-
16 May 2009About the long downtime Fri & Sat
On Thursday May 14, approx 5pm US time, the website fell victim to a very recent malware exploit dubbed "Grumblar.cn" (also identified as "Js:Redirector" by the aVast antivirus software).
Reviewing the Kanji was in good company with much bigger sites like Variety.com and Tennis.com among the victims... though that is little consolation.
So how did it happen ?
Read on for the gory story, and some instructions for Windows users who would have visited the site yesterday, and who may have been exposed to the malware.First let me clear up a couple things:
- I'm using a fairly secure FTP password made of a lot of uppercas/lowercase letters mixed with random special characters, not something easily guessed.
- My computer is "clean", and I rarely ever use P2P programs or download "cracks" these days.
As I was doing an update yesterday by FTP, the trojan detected my password and sent it to the hacker's site. Just an hour later, their script logged in with my credentials and injected their code into 500+ files in a matter of SECONDS!
My best guess is that this trojan found its way into my computer because I had Windows Updates on "manual", and didn't use resident virus protection (I usually scan files, but don't run the cpu-hogging local protection). Since this exploit is very recent, many infected websites are not yet blacklisted, and Google Chrome wouldn't show the security warning. On top of that, I found out that both aVast and Malware Bytes could not detect the trojan unless the virus database was just a COUPLE days old!
Which brings me to this important observation: if you use an anti-virus leave the automatic updates on, otherwise they are simply useless. Next, if you're a sucker for optimization like me, then I would recommend with aVast to keep at minimum the "Web Shield" and "Network Shield".
I was also being over-confident with the non-Internet Explorer websites. This javascript malware exploits vulnerabilities in the Flash and Adobe Acrobat Reader plugins. This means that you can catch the malware regardless of which browser you use! A good lesson learned!
These are the steps I took to clean up the site and make sure it doesn't happen again:- First I removed the trojan with the help of this article.
- After removing the Trojan I was able to update the virus database of aVast Home Edition and Malware Bytes. I ran a complete scan and nothing else was found. Again I want to point out the fact that a complete scan with a virus database dated 10 May did not detect anything!
- After verifying that the trojan was gone (it blocked regedit and cmd.exe among other things), I updated the FTP password.
- Switched Windows Updates to automatic instead of manual.
- Enabled some resident protection in aVast: "Network shield" and "Web shield". aVast displays a warning if you access a page with this malware.
- Using a local copy of the production environment, I uploaded again all the php, html and javascript files. I double checked all the files with a FTP log of the hacker's script and all the files they touched. Because my local copy was not 100% up to date, and contained some experiments, it made the "restoration" process longer and more difficult.
FOR WINDOWS USERS:
The easiest way to check that your computer is clean is to go to the Start menu, choose "Run..." then type in "cmd" or "regedit" and press Enter. If you don't see the command shell window, or the regedit window, and the desktop seems to redraw itself, then you may have the trojan. Hopefully nobody will have been infected between the time the site was hit and when I was able to take it down. If you think you caught the trojan on a Windows OS, please post in this topic and I'll do my best to help.
I'm really sorry and sincerely hope nobody's computer was infected through this site. I've taken steps that I believe will make this very unlikely to happen in the future.
With that said, there's only so much you can do when you use Windows! This experience was a good reminder that not using IE is in fact NOT a guarantee for virus/malware protection.
Many thanks to member Burritolingus who first reported the problem.
