On Thursday evening I came home at 6.00 p.m. and browsed some financial pages. I was really tired and fell asleep while browsing. When I woke up at 9.00 p.m. my brother shouted at me that our desktop PC had been attacked by some virus (BitDefender Antivirus detected the virus; even now I am not aware of the virus name) and insisted that I use his laptop, telling me not to use the desktop until he reinstalled the Windows operating system.
The next day at 5.45 a.m. I found that my brother was working on his college seminar on his laptop, so I thought about starting my desktop. I found that my antivirus had not yet loaded during Windows startup. I was cautious about the virus, so I instantly uninstalled my FileZilla software, which I often use to upload files to my web server, where marketcalls and a few more of my domains are hosted.
At 6.00 a.m. (approx.) I started the antivirus. It detected the virus and also informed me that my Windows Firewall had been deactivated. So I tried to activate my Windows Firewall. I opened the Windows Firewall security settings from the Control Panel and noticed that it was different from the usual, with a few more buttons like “Check for Malware”, “Detect Spam”, etc. My brother insisted that I not do anything with the PC until he reinstalled the Windows OS. But I was curious to check my PC for malware. The moment I clicked the “Check for Malware” button in the Windows Firewall settings, my system crashed.
My brother instantly reacted to the attack. He reinstalled the PC with Windows XP in the next half an hour and once again shouted at me not to touch the desktop until everything got settled (until he installed all the essential security software), and not even to touch his laptop. I lost all the database files required for AmiBroker which I had stored on my local drive. We both left the house (my brother went to college and I went to my office).
Around 4.00 p.m. to 5.00 p.m. I got a few calls from my readers and guest post authors that my site was blank with the following error:
“Parse error: syntax error, unexpected '<' in /home/public_html/marketcalls.in/wp-includes/default-filters.php on line 230”
At first I thought that only my WordPress site had crashed. But later I realised that my other WordPress-hosted sites had gone down too. I was really confused: “How can three sites go down in one single go?” So I logged into StatCounter to check the last visit to my page. It showed that the last visit to my page happened at 10.00 a.m. That means my website had been down since Friday morning. I also got a call from one of my friends that his WordPress was also facing a similar problem, right from 12.00 p.m.
I did some searching about this WordPress crash in a few web forums. Someone said that it is a code injection attack, and some pages said that WordPress had simply crashed. At first sight I believed that my WordPress had simply crashed, because it is such a secure one and the passwords are difficult to crack. But I hadn't realised that the problem was not the passwords. I told my brother that all three blogs had crashed. He was astonished and said that he would install BitDefender before I got engaged with my blog work once again.
When I came home my brother had set up my PC with the necessary security settings. I downloaded the standard WordPress package from wordpress.org and tried to replace the crashed wp-includes folder. My site was restored the moment I replaced the wp-includes folder on the web server.
The next morning I saw that when I tried to open my home page in my Chrome browser it threw a warning that this blog had been attacked by malware. The virus infecting my blog is not related to the host, but to client-side malware.
I correlated the events that happened on Saturday morning: somehow the virus/trojan could have stolen the FTP password I use to log in to my web server. This malware gets the FTP details from the session, connects to the site you last connected to through FTP, downloads index.* (index.html, index.htm, index.php, index.aspx, etc.), inserts the iframe code and finally uploads the files back to the server. So I checked my HTML source code from the browser window. It showed some strange base64-encoded code appended below the </html> tag.
So the only solution was to delete all the files and reinstall WordPress freshly on the web server. I simply did that. After that I changed my PC password, FTP password, and the Marketcalls admin password and username, and also followed the security guidelines for hardening the WordPress installation to make it hack-proof by closing all the security loopholes.
Read the following links if you hold a self-hosted WordPress account just like me:
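A defender-side check for the injection pattern described above, written as an added example (not code from this blog or from WordPress): it walks a site tree and flags index.* files that carry content appended after </html>, an iframe tag, or a base64 blob that decodes to markup or script. The sample files and payload it builds are constructed for the demo.

```python
import base64
import os
import re
import tempfile

INDEX_NAMES = re.compile(r"^index\.(html?|php|aspx?)$", re.IGNORECASE)
IFRAME_RE = re.compile(r"<iframe\b", re.IGNORECASE)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")  # long base64-looking runs

def find_injection(content):
    """Return the reasons a file looks injected (appended tail, iframe, hidden base64); [] = clean."""
    reasons = []
    end = content.lower().rfind("</html>")
    if end != -1 and content[end + len("</html>"):].strip():
        reasons.append("content appended after </html>")
    if IFRAME_RE.search(content):
        reasons.append("iframe tag present")
    for blob in BASE64_RE.findall(content):
        try:
            decoded = base64.b64decode(blob, validate=True).lower()
        except ValueError:
            continue  # not valid base64 (e.g. a hash or token): ignore
        if b"<iframe" in decoded or b"eval(" in decoded:
            reasons.append("base64 blob decodes to markup/script")
            break
    return reasons

def scan_tree(root):
    """Walk a site tree and return {relative path: reasons} for suspicious index.* files."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if INDEX_NAMES.match(name):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    reasons = find_injection(fh.read())
                if reasons:
                    findings[os.path.relpath(path, root)] = reasons
    return findings

def demo():
    # Constructed sample: a clean index.html and an index.php with a payload appended after </html>.
    clean = "<html><body>Hello</body></html>\n"
    hidden = base64.b64encode(b'<iframe src="http://example.invalid/x" width=0></iframe>').decode()
    injected = clean + "<script>document.write(atob('" + hidden + "'))</script>\n"
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("index.php", injected), ("index.html", clean)):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return scan_tree(root)
```

Run it against a copy of the web root pulled down over FTP, then compare flagged files with a pristine WordPress download before deciding what to replace.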
Iframe Injection Attack
11 Ways To Secure Your WordPress Blog
Did your WordPress site get hacked?
Now everything is fine and I am still monitoring my blog and keeping a very close watch on it.
15 Replies to “How my wordpress blog got attacked and restored”
That's a long list of troubles that you faced.. Although I started blogging with WordPress.. this hosting stuff I couldn't understand, so I shifted to Blogger…
There is this debate all over the internet whether WordPress is better or Blogger.. and mostly people conclude that WordPress is a better platform… as it offers better customization (I have no idea about how that is done.. as my knowledge about this hosting stuff is zero)
Can the same thing happen to my Blogger-hosted blog…. Is Blogger safer as the content is hosted by Google?…
So if there is a virus on my PC can it go to my blog… and then go to other PCs around the world?
If yes… how can this be prevented…
Just enjoy your weekend and relax… you can answer my questions whenever you find time… In the meanwhile I will check your related links
RAJENDARAN, YOU REALLY DID SUPERB WORK… I SALUTE YOUR ATTITUDE TOWARDS YOUR WORK.
The first thing to understand about WordPress is that there are 2 different versions. The first version would be the free, shared-hosting version at wordpress.com, which doesn't support Google AdSense. This is usually the easiest option to get up & running in just a few minutes. The second version is self-hosted and available as a download from wordpress.org. For this version you'd need to purchase your own web hosting space. WordPress' free, shared-hosting version is much better in terms of SEO than Blogger. Not only do blogs show up in WordPress' high-traffic directory, popular tags are often listed in organic search results of Google & Yahoo! linking to the most recent/popular blogs using that tag. WordPress blog posts also tend to show up separately in organic search results more readily than Blogger or any other blogging platform.
Self-hosted Blogs: The Benefits
While many stray away from this option because of the perceived costs, hosting can cost as little as $7 a month. Not to mention, if you’ve already got your own commercial website then you’ve already got hosting! Many hosting providers such as Yahoo! already have the WordPress platform installed; you need only to activate it and choose your template to get started!
The only draw-back to creating a self-hosted blog is initial set-up. While you don’t have to be completely techy, it does help to know things like CSS. It also helps to know a bit about hosting & FTP clients in order to properly install the WordPress platform. Fortunately, there are plenty of tutorials out there that can teach you how to install WordPress into your hosting account, and plug-ins usually come with install instructions as well. If you’re willing to sit down for about 2 hours, you can successfully install a blog that’s fully equipped with SEO built in and ready for the web! And for those who don’t want to bother with the extra hassle of optimizing your blog for the search engines, there are plenty of programs which offer pre-optimized WordPress install packs with the proper plug-ins already incorporated. It may take more time to get up & running than the free, shared-hosting version, but the benefits are far greater!
In my WordPress case the trojan which attacked my PC could probably have stolen my FTP password which I used to log in to my web server, and could have tried to download the index.php files from my web server and modified those files with additional malicious code in them. In other words, it is a code injection attack.
If you view any blog's source code using your own browser and find any suspicious code below the tag, then there is a possibility of malware for the client-side system, i.e. those who are viewing the site; the malicious code may try to harm the visitor by throwing unwanted viruses into their system. These viruses once again may try to look for more FTP passwords and more security-related issues. As per my knowledge, a code injection attack is a very low-intensity attack. Here people will be attacked if their PCs are not properly protected.
It's not a threat to my web server but to those visiting the blog.
Moreover, only self-hosted blogs and websites. In the case of Blogger blogs or shared-hosted blogs, they are considered to be more secure as the Google and WordPress people take more care in scanning their own systems. There is a possibility of such threats only if the blog owner injects the code into his own blog, or if your Blogger account password got stolen from you.. then this type of threat could happen.
Whatever…. I feel secure now…. Let's see. Still I am not closing my eyes now. Just constantly monitoring the issue.
Also check this out – http://www.pcworld.com/article/192000/bad_bitdefender_update_clobbers_windows_pcs.html?tk=rss_news
Awesome man ………….
Thanks for the info, Sri. But if you search for this keyword in Google:
“wp-includes/default-filters.php on line 230” you could find tons of code-injected malicious sites.
On such sites, if a visitor sees the message “This site may harm your computer” pop up when (s)he tries to access your website/blog, (s)he may not return again. Remember that if the security of your website is compromised, it can affect the search engine rankings of the website. Besides, it may pave the way for more sophisticated attacks.
Google will mark your site in its search results with a warning: “This site may harm your computer”.
If there is any history of malware/trojan-affected sites, in case of doubt you can verify it with Google Safe Browsing.
Replace “yoursite” with the corresponding domain before checking Safe Browsing, or else try with Norton SafeWeb.
Nice article on WordPress and Blogger… that pretty much sums up everything I wanted to know about WordPress
I came across your blog a few days back in connection with an Arthemia theme customization issue of one of my visitors. The next day I noticed an iframe attack on your site and discussed this with your friend. Anyway, it is good to see that you have restored the site. Most of us are lazy about preserving the life-saving medicine: backup.
BitDefender has delivered a patch for the same.
This is almost crazy! 😡
Yes, BitDefender accepted the faulty update and issued a patch for that.
In your case, if it was a virus attack then very bad.
But if it was a false positive caused by the buggy update, it is scary. The kind of software that can be pushed in via automatic updates…
Unfortunately my laptop also got affected by the virus. On Saturday, I just opened your website and before I could read your warning about the virus, my system also got infected. In the end I had to reformat it and lost all my valuable data/files. The intensity of the virus was so severe that it disabled my antivirus software and all drives, leaving me with no option but to format the system. Anyhow, congrats for restoring your site.
Ravi, sorry for the inconvenience caused. I too lost most of my data. Still recovering what I had lost.
Thanks for the wonderful stock tips you give in your blog and on stockezy.
I am also using the Arthemia theme for my blog SFIhomebizz.com, hosted on GoDaddy, and I use FileZilla to upload my files. 1 week back I found that some malicious code with lots of numbers and letters was getting added to most of the PHP files. I could not find any answer for this on the internet.
So, I simply removed the malicious code from all the PHP files, but the next day the same code was back. After removing it, again the same code. After 3 times nothing more happened. But just 1 hour back I tried to add a function to functions.php, which showed an error like
Parse error: syntax error, unexpected ‘}’ in /home/content/67/5849767/html/wp-content/themes/arthemia/functions.php on line 10
so I removed the new function code and saved the file, but amazingly the error is still occurring and my blog, on browsing, is showing the same code.
Is there no other choice, like software that checks the faulty code and corrects it, rather than adding the Arthemia theme freshly?
Looking for your sincere advice, Rajandran. You can email me at [email protected] or the email address I am mentioning in the comment form.