Shoutout to 3rd Bass because I want to give the Gas Face to the cybercriminals behind the recent mass attack crippling more than 200,000 pages on over 30,000 unique Web sites, including mine.

Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems. While it is sometimes software, it can also appear in the form of script or code. Malware is a general term used to describe any kind of software or code specifically designed to exploit a computer, or the data it contains, without consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software.   – Wikipedia

I hate malware. I respect hackers, as I used to be one myself, but the intentional crippling of software systems with no regard for the consequences isn't a morally defensible position. That said, if you decide to host a website, whether on your own server or on someone else's, the reality is that you are going to have to deal with malware, both proactively and reactively. So with regard to my own websites, as well as the ones I manage for my clients, I have always taken the following two-pronged position:

  1. Being proactive means doing the best you can to make sure your sites are not open to brute-force attacks, using strong passwords, and so on. A good metaphor is locking the door before you leave the house.
  2. In case of an intrusion, keep regular backups in multiple places. Then, if a site is ever infected, change all passwords (database passwords included), delete everything, and restore from a previous backup. Following the metaphor, this is like burning anything left in the house, changing the locks, and then buying all new stuff.

This strategy has served me well since '95, when I built my first website.

I had my first problem with a compromised website 3-4 years ago, and had been relatively problem-free since. Well, until January 28th, 2012.

We had been hit, along with thousands of others, in a mass intrusion attack focused on WordPress. Not all of the sites we host use WordPress, but many do. All of the ones that do were hit hard. I immediately went into action, changed all the locks, burned all the stuff, and refilled the houses. Within 24 hours all the sites were infected again.

I immediately could tell that this was not going to be a good week.

I then re-executed the above plan, as well as a host of other-worldly ninja acrobatics designed to take security measures even further.  Again, 24 hours later, all the sites were infected again.

Two days shot to heck. Now it's time to get serious.

The next thing I tried was to nuke the entire server, i.e., the technical infrastructure the sites run on (in terms of our metaphor, the neighborhood). Once the fireball dissipated, I built a new neighborhood in its place, complete with new houses stocked full of all new stuff. Now that had to solve the problem.

Nope.    Aaaaaaaaaaaaaaaaaaaaaaargh!

The next two weeks

At this point, I felt like a professional Sim City strategist building and rebuilding sections, and yet it hadn't done any good. I had demolished entire city blocks trying to eradicate the source of this infestation, and yet I hadn't been able to figure out where it was coming from. I then took a fine-toothed comb and started working my way through the rubble, looking for signs of sabotage. As I cleaned sites, one at a time, I would bring them back online. I found that rebuilding sites from the rubble while checking the code individually was doing two things: showing me that there wasn't anything wrong with the individual sections of that code, and giving me a new depth of insight into the inner workings of WordPress. Most importantly, the sites were staying clean. After about a week of this, I found how the malware was getting into the sites. Then I had to figure out how to stop future attempts at co-opting my server.
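The two-pronged strategy above (restore from a clean backup, then comb through the restored files one at a time) is much easier to repeat when the "clean" state is recorded. The script below is an added example, not the author's own tooling or anything from WordPress: it hashes every file under a web root right after a restore, stores that baseline outside the web root, and later reports which files were added, removed, or modified. The directory layout and file contents in `demo()` are constructed for illustration; the manifest location and the SHA-256 choice are assumptions.

```python
"""File-integrity baseline for a restored web root (added example, not the post's code).

Assumed workflow: build a manifest immediately after a clean restore, keep it
outside the web root, then re-run and diff it after any suspicious event. Any
file that changed or appeared without a known deployment is a candidate for
inspection before the site goes back online.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # read files in chunks so large uploads are not loaded whole


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def save_manifest(manifest: dict, dest: Path) -> None:
    """Persist the baseline; dest should live outside the web root (assumption)."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Classify paths as added, removed, or modified relative to the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: clean restore, baseline, then two unexplained changes."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'example');\n")
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")

        baseline_path = Path(tmp) / "baseline.json"  # sibling of, not inside, the web root
        save_manifest(build_manifest(site), baseline_path)

        # Simulated later state: one core file altered, one new file in uploads.
        (site / "index.php").write_text("<?php /* changed */ require 'wp-blog-header.php';\n")
        (site / "wp-content" / "uploads" / "unexpected.php").write_text("<?php // new file\n")

        return diff_manifest(load_manifest(baseline_path), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the real thing by pointing `build_manifest` at the site's document root right after a restore and saving the result somewhere the web server cannot write; a later diff that lists anything under `wp-content/uploads` ending in `.php`, or a modified core file with no matching update, is exactly the kind of lead the fine-toothed comb is looking for.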

By then, I was fairly confident I had eradicated this infestation. I learned a lot over those three weeks, and I'm glad to be able to say that most of my clients never even knew there was a problem, much less felt the pain I was going through on their behalf. So if you have a WordPress site and are having problems figuring out how to get it clean and safe, give me a call. And if you are one of the cyberthugs responsible for this attack, punch yourself in the face. Really.