By Month
- Nov 2024 (1)
- Sep 2024 (1)
- Jun 2024 (2)
- May 2024 (4)
- Apr 2024 (3)
- Mar 2024 (1)
- Feb 2024 (1)
- Dec 2023 (1)
- Nov 2023 (2)
- Oct 2023 (2)
- Apr 2023 (2)
- Mar 2023 (2)
- Feb 2023 (1)
- Jan 2023 (2)
- Dec 2022 (1)
- Nov 2022 (2)
- Oct 2022 (3)
- Sep 2022 (1)
- May 2022 (4)
- Apr 2022 (1)
- Feb 2022 (2)
- Jan 2022 (2)
- Dec 2021 (4)
- Nov 2021 (2)
- Oct 2021 (2)
- Sep 2021 (2)
- Aug 2021 (1)
- Apr 2021 (2)
- Feb 2021 (3)
- Jan 2021 (3)
- Dec 2020 (1)
- Nov 2020 (1)
- May 2020 (1)
- Apr 2020 (1)
- Jan 2020 (1)
- Oct 2019 (1)
- Sep 2019 (1)
- Aug 2019 (4)
- Jul 2019 (3)
- Jun 2019 (1)
- May 2019 (1)
- Mar 2019 (2)
- Jan 2019 (1)
- Nov 2018 (3)
- Oct 2018 (8)
- Sep 2018 (4)
- Aug 2018 (3)
- Jul 2018 (1)
- Jun 2018 (4)
- May 2018 (1)
- Apr 2018 (1)
- Mar 2018 (1)
- Jan 2018 (1)
- Dec 2017 (6)
- Nov 2017 (4)
- Oct 2017 (4)
- Sep 2017 (5)
- Aug 2017 (5)
- Jun 2017 (3)
- May 2017 (2)
- Apr 2017 (3)
- Mar 2017 (7)
- Feb 2017 (10)
- Jan 2017 (11)
- Dec 2016 (6)
- Nov 2016 (5)
- Oct 2016 (6)
- Sep 2016 (7)
- Aug 2016 (3)
- May 2016 (1)
- Mar 2016 (2)
- Jan 2016 (1)
- Dec 2015 (3)
- Nov 2015 (1)
- Oct 2015 (1)
- Sep 2015 (7)
- Jul 2015 (2)
- Jun 2015 (1)
- May 2015 (5)
- Apr 2015 (4)
- Mar 2015 (5)
- Feb 2015 (4)
- Jan 2015 (5)
- Dec 2014 (4)
- Nov 2014 (3)
- Oct 2014 (2)
- Jun 2014 (1)
- Apr 2014 (2)
- Mar 2014 (4)
- Feb 2014 (3)
- Jan 2014 (4)
- Dec 2013 (2)
- Oct 2013 (1)
- Sep 2013 (1)
- Jun 2013 (4)
- May 2013 (1)
- Mar 2013 (1)
- Jan 2013 (2)
- Oct 2012 (2)
- Aug 2012 (1)
- Jul 2012 (2)
- Jun 2012 (2)
- May 2012 (1)
- Mar 2012 (2)
- May 2011 (1)
- Apr 2011 (4)
- Mar 2011 (3)
- Feb 2011 (2)
- Jan 2011 (2)
- Dec 2010 (8)
- Nov 2010 (8)
- Oct 2010 (3)
- Sep 2010 (3)
- Aug 2010 (1)
- Jul 2010 (2)
- Jun 2010 (5)
- May 2010 (1)
- Apr 2010 (3)
- Mar 2010 (4)
- Feb 2010 (2)
- Jan 2010 (1)
- Dec 2009 (5)
- Nov 2009 (5)
- Oct 2009 (1)
- Aug 2009 (1)
- May 2009 (5)
- Apr 2009 (2)
- Mar 2009 (1)
- Feb 2009 (2)
- Jan 2009 (2)
- Nov 2008 (1)
- Oct 2008 (1)
- Sep 2008 (1)
- May 2008 (2)
- Apr 2008 (1)
- Feb 2008 (6)
- Jan 2008 (5)
- Dec 2007 (6)
- Oct 2007 (1)
- Sep 2007 (2)
- Aug 2007 (3)
- Jun 2007 (1)
- May 2007 (5)
- Apr 2007 (1)
- Mar 2007 (2)
- Feb 2007 (1)
- Jan 2007 (4)
- Dec 2006 (3)
- Aug 2006 (1)
- Jun 2006 (3)
- Apr 2006 (6)
- Mar 2006 (8)
- Feb 2006 (1)
- Jan 2006 (4)
- Nov 2005 (1)
- Oct 2005 (4)
- Sep 2005 (1)
- Aug 2005 (11)