How my wordpress blog got attacked and restored

On thursay Evening i came to my house at 6.00P.M and browsed some financial pages.  I am really so tired and slept while browsing. When i woke up at 9.00p.m my brother shouted at me that our desktop pc got attacked by some virus(Bit Defender Antivirus detects the virus.. Still now iam not aware about the virus name)and insisted me to use his laptop and told me not to use the desktop until he reinstalls the Windows operating system.

The Next day at 5.45a.m in the morning i found that my brother is working for his college seminar in his laptop. So I am thinking about starting my desktop. I found that my Antivirus had not yet loaded during windows startup. I was cautious about the virus so instantly i uninstalled my Filezilla software which i often use to upload files to my webserver where marketcalls and few more of my domains had hosted there.

At 6.00a.m(Approx)I started the anitvirus. It reads the virus and also informed that my Windows firewall had been deactivated. So I tried to activate my Windows Firewall. I opened the Windows Firewall Security settings from the control panel and noticed that it is different from the usual with few more buttons like check for malware,Detect Spam..etc. My brother insisted me not to do anything with the PC right now until he reinstall the Windows OS. But i am curious about check my PC for malware. When i click the “Check for Malware ” button in the Windows Firewall Settings the next moment my system got crashed.

My brother instantly reacted to the attack. He reinstalled the PC with Windows XP in next half and hour and once again shouted me again not to touch the desktop until all the things got settle(Until he installs all the essential  security softwares) and not even to touch his laptop. I lost all my database required for Amibroker which i stored in my local drive. We both left the house(my brother went to college and i went to my office)
Around 4p.m-5.00p.m i got few call from my readers and guest post authors that my site is blank with the following error

“Parse error: syntax error, unexpected ‘<' in /home/public_html/marketcalls.in/wp-includes/default-filters.php on line 230"

At the first time i thought that my wordpress site would be crashed. But later realised that my other wordpress hosted sites too gone down. Iam really confused. “How three site will go down in a one single go”. So I logged into statcounter to check for the last visit in my page. The page shows last visit to my page happened at 10.00a.m. It means that my website is down from the friday morning. I also got call from one of my friend that his wordpress also facing similar problem right from 12.00p.m.

I did some search about this wordpress crash in few web forums. Some one said that it is a code injection attack. And some pages reads that wordpress had crashed simply. I believed that at first sight i believed that my wordpress would be crashed because it is such a secure one and the password are difficult the crack. But I hadnt realised that the problem is not the passwords. I told my brother that all the three blogs got crashed. He got antonished and said that he will install the Bit Defender before iam getting engaged with my blog work once again.

When i came to my home my brother installed my PC with necessary security settings.  I downloaded the standard wordpress package from wordpress.org and tried to repace the crashed wp-include folder. My site got restored the next moment i replaced the wp-include folder in the Web-server

The next day in the morning i had seen that when iam trying to open my home page in my chrome brower it throws the warning that malware has been attacked in this blog.This virus infected in my blog  is not related to the host, but its related to client side malware.

I correlated the events that happened in the saturday morning that some how the virus/trojan could stole my FTP password which i use to login to my Webserver.  This malware gets the ftp details from the session, connects the site you last connected through ftp, downloads index.* (index.html, index.htm, index.php, index.aspx etc), inserts the iframe code and finally uploads back to the server. So I checked my html source code from the browser window. It shows that some different encryted code using base64 algorithm appended below the < /html> tag

I manually verified by viewing index.php pages and theme pages for any such code injection attacks in my blog and i found few additional codes in index.php file and arthemia index.php which is different from the usual one. Even though after deleting those malicous code i found that still the malware problem exist in marketcalls home page. I also tried installing WordPress security scanner. But it shows the possibilites of 6000 possibilites of such attacks in all the javascripts page used in marketcalls.

