On Thursday evening I came home at 6.00 p.m. and browsed some financial pages. I was really so tired that I fell asleep while browsing. When I woke up at 9.00 p.m. my brother shouted at me that our desktop PC had been attacked by some virus (Bit Defender Antivirus detected the virus; even now I am not aware of the virus name) and insisted that I use his laptop, and told me not to use the desktop until he reinstalls the Windows operating system.
The next day at 5.45 a.m. in the morning I found that my brother was working on his college seminar on his laptop. So I thought about starting my desktop. I found that my antivirus had not yet loaded during Windows startup. I was cautious about the virus, so I instantly uninstalled my FileZilla software, which I often use to upload files to my web server where marketcalls and a few more of my domains are hosted.
At 6.00 a.m. (approx.) I started the antivirus. It read the virus and also informed me that my Windows Firewall had been deactivated. So I tried to activate my Windows Firewall. I opened the Windows Firewall security settings from the Control Panel and noticed that it was different from the usual, with a few more buttons like “Check for Malware”, “Detect Spam”, etc. My brother insisted that I not do anything with the PC right now until he reinstalled the Windows OS. But I was curious to check my PC for malware. When I clicked the “Check for Malware” button in the Windows Firewall settings, the next moment my system crashed.
My brother instantly reacted to the attack. He reinstalled the PC with Windows XP in the next half an hour and once again shouted at me not to touch the desktop until everything got settled (until he installs all the essential security software) and not even to touch his laptop. I lost all my database required for Amibroker, which I had stored on my local drive. We both left the house (my brother went to college and I went to my office).
Around 4 p.m.-5.00 p.m. I got a few calls from my readers and guest post authors that my site was blank with the following error:
“Parse error: syntax error, unexpected '<' in /home/public_html/marketcalls.in/wp-includes/default-filters.php on line 230”
At first I thought that my WordPress site had crashed. But later I realised that my other WordPress hosted sites had gone down too. I was really confused: “How will three sites go down in one single go?” So I logged into StatCounter to check for the last visit to my page. The page showed that the last visit to my page happened at 10.00 a.m. It means that my website had been down since Friday morning. I also got a call from one of my friends that his WordPress was also facing a similar problem right from 12.00 p.m.
I did some searching about this WordPress crash in a few web forums. Someone said that it is a code injection attack. And some pages read that WordPress had simply crashed. At first sight I believed that my WordPress would have just crashed, because it is such a secure one and the passwords are difficult to crack. But I hadn't realised that the problem was not the passwords. I told my brother that all the three blogs had crashed. He was astonished and said that he would install Bit Defender before I got engaged with my blog work once again.
When I came home my brother had installed my PC with the necessary security settings. I downloaded the standard WordPress package from wordpress.org and tried to replace the crashed wp-includes folder. My site got restored the next moment I replaced the wp-includes folder on the web server.
The next day in the morning I saw that when I was trying to open my home page in my Chrome browser it threw a warning that this blog had been attacked by malware. This virus that infected my blog is not related to the host, but is related to client-side malware.
I correlated the events that happened on Saturday morning: somehow the virus/trojan could have stolen my FTP password which I use to log in to my web server. This malware gets the FTP details from the session, connects to the site you last connected to through FTP, downloads index.* (index.html, index.htm, index.php, index.aspx etc.), inserts the iframe code and finally uploads it back to the server. So I checked my HTML source code from the browser window. It showed some different encrypted code using the base64 algorithm appended below the </html> tag.
So the only solution was to delete all the files and reinstall WordPress once again freshly on the web server. Simply did that. And after that I changed my PC password, FTP password, Marketcalls admin password and username, and also followed the security guidelines for hardening the WordPress installation and making it hack-proof by closing all the security loopholes.
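As an added example (not part of the original post, and not the malware's or WordPress's own code), here is a small Python scanner for the symptom described above, which is also a quick way to verify a fresh reinstall before the site goes live again: it walks a site's document root, picks out the index.* files the post says the malware rewrites, and flags anything appended after the closing </html> tag, including base64 blobs that decode to an iframe or script tag. The sample pages embedded in it are constructed for the demonstration; example.invalid is a placeholder host.

```python
import base64
import binascii
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# File names the post says the malware rewrites at the FTP login path.
INDEX_NAMES = ("index.html", "index.htm", "index.php", "index.aspx")

HTML_CLOSE = re.compile(r"</html\s*>", re.IGNORECASE)
SUSPICIOUS_TAG = re.compile(r"<\s*(iframe|script)\b", re.IGNORECASE)
# A run of base64 alphabet long enough to hide a tag; shorter runs are ordinary words.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class Finding:
    path: str
    reason: str
    snippet: str


def trailing_content(html: str) -> Optional[str]:
    """Return whatever follows the last </html> tag, or None if the tag is absent."""
    last = None
    for last in HTML_CLOSE.finditer(html):
        pass
    return None if last is None else html[last.end():]


def inspect_page(html: str, path: str = "<memory>") -> List[Finding]:
    """Flag iframe/script tags appended after </html>, plain or base64-wrapped."""
    findings: List[Finding] = []
    tail = trailing_content(html)
    if tail is None or not tail.strip():
        return findings  # nothing after </html>: the symptom from the post is absent
    if SUSPICIOUS_TAG.search(tail):
        findings.append(Finding(path, "iframe/script tag after </html>", tail.strip()[:80]))
    for blob in B64_BLOB.findall(tail):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not valid base64, just a long token
        if SUSPICIOUS_TAG.search(decoded):
            findings.append(Finding(path, "base64 blob decodes to iframe/script", decoded[:80]))
    return findings


def scan_pages(pages: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: html} mapping; only index.* entries are checked."""
    findings: List[Finding] = []
    for path, html in pages.items():
        if os.path.basename(path).lower() in INDEX_NAMES:
            findings.extend(inspect_page(html, path))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a document root on disk (e.g. a local copy of public_html) and scan every index.* file."""
    pages: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in INDEX_NAMES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    pages[full] = fh.read()
    return scan_pages(pages)


# Constructed sample pages for the demonstration (example.invalid is a placeholder host).
CLEAN_PAGE = "<html><head><title>ok</title></head><body><p>hello</p></body></html>\n"
HIDDEN_IFRAME = '<iframe src="http://example.invalid/x.php" width="1" height="1"></iframe>'
INJECTED_PAGE = CLEAN_PAGE + HIDDEN_IFRAME + "\n"
ENCODED_PAGE = (
    CLEAN_PAGE
    + "<script>document.write(atob('"
    + base64.b64encode(HIDDEN_IFRAME.encode()).decode()
    + "'))</script>\n"
)
SAMPLE_SITE = {
    "public_html/index.php": CLEAN_PAGE,
    "public_html/blog/index.html": INJECTED_PAGE,
    "public_html/shop/index.htm": ENCODED_PAGE,
    "public_html/blog/about.html": INJECTED_PAGE,  # not index.*, so not scanned
}

if __name__ == "__main__":
    for f in scan_pages(SAMPLE_SITE):
        print(f"{f.path}: {f.reason}: {f.snippet!r}")
```

Run it as `scan_tree("/path/to/public_html")` against a local download of the site. Treat hits as items to review rather than proof on their own, since some legitimate tracking snippets also sit after </html>; and note that a clean scan only says the index files are clean, it says nothing about the PC that leaked the FTP password, so the password changes described above still apply.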
Read the following links if you hold a self-hosted WordPress account just like me:
Iframe Injection Attack
Now everything is fine and I am still monitoring my blog and keeping a very close watch on it.