Summary: I was hacked last Saturday night. My nine sites went down. Three days later, everything’s back in order but it was no fun. I hope it never happens to you, but just in case, I’ll document the blow-by-blow below. In the end, an online service called Sucuri put things back in order.
First thing Sunday morning, I dropped in at the Internet Time Alliance water cooler on Skype. Jane had posted a warning that my sites had been hacked in the night.
Google issues alerts like this to warn visitors of malicious sites. I began to get nervous.
I called BlueHost, my ISP. They had backed up my sites around midnight. I asked them to restore everything from the backup. Alas, the hackers had broken in earlier, so the backup was riddled with malware, too.
BlueHost has been a great ISP. They offer all kinds of services and nearly unlimited storage for $10/month. They answer the phone! They are generally very helpful. When I called them back, however, all they could offer were a few pages of general anti-malware advice and the suggestion that I look through my directories for suspicious files. Hmmm. I’ve been online for years. I maintain more than a dozen sites. I have about 28 gigabytes of material in some 90,000 files. Too much to eyeball.
My associate Paul Simbeck-Hampson got on the case, feeding me information on malware he found on the net. I was frantically scanning files on jaycross.com and internettime.com, the sites that seemed to be generating the error messages. Needles in haystacks. This was going nowhere.
I didn’t know what else to do at this point. Sucuri offers a fix-it package for $89 for one site. I had nine sites I wanted to keep. Hence, I signed up for their $290 business deal. I’m glad I did.
Around 3:00 pm, I submitted a Malware Removal support ticket at Sucuri. They emailed me that I needed to complete one ticket per site. Half an hour later, they notified me that I had given them a bad FTP password. I didn’t see the notice until 24 hours later. Half an hour after that, Sucuri was cleaning malware out of the sites and locating obsolete installations of WordPress on my site.
The next day, Sucuri started emailing that this site or that one was free of malware. However, a few of the sites gave me 500 Server Errors or would not let me log in. Sucuri went back to work, looking at file permissions and so on.
The Google alert notices were still up. In fact, they were proliferating. Sites that linked to internettime.com were receiving warnings. My Gmail stopped functioning because it was connected to internettime.com. My wiki was quarantined. I pinged Google to re-check the health of my sites. Then I discovered that it generally takes 10 hours after a site is pristine for Google to take down the warning.
Supposedly, everything is back in working order now. I’ve followed Sucuri’s advice for preventing this in the future.
I’ve spent the better part of three days clearing obsolete material from my sites and looking for prank code. Miraculously, I found a rogue script that had been injected into a .php file and quashed it. Most of the time I felt like I was playing a game in which I only knew half the rules. I was nervous that I’d lose huge swaths of material that I should have backed up — but hadn’t. These three days have been among the least productive of my life. Malshare got all my mindshare.
How did the bad guys get in? I’ll never know. It could have been one of the obsolete versions of WordPress I’d forgotten about. Or a rogue script we’d brought in to handle contact requests. Or a file with the wrong permissions. Heaven only knows.
One site remains off the air. When I try to update a couple of others, I receive Server errors. These are minor annoyances compared to what’s been happening.
I am so glad this nightmare is over.
I’ll be keeping my WordPress installs and extensions up to date from now on.
I recommend Sucuri for dealing with malware. All our correspondence has been through trouble tickets and email but they have been quite responsive.
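The post names three suspects (forgotten WordPress installs on old releases, a file with the wrong permissions, and a rogue script injected into a .php file) and notes that 90,000 files are too many to eyeball. The script below is an added example, not code from the original post or from Bluehost or Sucuri: it walks a hosting document root and reports every WordPress install with its version read straight from wp-includes/version.php (which is what to trust when the dashboard wrongly says "latest version"), every world-writable file or directory, and every PHP file containing a decode-and-eval marker. The fixture directory, the version numbers used for comparison and the placeholder payload are all constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Audit a hosting document root for forgotten WordPress installs, loose file
permissions and injected PHP. Added example; not part of the original post or
of Bluehost/Sucuri tooling. Fixture paths, versions and payload are constructed."""
import re
import stat
import sys
import tempfile
from pathlib import Path

# WordPress records its release as $wp_version = '...'; in wp-includes/version.php.
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")

# Markers typical of injected PHP: a runtime decoder feeding eval(), the old
# preg_replace /e modifier, or assert() executing request input.
SUSPECT_RE = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    r"|preg_replace\s*\([^)]*/e['\"]"
    r"|assert\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)",
    re.IGNORECASE,
)


def version_tuple(v):
    """'2.9.1' -> (2, 9, 1) so releases compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def find_wordpress_installs(root):
    """Map each install directory under root to the version recorded in it."""
    found = {}
    for path in Path(root).rglob("wp-includes/version.php"):
        m = WP_VERSION_RE.search(path.read_text(errors="ignore"))
        if m:
            found[str(path.parent.parent)] = m.group(1)
    return found


def outdated_installs(root, current):
    """Installs older than `current` (the release you compare against; check wordpress.org)."""
    return {d: v for d, v in find_wordpress_installs(root).items()
            if version_tuple(v) < version_tuple(current)}


def world_writable(root):
    """Files and directories that any local user on a shared host could modify."""
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.lstat().st_mode & stat.S_IWOTH)


def suspicious_php(root):
    """(path, matched text) for every PHP file containing a decode-and-eval marker."""
    hits = []
    for p in Path(root).rglob("*.php"):
        m = SUSPECT_RE.search(p.read_text(errors="ignore"))
        if m:
            hits.append((str(p), m.group(0)))
    return sorted(hits)


def build_sample_tree():
    """Constructed fixture: a current install plus an abandoned one carrying an
    injected file, and one config file left world-writable. Returns the root."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "main/wp-includes/version.php": "<?php\n$wp_version = '3.4';\n",
        "main/wp-config.php": "<?php\ndefine('DB_NAME', 'example');\n",
        # legitimate base64_decode with no eval: must not be flagged
        "main/wp-content/plugins/gallery/thumb.php":
            "<?php\n$bytes = base64_decode($_POST['img']);\n",
        "blog/wp-includes/version.php": "<?php\n$wp_version = '2.9.1';\n",
        # injected file; the payload is a placeholder string, not real malware
        "blog/wp-content/uploads/cache.php":
            "<?php\neval(base64_decode('PLACEHOLDER_PAYLOAD'));\n",
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    # Normalise modes regardless of umask, then loosen one file deliberately.
    for p in Path(root).rglob("*"):
        p.chmod(0o755 if p.is_dir() else 0o644)
    Path(root, "main/wp-config.php").chmod(0o666)
    return root


def audit(root, current):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "outdated": outdated_installs(root, current),
        "world_writable": world_writable(root),
        "suspicious_php": suspicious_php(root),
    }


if __name__ == "__main__":
    # Usage: audit.py <docroot> <current-wp-version>; with no args, audit the fixture.
    root = sys.argv[1] if len(sys.argv) > 2 else build_sample_tree()
    current = sys.argv[2] if len(sys.argv) > 2 else "3.4"
    for section, items in audit(root, current).items():
        print(f"== {section} ==")
        for item in (items.items() if isinstance(items, dict) else items):
            print("  ", item)
```

Run it against the account's document root with the current WordPress release as the second argument; an install that turns up in the "outdated" list is a candidate for deletion if it is abandoned, and every "suspicious_php" hit deserves a look at the file's timestamp and the surrounding directory, since the post's re-infection after the first cleanup is exactly the case where a second pass over the same tree pays off.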
It ain’t over til it’s over.
I just discovered that the plug-in that enabled people to share or +1 posts was compromised. It posted legitimate-looking notices to Facebook and Twitter, but the short-links went to ad-spam sites.
Has the plug-in developer and/or WordPress been notified? (I expect they have, which is how you found out, but it’s important that they know so it gets fixed or pulled).
I’ve seen WordPress themes full of spam links, too. They weren’t visible on the site, but were placed in HTML comments, presumably for SEO purposes.
Sadly, this saga continues. I just left this message for Sucuri:
“Bluehost temporarily suspended all of my sites for hosting malware about half an hour ago. They found malicious scripts on several of the sites you just told me were clean.
I got through to the Bluehost Terms of Service team who were kind enough to help me delete the bad files and restore my sites.
I examined the files and found that they did contain malicious scripts. How could you tell me the sites were okay? Specifically, you wrote that “Your site is now clean and malware-free. We have also submitted the site for Google blacklist status review.”
You were wrong, and I’d like an explanation.”
Things have been quiet for three days now. No malware flags. I think what happened last week is that the bad guys returned after Sucuri had cleaned house and re-infected a number of files.
I had an abandoned blog still back on WordPress 2.9.1, a version that’s known to have security problems. Whenever I pressed the Update button, it informed me I had the latest version. Well, I didn’t.
Now every piece of software on my sites is 100% up to date. All passwords have been changed. My fingers are crossed that I can be at peace for a while.
Sounds familiar… I could have written that exact same post. And I just had another issue this morning, strange thing… my issue happened right around the same time as yours… are you thinking of switching from Bluehost? Sucuri has been awesome so far.