27
Feb 22

Gootloader infection cleaned up

Dear blog owner and visitors,

This blog had been infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisioning. Your blog was serving up 297 malicious pages. Your blogged served up malware to 19 visitors.

I tried my best to clean up the infection, but I would do the following:

  • Upgrade WordPress to the latest version (one way the attackers might have gained access to your server)
  • Upgrade all WordPress themes to the latest versions (another way the attackers might have gained access to your server)
  • Upgrade all WordPress plugins (another way the attackers might have gained access to your server), and remove any unnecessary plugins.
  • Verify all users are valid (in case the attackers left a backup account, to get back in)
  • Change all passwords (for WordPress accounts, FTP, SSH, database, etc.) and keys. This is probably how the attackers got in, as they are known to brute force weak passwords
  • Run antivirus scans on your server
  • Block these IPs (5.8.18.7 and 89.238.176.151), either in your firewall, .htaccess file, or in your /etc/hosts file, as these are the attackers command and control servers, which send malicious commands for your blog to execute
  • Check cronjobs (both server and WordPress), aka scheduled tasks. This is a common method that an attacker will use to get back in. If you are not sure, what this is, Google it
  • Consider wiping the server completly, as you do not know how deep the infection is. If you decide not to, I recommend installing some security plugins for WordPress, to try and scan for any remaining malicious files. Integrity Checker, WordPress Core Integrity Checker, Sucuri Security,
    and Wordfence Security, all do some level of detection, but not 100% guaranteed
  • Go through the process for Google to recrawl your site, to remove the malcious links (to see what malicious pages there were, Go to Google and search site:your_site.com agreement)
  • Check subdomains, to see if they were infected as well
  • Check file permissions

Gootloader (previously Gootkit) malware has been around since 2014, and is used to initally infect a system, and then sell that access off to other attackers, who then usually deploy additional malware, to include ransomware and banking trojans. By cleaning up your blog, it will make a dent in how they infect victims. PLEASE try to keep it up-to-date and secure, so this does not happen again.

Sincerly,

The Internet Janitor

Below are some links to research/further explaination on Gootloader:

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/

https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

https://www.richinfante.com/2020/04/12/reverse-engineering-dolly-wordpress-malware

https://blog.sucuri.net/2018/12/clever-seo-spam-injection.html

This message


19
Feb 21

Indy dog toy


11
Nov 20

I learned not to feed the trolls 20 years ago, but some days it’s hard. Thank you @GovMikeDeWine for continuing the mask order. When these folks have a loved one die, or survive but have terrible lingering health problems, they will hopefully understand. Stay strong for Ohio.



from Twitter https://twitter.com/fleep

November 11, 2020 at 07:35PM
via IFTTT


11
Nov 20

In memory of my grandfather and with thanks to all veterans today. https://t.co/6QCGLXnpBS



from Twitter https://twitter.com/fleep

November 11, 2020 at 07:22PM
via IFTTT


11
Nov 20

Xenophobic. 😭 https://t.co/cd8exk6P7N



from Twitter https://twitter.com/fleep

November 11, 2020 at 03:06AM
via IFTTT


09
Sep 20

I just backed Attack Surface: audiobook for the third Little Brother book on @Kickstarter https://t.co/avjng2BU0T



from Twitter https://twitter.com/fleep

September 09, 2020 at 07:59AM
via IFTTT


09
Sep 20

“Do not rely on a forwarded Facebook page. Go and investigate the source if you think it sounds too good. It just requires a few extra clicks. Protecting the country’s democracy is worth the effort.” https://t.co/NgkqcPIfWt



from Twitter https://twitter.com/fleep

September 09, 2020 at 07:37AM
via IFTTT


30
Aug 20

Hey @twitter STOP CHANGING MY PREFERENCE, I ALWAYS WANT TO SEE THE LATEST TWEETS. Jeez. Sorry for yelling.



from Twitter https://twitter.com/fleep

August 30, 2020 at 09:04AM
via IFTTT


18
Aug 20

“Research shows that nearly 20 percent of US college and university students lack a reliable device or service with which to access the internet..” https://t.co/L0VwBIrqAq



from Twitter https://twitter.com/fleep

August 18, 2020 at 01:12PM
via IFTTT


08
Jul 20

☹☹☹☹☹☹☹☹☹ https://t.co/AjK3PwyMhL



from Twitter https://twitter.com/fleep

July 08, 2020 at 11:10AM
via IFTTT