It appears that I’ve plugged the leak that was causing this blog to be hacked. I hope.
\n
\nIt began on Friday morning, when I received an email from “Linuxlove” who wrote:<\/p>\n
Tried going to your blog to read the latest Wambooli news but all of the Wambooli blog is cut off by AVG which claims that your blog has a virus “JS\/Downloader.Agent”.<\/p><\/blockquote>\n
And it did! I dumped the raw version of the blog’s homepage and saw the telltale signs of the JS\/Downloader.<\/p>\n
JS\/Downloader is a chunk of Javascript code that’s encrypted, appearing as several lines of hexadecimal numbers or sometimes a long string of values. Then there are a few lines to process that code.<\/p>\n
The processed code becomes HTML instructions that redirects the page to somewhere else on the Internet. Somewhere nasty.<\/p>\n
There were also about 250 links added with the hack, invisible links, links that went out to various pirate sites for downloading movies.<\/p>\n
I use WordPress for my blog, though I’ve customized it somewhat. I saw that the JS\/Downloader was installed in the Header file, so it was easy to remove the malicious code.<\/p>\n
Friday evening, however, the JS\/Downloader script was re-installed. I removed it again and took a more serious look at what could be causing it.<\/p>\n
The first thing I noticed was that two users on the blog had been promoted to Administrator status. They were probably bots, but who knows? I deleted the users and the problems have stopped. So far.<\/p>\n
I’ve also changed all the passwords used by the site, as well as the site’s security keys. The only further step I can take should the attack repeat itself, is to re-install all the software from a fresh version. I am poised to do that should another attack happen \u2014 especially because I have no ideas how the users were able to gain administrator access. It might be an exploit that’s still vulnerable.<\/p>\n