16 May 2009

About the long downtime Fri & Sat

    On Thursday May 14, at approx. 5pm US time, the website fell victim to a very recent malware exploit dubbed "Gumblar.cn" (also identified as "JS:Redirector" by the aVast antivirus software).

    Reviewing the Kanji was in good company with much bigger sites like Variety.com and Tennis.com among the victims... though that is little consolation.

    So how did it happen?

    Read on for the gory story, and some instructions for Windows users who visited the site yesterday and may have been exposed to the malware.

    First let me clear up a couple things:

    • I'm using a fairly secure FTP password made of a lot of uppercase/lowercase letters mixed with random special characters, not something easily guessed.
    • My computer is "clean", and I rarely ever use P2P programs or download "cracks" these days.
    Still, I found a trojan on the computer.

    As I was doing an update yesterday by FTP, the trojan detected my password and sent it to the hacker's site. Just an hour later, their script logged in with my credentials and injected their code into 500+ files in a matter of SECONDS!

    My best guess is that this trojan found its way into my computer because I had Windows Updates on "manual", and didn't use resident virus protection (I usually scan files, but don't run the cpu-hogging local protection). Since this exploit is very recent, many infected websites are not yet blacklisted, and Google Chrome wouldn't show the security warning. On top of that, I found out that both aVast and Malware Bytes could not detect the trojan unless the virus database was just a COUPLE of days old!

    Which brings me to this important observation: if you use an anti-virus, leave the automatic updates on, otherwise it is simply useless. Next, if you're a sucker for optimization like me, then with aVast I would recommend keeping at least the "Web Shield" and "Network Shield" enabled.

    I was also being over-confident with the non-Internet Explorer browsers. This javascript malware exploits vulnerabilities in the Flash and Adobe Acrobat Reader plugins. This means that you can catch the malware regardless of which browser you use! A good lesson learned!

    These are the steps I took to clean up the site and make sure it doesn't happen again:

    • First I removed the trojan with the help of this article.
    • After removing the Trojan I was able to update the virus database of aVast Home Edition and Malware Bytes. I ran a complete scan and nothing else was found. Again I want to point out the fact that a complete scan with a virus database dated 10 May did not detect anything!
    • After verifying that the trojan was gone (it blocked regedit and cmd.exe among other things), I updated the FTP password.
    • Switched Windows Updates to automatic instead of manual.
    • Enabled some resident protection in aVast: "Network shield" and "Web shield". aVast displays a warning if you access a page with this malware.
    • Using a local copy of the production environment, I uploaded again all the php, html and javascript files. I double checked all the files against an FTP log of the hacker's script and all the files they touched. Because my local copy was not 100% up to date, and contained some experiments, it made the "restoration" process longer and more difficult.
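
    The last step, cross-checking the FTP log against a local copy that has drifted from production, is the part that takes the longest by hand. The script below is an added example and not the site's own tooling: it takes the set of files written by any FTP session that did not come from the owner's address, compares content hashes of the local copy against the server copy, and sorts every path into "restore from clean copy", "attacker wrote it but there is no clean copy", "legitimate drift to pull back first" and "local experiments not to publish". The log format, the IP addresses, the file contents and the `PLACEHOLDER` script tag standing in for the injected code are all constructed for the example; a real server log would need its own parser.

```python
"""Triage a compromised web root against a known-good local copy.

Added example for the restoration step described above; it is not the
site's own tooling. Assumptions, all constructed for this example:
the FTP log format "YYYY-MM-DD HH:MM:SS <client-ip> <command> <path>"
is a simplified stand-in for a real server log, and file contents are
held in dicts rather than read from disk so the script runs offline.
"""
import hashlib
from datetime import datetime

# Constructed sample log: the owner's own upload session, then a session
# from another address that reuses the stolen credentials an hour later.
FTP_LOG = """\
2009-05-14 16:02:11 198.51.100.7 STOR /public_html/index.php
2009-05-14 16:02:12 198.51.100.7 STOR /public_html/js/app.js
2009-05-14 17:01:40 203.0.113.9 RETR /public_html/index.php
2009-05-14 17:01:40 203.0.113.9 STOR /public_html/index.php
2009-05-14 17:01:41 203.0.113.9 RETR /public_html/about.html
2009-05-14 17:01:41 203.0.113.9 STOR /public_html/about.html
2009-05-14 17:01:42 203.0.113.9 STOR /public_html/js/app.js
"""

# Constructed file contents. The local copy contains an unpublished
# experiment; the server has one page newer than the local copy.
LOCAL = {
    "/public_html/index.php": "<?php echo 'hello'; ?>\n",
    "/public_html/about.html": "<html><body>about</body></html>\n",
    "/public_html/js/app.js": "var x = 1;\n",
    "/public_html/experiment.php": "<?php /* not yet published */ ?>\n",
}
PRODUCTION = {
    "/public_html/index.php": "<?php echo 'hello'; ?>\n<script src='PLACEHOLDER'></script>\n",
    "/public_html/about.html": "<html><body>about</body></html>\n<script src='PLACEHOLDER'></script>\n",
    "/public_html/js/app.js": "var x = 1;\n",  # rewritten with identical content
    "/public_html/contact.html": "<html><body>contact</body></html>\n",
}

# FTP commands that change what the server serves.
WRITE_COMMANDS = {"STOR", "DELE", "RNTO", "APPE"}


def parse_log(text):
    """Return (timestamp, ip, command, path) tuples in log order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, ip, cmd, path = line.split(maxsplit=4)
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        entries.append((ts, ip, cmd, path))
    return entries


def attacker_writes(entries, owner_ips):
    """Paths written by any session not coming from the owner's addresses,
    plus the earliest timestamp seen from such a session."""
    paths = set()
    first_seen = None
    for ts, ip, cmd, path in entries:
        if ip in owner_ips:
            continue
        first_seen = ts if first_seen is None else min(first_seen, ts)
        if cmd in WRITE_COMMANDS:
            paths.add(path)
    return paths, first_seen


def digest(content):
    return hashlib.sha256(content.encode()).hexdigest()


def diff_trees(local, production):
    """Classify paths by comparing content hashes of the two copies."""
    shared = local.keys() & production.keys()
    return {
        "modified": {p for p in shared if digest(local[p]) != digest(production[p])},
        "only_on_server": set(production) - set(local),
        "only_local": set(local) - set(production),
    }


def triage(local, production, log_text, owner_ips):
    """Decide, per path, whether to restore, pull back, or leave alone.

    restore:        written by the foreign session, re-upload from clean copy
    no_clean_copy:  written by the foreign session but absent locally
    drift:          differs from the local copy but untouched by the attacker,
                    i.e. legitimate changes to copy back before re-uploading
    stale_local:    only in the local copy (experiments), do not publish
    """
    touched, first_seen = attacker_writes(parse_log(log_text), owner_ips)
    d = diff_trees(local, production)
    return {
        "attacker_first_seen": first_seen.strftime("%Y-%m-%d %H:%M:%S") if first_seen else None,
        "restore": {p for p in touched if p in local},
        "no_clean_copy": {p for p in touched if p not in local},
        "drift": (d["modified"] | d["only_on_server"]) - touched,
        "stale_local": d["only_local"],
    }


if __name__ == "__main__":
    for key, value in triage(LOCAL, PRODUCTION, FTP_LOG, {"198.51.100.7"}).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

    Note that a file the attacker rewrote with unchanged content (js/app.js above) still lands in "restore": the log, not the hash comparison, decides what the attacker touched, and the hash comparison only serves to separate the site's own drift from the intrusion.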
    If you are a Windows user, AND you visited the website Thursday after approx. 5 PM US time until the website was taken down, and you didn't have all the latest Windows updates AND didn't use resident virus protection, I would highly recommend that you run a complete hard drive scan with Malware Bytes, and make sure that the virus database is dated 14 May or later.

    FOR WINDOWS USERS:

    The easiest way to check that your computer is clean is to go to the Start menu, choose "Run..." then type in "cmd" or "regedit" and press Enter. If you don't see the command shell window, or the regedit window, and the desktop seems to redraw itself, then you may have the trojan. Hopefully nobody will have been infected between the time the site was hit and when I was able to take it down. If you think you caught the trojan on a Windows OS, please post in this topic and I'll do my best to help.

    I'm really sorry and sincerely hope nobody's computer was infected through this site. I've taken steps that I believe will make this very unlikely to happen in the future.

    With that said, there's only so much you can do when you use Windows! This experience was a good reminder that not using IE is in fact NOT a guarantee for virus/malware protection.

    Many thanks to member Burritolingus who first reported the problem.