So the only solution is delete all the files and reinstall the wordpress once again freshly in the webserver. Simply done that. And after than changed my PC Password, FTP Password, Marketcalls admin password, username and also done the security guidelines for hardening the wordpress installation and make it hackproof by closing all the security loopholes.

Read the following links if you hold a self hosted wordpress account just like me

Iframe Injection Attack

11 Ways To Secure Your WordPress Blog

Did your WordPress site get hacked?

WordPress Injection Attack

Now everything is fine now an still monitoring my blog and kept a very close watch on that.

Related Readings and Observations

  • Godaddy Sites got hacked… Uh I restored mine! There is an undetermined number of sites hosted at GoDaddy Server that have been attacked and exploited and unfortuanely Mine is one among them. The scenario is the same as a few months ago: Malwar...
  • Financial Threats : Torpig botnet Here is a one hour video lecture from Google about botnet attacks and phising scams using mebroot rootkit(A rootkit is a software program or coordinated set of programs designed to gain control ove...
  • About Spam Comments in WordPress As a wordpress blogger, iam using Aksimet Plugin to Auto Segregate Good Comments(Ham) from the SPAM. Akismet is the brainchild of Matt Mullenweg, the founder of WordPress. Interestingly the guy is ...
  • Marketcalls is Safe and Secure Now Its safe and secure now. All the vulnerabilities in the site has been removed and more protection measures had been incorporated into this blog. Now members can freely roam into any part of this si...
Rajandran R

Rajandran is a trading strategy designer and founder of Marketcalls, a hugely popular trading site since 2007 and one of the most intelligent blog in the world to share knowledge on Technical Analysis, Trading systems & Trading strategies. More From Rajandran R »

15 comments… add one

  • Anuj Joshi March 21, 2010, 4:40 pm

    hi Rajandran
    Thats a long list of troubles that you faced.. Although I started blogging with word press..but this hosting stuff I couldn’t understand so shifted to blogger…
    There is this debate all over the internet whether Word press is better or blogger..and mostly people conclude that word press is a better platform…as it offer better customization(I have no idea about how that is done..as my knowledge about this host stuff is zero)
    Can the same thing happen to my blogger hosted blog….Is blogger more safe as the content is host by Google?…
    So if there is a virus in my PC can it go to my blog …and then go to other PC around the world ?
    If yes…how can this be prevented…
    Just enjoy your weekend and relax…you can answer my questions when ever you find time…In the meanwhile I will check your related links
    Cheers

    Reply
  • Sourabh March 21, 2010, 4:44 pm

    RAJENDARAN REALLY YOU DONE SUPERB WORK…I SALUTE YOUR ATTITUDE TOWARDS YOUR WORK.. .

    Reply
  • Rajandran March 21, 2010, 8:16 pm

    The first thing to understand about Wordpress is that there are 2 different versions. The first version would be the free, shared-hosting version at wordpress.com with doesnt supports google adsense. This is usually the easiest option to get up & running in just a few minutes. The second version is self-hosted and available as a download from wordpress.org. For this version you’d need to purchase your own web hosting space. Wordpress’ free, shared-hosting version is much better in terms of SEO than Blogger. Not only do blogs show up in Wordpress’ high-traffic directory, popular tags are often listed in organic search results of Google & Yahoo! linking to the most recent/popular blogs using that tag. Wordpress blog posts also tend to show up separately in organic search results more readily than Blogger or any other blogging platform.

    Wordpress’ interface is a little more advanced than Blogger, though still with some drag & drop functionality. Unlike Blogger, Wordpress(shared hosting) limits what kinds of widgets you can add to your blog’s sidebar. Certain forms of HTML and JavaScript are not allowed, limiting your ability to embed flash slideshows etc. Furthermore, Wordpress specifically states in their Terms that blogs about certain topics such as home business & affiliate marketing are not allowed. So even though the free version of Wordpress is better for SEO, it’s not the best option for bloggers who are involved in home business or affiliate marketing.

