you believe that with all this going on – two nice orders came in today. Which means that I don’t think you get all the warnings if you are using IE. Basically, I’m watching some directories to see if anything mysterious appears there like it did before, or whether I did clean everything out. I also ran a bunch of Trojan horse and worm finding software, but nothing was found.
To me, it seemed like there may have been a WP plugin with a worm in it – timed – it would have had to be – or that there is some other hole in PHP that anyone who knows how can exploit. Linux, huh. Oh boy – let’s see what tomorrow brings.
* * * * *
Yes, it’s cleared up – for now. I don’t know the source of the infection, which means that it can and probably will happen again. I’m working on fighting the attacks – which do continue. In other words there are robot programs set up to try and crack my site. I know this because I now get emails when their IP has been blacklisted. The IPs are coming from Japan, China and Russia right now.
My local machine, btw, was clean (it took 6 hours to do a complete scan of all the drives).
I need to look into WordPress holes, because this is definitely WORDPRESS related. All of the faux HTML that was put on the site could only have been done with something that knew the WordPress directory structure.
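The two things the post keeps coming back to, watching directories for files that appear out of nowhere and hardening the tree so a dormant script cannot write new pages, can both be done with a baseline-and-diff check. The script below is an added example written for this page, not the author's code or anything shipped with WordPress. It hashes every file under a site root, compares a later snapshot against that baseline, flags the patterns described above (new or changed .php/.html files anywhere, and any .php file under wp-content/uploads, which should only ever hold media), and lists directories that are world-writable, which is the first hardening fix to make. The `demo()` function builds a constructed miniature WordPress layout in a temporary directory and plants files the way the post describes; the path names and file contents in it are made up for the demonstration.

```python
"""Baseline-and-diff file watch for a WordPress tree (added example, not the site's own tooling)."""
import hashlib
import os
import tempfile

# Extensions worth alerting on when a new or changed file shows up.
WATCH_EXT = {".php", ".html", ".htm", ".js"}


def sha256_file(path):
    """Stream a file through SHA-256 so large uploads don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_snapshots(baseline, current):
    """Return added / removed / modified paths between two snapshots."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def classify(changes):
    """Flag the patterns the post describes: PHP dropped into the uploads
    directory (never legitimate) and any other new or altered script/page."""
    findings = []
    for rel in changes["added"] + changes["modified"]:
        ext = os.path.splitext(rel)[1].lower()
        if rel.startswith("wp-content/uploads/") and ext == ".php":
            findings.append(("php-in-uploads", rel))
        elif ext in WATCH_EXT:
            findings.append(("new-or-changed-script", rel))
    return findings


def world_writable_dirs(root):
    """Directories any local user (or a PHP process running as www-data) can write into."""
    out = []
    for dirpath, dirs, _files in os.walk(root):
        for d in dirs:
            full = os.path.join(dirpath, d)
            if os.stat(full).st_mode & 0o002:
                out.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(out)


def demo():
    """Constructed miniature WordPress tree: take a baseline, plant the kind of
    files the post describes, and return what the diff and permission check flag."""
    root = tempfile.mkdtemp(prefix="wp-demo-")

    def write(rel, data="<?php // placeholder\n"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(data)

    # Clean state (hypothetical theme and upload names).
    write("index.php")
    write("wp-config.php")
    write("wp-content/themes/twentyten/index.php")
    write("wp-content/uploads/2009/photo.jpg", "not really a jpeg")
    baseline = snapshot(root)

    # Simulated compromise: a redirect page, a dropped script in uploads,
    # a tampered theme file, and an uploads directory left world-writable.
    write("cheap-pills.html", "<meta http-equiv=refresh content='0;url=http://example.invalid/'>")
    write("wp-content/uploads/2009/x.php", "<?php /* dropped script */ ?>")
    write("wp-content/themes/twentyten/index.php", "<?php // tampered\n")
    os.chmod(os.path.join(root, "wp-content/uploads"), 0o777)

    changes = diff_snapshots(baseline, snapshot(root))
    return {
        "changes": changes,
        "findings": classify(changes),
        "writable": world_writable_dirs(root),
    }


if __name__ == "__main__":
    result = demo()
    for kind, path in result["findings"]:
        print(f"{kind}: {path}")
    print("world-writable:", result["writable"])
```

In practice you would run `snapshot()` against the restored site once, store the manifest somewhere the web server cannot write (not inside the document root), and re-run the diff from cron; a non-empty `findings` list or anything in `writable` other than the directories WordPress genuinely needs to write to is the alert. Tightening the permissions that `world_writable_dirs()` reports is what stops a dormant PHP file from recreating the redirect pages, because the process it runs as simply cannot create them.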