Elly Williams' Weblog

Caught Between Industries

Gootloader infection cleaned up

Dear blog owner and visitors,

This blog had been infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisoning. Your blog was serving up 292 malicious pages. Your blog served up malware to 19 visitors.

I tried my best to clean up the infection, but I would do the following:

  • Upgrade WordPress to the latest version (one way the attackers might have gained access to your server)
  • Upgrade all WordPress themes to the latest versions (another way the attackers might have gained access to your server)
  • Upgrade all WordPress plugins (another way the attackers might have gained access to your server), and remove any unnecessary plugins.
  • Verify all users are valid (in case the attackers left a backup account, to get back in)
  • Change all passwords (for WordPress accounts, FTP, SSH, database, etc.) and keys. This is probably how the attackers got in, as they are known to brute force weak passwords
  • Run antivirus scans on your server
  • Block these IPs (5.8.18.7 and 89.238.176.151), either in your firewall, .htaccess file, or in your /etc/hosts file, as these are the attackers' command and control servers, which send malicious commands for your blog to execute
  • Check cronjobs (both server and WordPress), aka scheduled tasks. This is a common method that an attacker will use to get back in. If you are not sure what this is, Google it
  • Consider wiping the server completely, as you do not know how deep the infection is. If you decide not to, I recommend installing some security plugins for WordPress, to try and scan for any remaining malicious files. Integrity Checker, WordPress Core Integrity Checker, Sucuri Security, and Wordfence Security all do some level of detection, but not 100% guaranteed
  • Go through the process for Google to recrawl your site, to remove the malicious links (to see what malicious pages there were, go to Google and search site:your_site.com agreement)
  • Check subdomains, to see if they were infected as well
  • Check file permissions

Gootloader (previously Gootkit) malware has been around since 2014, and is used to initially infect a system, and then sell that access off to other attackers, who then usually deploy additional malware, to include ransomware and banking trojans. By cleaning up your blog, it will make a dent in how they infect victims. PLEASE try to keep it up-to-date and secure, so this does not happen again.

Sincerely,

The Internet Janitor

Below are some links to research/further explanation on Gootloader:

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/

https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

https://www.richinfante.com/2020/04/12/reverse-engineering-dolly-wordpress-malware

https://blog.sucuri.net/2018/12/clever-seo-spam-injection.html
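The notice above leaves the owner two concrete clues: the two command and control addresses to block, and the `site:your_site.com agreement` search that exposes the poisoned pages. The script below is an added example (not the Janitor's or the blog's own code) that turns those clues into an access-log triage: it separates C2 check-ins, victims who arrived at a poisoned page from a Google result, and Googlebot fetches that got the pages indexed. It assumes the server writes Apache/nginx combined-format logs and that the poisoned URLs contain the same keyword; the sample lines are constructed.

```python
import re

# The two command-and-control addresses the cleanup notice asks the owner to block.
C2_IPS = {"5.8.18.7", "89.238.176.151"}
# Keyword from the notice's suggested query (site:your_site.com agreement); assumed
# to also appear in the request path of the poisoned pages.
POISON_KEYWORD = "agreement"

# Apache/nginx "combined" log format (an assumption about the server's logging).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" \d{3} \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def triage(lines):
    """Return (c2_hits, victims, crawled) for combined-format access-log lines:
    c2_hits = (ip, path) of requests from the known C2 addresses;
    victims = client IPs that reached a poisoned page from a Google result;
    crawled = poisoned paths fetched by Googlebot (how the pages got indexed)."""
    c2_hits, victims, crawled = [], set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than crash on debris
        ip, path, ref, ua = m["ip"], m["path"], m["ref"], m["ua"]
        if ip in C2_IPS:
            c2_hits.append((ip, path))
        elif POISON_KEYWORD in path.lower():
            if "google." in ref.lower():
                victims.add(ip)
            elif "googlebot" in ua.lower():
                crawled.append(path)
    return c2_hits, victims, crawled

# Constructed sample traffic (documentation IP ranges, not real log data).
GB = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    '5.8.18.7 - - [01/Mar/2021:10:00:01 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '89.238.176.151 - - [01/Mar/2021:10:05:09 +0000] "GET /index.php HTTP/1.1" 200 88 "-" "curl/7.68.0"',
    f'192.0.2.200 - - [01/Mar/2021:11:00:00 +0000] "GET /rental-agreement-template/ HTTP/1.1" 200 9000 "-" "{GB}"',
    '203.0.113.10 - - [02/Mar/2021:09:12:33 +0000] "GET /rental-agreement-template/ HTTP/1.1" 200 9000 "https://www.google.com/" "Mozilla/5.0"',
    '203.0.113.10 - - [02/Mar/2021:09:12:40 +0000] "GET /rental-agreement-template/ HTTP/1.1" 200 9000 "https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Mar/2021:14:30:02 +0000] "GET /lease-agreement-form/ HTTP/1.1" 200 9100 "https://www.google.co.uk/" "Mozilla/5.0"',
    '192.0.2.5 - - [02/Mar/2021:15:00:00 +0000] "GET /vitruvian-web-design/ HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
    "not a log line",
]

if __name__ == "__main__":
    c2, vic, crawled = triage(SAMPLE_LOG)
    print(f"C2 requests: {len(c2)}, victims: {len(vic)}, crawled pages: {crawled}")
```

Run it against the real log to get the victim count the notice reports and the list of poisoned URLs to submit for removal after the recrawl.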

This message

Validation and Reliance on Third Parties

So, I have a slight problem getting my site to validate at the moment, which I’d appreciate some help figuring out. It goes something like this:

  • WordPress produces XHTML
  • Therefore, this site has a lot of XHTML in it that I can’t control (my php skills are not up to editing anything server-side)
  • del.icio.us automatically posts my link entries as HTML (minus the eX)
  • Therefore, this site also has a lot of HTML in it that I can’t control
  • Some of the XHTML won’t validate as HTML and some of the HTML won’t validate as XHTML
  • Therefore, my site doesn’t validate.

So, I guess my problem is

  • How much does it matter?
  • How much do I care?
  • Can I do anything about it either way?

links for 2007-04-16

Vitruvian Web Design

Somewhere around 25 BC Marcus Vitruvius Pollio wrote his “Ten Books on Architecture”. The most enduring quote from this work (one that architecture/architectural history students all learn fairly early on) is that:

“Well building hath three conditions: firmness, commodity, and delight.”

That is to say, good architecture

  1. must be strong and durable (firmness)
  2. must fulfill a purpose (commodity)
  3. must be beautiful (delight)

According to Vitruvius, any structure that does not meet these basic criteria isn’t architecture – it might be sculpture (if it is beautiful but not useful), it might be some form of utilitarian construction (if it is useful but not beautiful), it might be many other things, but it is not architecture.

Of course, in the past 2000 years many building styles and techniques have come and gone and what constitutes “architecture” may look very different, but these three principles stand regardless of the technology.

Web Design hasn’t been around as long as Architecture, and although the technology is moving fast, we often don’t have the critical distance for any kind of historical/theoretical analysis. But, in this case there’s no need to reinvent. Web Design can also make use of these three conditions.

Regardless of the technology that you use to deliver your websites, if it isn’t stable and future proof then it is lacking ‘firmness’. If a website fulfills no purpose then it is essentially just sculpture. And if your website doesn’t have some positive aesthetic qualities, perhaps, as in architecture, we should say that it is not Web Design.

Refactor, Refurbish, Relocate.

It’s been two and a half years since I last made any significant changes to the look of this place, and seeing as the backend has changed since then and I’ve now switched my domains over, I figured it was time I built something a little more custom.

I’ve kept quite a bit of the branding – the daisy and the shade of orange are the same, but I’ve gone for something much bolder and cleaner – mostly in the look-and-feel but I’ve tidied up ‘under-the-hood’ too.

I also finally got around to adding myself an hCard, which I’ve been meaning to do for at least a year.

Anyway, I’m pretty sure everything’s working the way it should, but if not shout out in the comments.

Welcome to the New Domain

Just in the process of moving things over to the new domain. If anything’s hinky, please shout out in the comments!

links for 2007-03-30

links for 2007-03-29

links for 2007-03-24

Background Noise

So, there’s something that I’ve noticed about Twitter:

To all those people who wonder if the constant stream of other-people’s-consciousness is distracting, the answer is – not really, until it goes away.

I’ve become used to the notifier in the bottom corner of my screen popping up from time to time, but increasingly TwitterIM is down and I find I have to go and manually check if everyone is still around.

Anyone else find this?

links for 2007-03-13

links for 2007-03-07

links for 2007-03-05

links for 2007-03-02

links for 2007-02-28

Elly Williams is an Architecture Student and Web Designer based in Newcastle-upon-Tyne (UK)