    Self-hosted Blogs: The Benefits

    Now, if you’re blogging for your business and looking for a solution that offers both functionality and great SEO capabilities, it’s best to purchase your own hosting and install the Wordpress platform from Wordpress.org. First off, you won’t be bound to the same restricting Terms of Use as you would be with the free, shared-hosting version of Wordpress (wordpress.com). This means that you’re blog can be completely commecial in nature and include as much or as little self-promotion and advertising as you feel necessary. Furthermore, free plug-ins allow you to add a variety of functions to your blog, from external SEO and traffic stats to external RSS feeds, widgets, geo-tracking (maps which show where your readers are coming from) and even social bookmarking icons and the ability to update your Twitter account each time you make a new blog post. The use of HTML and JavaScript are also allowed so that you can embed flash slideshows, videos and widgets, whereas this functionality is blocked with the free, shared-hosting version of Wordpress. Last, a self-hosted blog can be attached to your business’s website, providing fresh content each time you create a post or someone leaves a comment. This improves the SEO and search engine ranking of both your blog and the website it’s attached to, meaning that you don’t have to update your actual website to as much to increase your rank. Finally, self-hosted blogs come with a much larger variety of templates, allowing you to create a more original look for your blog (as opposed to the set 20 or so templates that are available with the shared-hosting version). And if you know a little HTML and/or CSS, you can take it a step further and customize your blog to match the look & feel of your website for a completely unique look

    While many stray away from this option because of the perceived costs, hosting can cost as little as $7 a month. Not to mention, if you’ve already got your own commercial website then you’ve already got hosting! Many hosting providers such as Yahoo! already have the Wordpress platform installed; you need only to activate it and choose your template to get started!

    The only draw-back to creating a self-hosted blog is initial set-up. While you don’t have to be completely techy, it does help to know things like CSS. It also helps to know a bit about hosting & FTP clients in order to properly install the Wordpress platform. Fortunately, there are plenty of tutorials out there that can teach you how to install Wordpress into your hosting account, and plug-ins usually come with install instructions as well. If you’re willing to sit down for about 2 hours, you can successfully install a blog that’s fully equipped with SEO built in and ready for the web! And for those who don’t want to bother with the extra hassle of optimizing your blog for the search engines, there are plenty of programs which offer pre-optimized Wordpress install packs with the proper plug-ins already incorporated. It may take more time to get up & running than the free, shared-hosting version, but the benefits are far greater!

    Reply
  • Rajandran March 21, 2010, 8:30 pm

    My my wordpress case the trojan which attacks my PC could probaly stolen my FTP password which i used to login into my webserver and could try to download the index.php files in from my webserver and remodified those files with additional malicious codes in it. In other words it is a code injection attack.

    If you find any of the blog’s view source code using your own brower and if you find any suspcious code below tag then there is a possibilities of malware to the cliend side system. i.e those who is viewing the site, the malicous code may either try to harm the visitor by throwing unwated virus into their system. These virus once again may try to explore for more FTP password and more security related issues. As per my knowledge Code Injection attack is very less intensity attack. Here peoples will be attacked if their PC’s are not properly protected.

    Its not a threat to my webserver but for those who visiting the blog.
    More over only Self hosted blogs and websites. In case of Blogger Blogs or shared hosted blogs its considered to be more secure as google and wordpress people takes more care in scanning their own system. There is a possibilites of such threats only if the blog owner injects the code in his own blog or else if your blogger password account got stolen from you.. this type of threat could happen.

    Whatever…. I feel secured now…. Let see Still Iam not closing my eyes now .Just constantly monitoring the issue

    Reply
  • sri March 21, 2010, 9:41 pm Reply
  • Rowdy007 March 22, 2010, 3:49 am

    Awesome man ………….

