Mar 10 2022

Gootloader infection cleaned up

Dear blog owner and visitors,

This blog had been infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisioning. Your blog was serving up 378 malicious pages. Your blogged served up malware to 7556 visitors.

I tried my best to clean up the infection, but I would do the following:

  • Upgrade WordPress to the latest version (one way the attackers might have gained access to your server)
  • Upgrade all WordPress themes to the latest versions (another way the attackers might have gained access to your server)
  • Upgrade all WordPress plugins (another way the attackers might have gained access to your server), and remove any unnecessary plugins.
  • Verify all users are valid (in case the attackers left a backup account, to get back in)
  • Change all passwords (for WordPress accounts, FTP, SSH, database, etc.) and keys. This is probably how the attackers got in, as they are known to brute force weak passwords
  • Run antivirus scans on your server
  • Block these IPs (5.8.18.7 and 89.238.176.151), either in your firewall, .htaccess file, or in your /etc/hosts file, as these are the attackers command and control servers, which send malicious commands for your blog to execute
  • Check cronjobs (both server and WordPress), aka scheduled tasks. This is a common method that an attacker will use to get back in. If you are not sure, what this is, Google it
  • Consider wiping the server completly, as you do not know how deep the infection is. If you decide not to, I recommend installing some security plugins for WordPress, to try and scan for any remaining malicious files. Integrity Checker, WordPress Core Integrity Checker, Sucuri Security,
    and Wordfence Security, all do some level of detection, but not 100% guaranteed
  • Go through the process for Google to recrawl your site, to remove the malcious links (to see what malicious pages there were, Go to Google and search site:your_site.com agreement)
  • Check subdomains, to see if they were infected as well
  • Check file permissions

Gootloader (previously Gootkit) malware has been around since 2014, and is used to initally infect a system, and then sell that access off to other attackers, who then usually deploy additional malware, to include ransomware and banking trojans. By cleaning up your blog, it will make a dent in how they infect victims. PLEASE try to keep it up-to-date and secure, so this does not happen again.

Sincerly,

The Internet Janitor

Below are some links to research/further explaination on Gootloader:

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/

https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

https://www.richinfante.com/2020/04/12/reverse-engineering-dolly-wordpress-malware

https://blog.sucuri.net/2018/12/clever-seo-spam-injection.html

This message


May 6 2010

30 Days Begins

Just to set up the story a little bit:  I moved out of my house near San Francisco’s “famous” Haight-Ashbury district at the end of March, and recently put my deposit down on a new and amazing live-work spot in the Mission district which I’ll be using as a photo studio.  Problem is, I don’t move into my new place until the beginning of June.  So, I spent the month of April driving my lovely girlfriend Liz totally nuts by living at her place out in the east bay, so I bought some train tickets:

For $580, I can take twelve trains all over the country for a month.  There is a little bit more to it than that…  the restrictions come from the way Amtrak schedules trains and not from any fine print, but I’m sure I’ll talk about that in another post.

Starting from Oakland, I’m taking a train down the coast (the Coast Starlight) to Los Angeles, stick around for a couple of days, and then board a train to San Antonio, Texas.  I’m bumming a ride to Austin with my friend Nicole, where I’ll spend the weekend, and then hopping on a train from Austin back to San Antonio on Monday evening, where I’ll meet a train to New Orleans.  I’ll be in New Orleans for almost a week, and then I’m off to Washington, DC.  From DC, it’s New York City, Boston, Chicago, Detroit, back to Chicago, then all the way across the top of the country to Seattle, down to Portland, and finally, a leg back to Jack London Square in Oakland.

Hard time visualizing? I drew on one of Amtrak’s rail maps with the brush tool in Photoshop:

The colors roughly represent what week I’ll be where, but I don’t have seats booked after I get to New York City.

What’s the goal of this project?  I wish I had a deeper meaning thought out, but for the most part, it’s because I can.  I don’t have to pay rent for the month, so I can afford to do this.  I’m a full-time professional photographer, so I can justify it.  Half the pins in that map I’ve never been to, and I’d like to fix that.  I’m also preserving Liz’s sanity so she can fervently watch the hockey playoffs without my constantly asking her what’s happening.

At the end of the trip, I’ll have a glut of images that I’ll do a few things with.  The more commercial images I’ll submit to my stock agency, Getty Images, or Getty’s microstock subsidiary, iStockPhoto, because ultimately they pay my rent and my bills.  (Those links go to my portfolios on the respective sites for those curious)  The more artistic and documentary images I’ll save for a likely art show and/or book.

Everything else I’ll figure out as I go along!