That’s a scary message, right?

I received a frantic message from a client who self-hosts several websites. Google and other browsers would show a scary malware warning to users trying to reach the websites. It took some time to search for clues and identify the suspicious code. Luckily there were many backups, so I was able to pull clean versions to reinstall, run some checks, then signal Google and other security sites to rescan and give the all-clear. The funny thing was that the problem would occur again within a few days. So I’d examine all the code, go through the restoration process, etc. And the warning happened yet again!

At least now I know that I’m not crazy. I kept cleaning up corrupted files and the problem would reappear. It turns out there’s a new scary malware hack that is infecting and re-infecting websites. Worse, there’s a ransomware component, so some unlucky victims may have to pay in the hope of recovering all their content.

This particular malware tries to infect every .js file it can reach. This means that if you host several domains on the same hosting account, all of them can be infected, a pattern known as cross-site contamination.

For this client, I’ve patched everything and I’m watching for signs of re-infection. There’s no definitive solution yet other than patching, securing and monitoring. No one has determined what is allowing this to happen; it could be WordPress core files, a poorly written plugin, a poorly coded theme, a hosting server vulnerability, or a combination of these.

A Content Management System like WordPress is intended to make it easier to create and manage a website. Unfortunately it has become so popular that it is continuously targeted for exploits.

It’s so friggin frustrating how stupid nonsense like this makes life hard for us ordinary folk — it’s always the small business owners that suffer the most from this stupid behavior.

Typically, I set up each client I provide managed web hosting for on a separate server, as a precaution against this kind of cross-contamination. Patching, ongoing backups and daily scans seem to keep those sites clean (knock on wood).
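As an added example (not from the original post), here is a small Python integrity check of the kind a daily scan could run: it hashes every .js file under each hosted site’s directory and reports anything modified or added since a clean baseline, which is exactly the re-infection signal described above. The site names, paths and simulated tampering in demo_run are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_js_files(roots):
    """Map '<site dir>/<relative path>' -> SHA-256 for every .js file under each root.
    Pass each co-hosted site's directory as a root so a change in any of them is
    caught, not only in the site where the browser warning was first noticed."""
    digests = {}
    for root in roots:
        root = Path(root)
        for path in sorted(p for p in root.rglob("*.js") if p.is_file()):
            key = f"{root.name}/{path.relative_to(root).as_posix()}"
            digests[key] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def compare(baseline, current):
    """Classify .js files as modified, added or removed relative to a clean baseline."""
    return {
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo_run():
    """Constructed scenario: two co-hosted sites with a clean baseline, after which one
    site's script is altered and a stray .js file appears in the other site's tree."""
    with tempfile.TemporaryDirectory() as tmp:
        site_a, site_b = Path(tmp, "site-a"), Path(tmp, "site-b")
        for site in (site_a, site_b):
            (site / "wp-content" / "themes" / "demo").mkdir(parents=True)
            (site / "wp-includes").mkdir()
            (site / "wp-includes" / "jquery.js").write_text("/* constructed clean file */\n")
            (site / "wp-content" / "themes" / "demo" / "main.js").write_text("console.log('ok');\n")
        baseline = hash_js_files([site_a, site_b])
        # Simulated tampering (constructed, not real malware): a line appended in one
        # site and a new file dropped in the other, the cross-site pattern from the post.
        with open(site_a / "wp-includes" / "jquery.js", "a") as fh:
            fh.write("/* constructed appended marker */\n")
        (site_b / "wp-content" / "uploads").mkdir()
        (site_b / "wp-content" / "uploads" / "extra.js").write_text("// constructed new file\n")
        return compare(baseline, hash_js_files([site_a, site_b]))

if __name__ == "__main__":
    for kind, files in demo_run().items():
        print(f"{kind}: {files}")
```

In real use the baseline would be taken right after a clean restore and stored off the web server, and any non-empty "modified" or "added" list would be the trigger to investigate before the browsers flag the site again.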

Why did this happen? What can I do?

I’ve previously outlined what you should do if your website was hacked. This video from Google may also be helpful. (Fast forward to 1 minute 45 seconds.)