    Reply
  • Rajandran March 22, 2010, 7:35 am

    Thanks for the info sri.But if you search for this keyword in google

    wp-includes/default-filters.php on line 230″ you could find tons of code injected sites malicious sites

    In such a sites if a visitor see the message “This site may harm your computer” pop up when (s)he try to access your website/blog, (s)he may not return again. Remember that if the security of your website is compromised, it can affect the search engine rankings of the website. Besides, it may pave way for more sophisticated attacks.

    Google will mark your site in it’s search results with a warning: “This site may harm your computer”.

    If there is any history of Malware/Trojan Affected sites in case of doubt you can verify it with Google Safe browsing.

    http://www.google.com/safebrowsing/diagnostic?site=yoursite.com

    replace the yoursite with the corresponding domain before safer browsing or else try with norton safeweb

    http://safeweb.norton.com/

    Reply
  • Anuj Joshi March 22, 2010, 4:56 pm

    Hi Rajandran
    Nice article on word press and blogger…that pretty much sums up everything I wanted to know about word press
    Cheers…Thanks again

    Reply
  • Sujith March 22, 2010, 9:16 pm

    Hi, Rajendran
    I came across your blog a few days back in connection with Arthemia theme customization issue of one of my visitors. The next day I noticed an Iframe attack in your site and discussed about this with your friend. Any way it is happy to see that you have restored the site. Most of us are lazy to preserve the life saving medicine-backup.

    Reply
  • Rajandran R March 23, 2010, 8:40 am

    :)

    Reply
  • Rajandran R March 23, 2010, 8:47 am

    @Sri,

    Bit Defender had delivered a patch for the same
    http://www.bitdefender.com/site/KnowledgeBase/consumer/#638

    This is almost crazy! :x

    Reply
  • sri March 23, 2010, 5:15 pm

    Hi Rajendran,

    Yes, Bit defender accepted the faulty update and issued a patch for that.
    In your case if it was a virus attack then very bad.
    But if it was a false positive caused by the buggy update it is scary. The kind of software that can be pushed in via automatic updates…

    Reply
  • ravi March 23, 2010, 11:35 pm

    Hello sir,

    Unfortunately my laptop also got affected by the virus. On saturday, i just opened your website and before i could read your warning about virus, my system also got infected. At the end i had to reformat it and lost all valuable data/files. Intensity of the virus is so severe that it disabled my antivirus software and all drives leaving with no option but to format the system. Any how, congrats for restoring your site.
    Regards,
    Ravi

    Reply
  • Rajandran R March 23, 2010, 11:44 pm

    Ravi,Sorry for the Inconveniance caused. I too last most of my data. Still recovering what i had lost

    Reply
  • Kavita September 23, 2010, 5:18 pm

    Hi Rajandran,

    Thanks for the wonderful stock tips you give in your blog and on stockezy.

    I am also using arthemia theme for my blog SFIhomebizz.com, hosted on godaddy and I use filezilla to upload my files. 1 week back I found that some malicious code with lots of numbers and alphabets, that was getting added in most of the php files. I could not find any answer for this on internet.

    So, I simply removed malicious codes from all php files but next day the same code. After removing again the same code. After 3 times nothing more has happened. But just 1 hour back I tried to add a function to the functions.php which showed error like

    Parse error: syntax error, unexpected ‘}’ in /home/content/67/5849767/html/wp-content/themes/arthemia/functions.php on line 10

    so I removed the new function code and saved the file but amazingly error is still occuring and my blog on browsing is showing the same code.

    Is there no other choice like software that checks the faulty code and corrects rather than to add arthemia theme freshly.

    Looking for your sincere advice Rajandran. You can email me at contact@sfihomebizz.com or the email address I am mentioning in the comment form.

    Reply

Leave a Comment

Follow Us

Recommend on Google

About the Author

    • Rajandran is a Market Analyst and founder of Marketcalls, one of the most intelligent blog in the world to share knowledge on Technical Analysis, Trading systems & Trading strategies.