So where the hell have I been for the past week and a half? Busy, that’s what.
Aside from spending a lot of time exercising and holding viewings for my condo which is on the market, I was hit was a pretty bad virus close to 2 weeks ago, as the title suggests.
This was not a virus of the medical nature, but rather a virus on my computer and websites. I would have probably preferred the former after all the work I had to do.
It all started on March 19th. I had done a little bit of work during the day, and then went to take a TV break. When I returned to visit my blog, I noticed that it was down and replaced with a one-line error. I wasn’t too phased by this as I figured it was just a bug with one of the plugins or something. However, the more I looked into the issue, the more dirt I found.
But when I replaced the affected files, my blog was still showing signs of illness. I then noticed that it had also infected my .js files. This caused me a bit of concern as previously such injection exploits usually only targeted my actual posts – only being able to inject itself inside my blog’s MySQL database.
Having patched up the major occurrences of the damage – my blog was functioning 99% as normal – I left my computer to go see a friend. The next day, I saw several e-mails from visitors of my various websites saying that they were getting warnings from their anti-virus programs that my sites contained trojans and viruses. Damn.
Other sites of mine were simply completely broken. While the virus had simply appended itself to the end of many files, it had also completely overwritten some .js files, which explained why some of my sites were completely broken or buggy.
This would have been no big deal if I only ran a couple sites, or even 4 or 5, but I have around 50 websites! Not domains – websites. And some of them are quite large and complex, making fixing them very time consuming and a huge pain.
Simply put, my whole network of sites were basically hacked with an automated virus.
The worst part though, was not that my sites were buggy or completely broken in many cases. It was the fact that my visitors were getting warnings that my sites were malicious and contained trojans and viruses. While many visitors can correctly assume that this was due to a temporary hack of some kind, some visitors are so scared that they simply leave as fast as they can and don’t return.
While most of my traffic has returned to normal levels, I have noticed a bit of a drop in traffic on my movie forum. I plan on sending a newsletter out soon to explain what happened and to try to get those who fled to return.
How It Happened
Around 3 weeks ago, I discovered than I had a virus on my computer. It was a particularly bad one which really messed up my computer (it wouldn’t let me run any executables, for example).
I managed to open my browser to send my friend (and ex-programmer) Zeeshan an e-mail asking for help. Fortunately, he popped on MSN soon thereafter and then connected to my PC via TeamViewer to fix it for me. Zeeshan is a computer guru when it comes to security and anything technical (he has a Masters in Computer Science), and has fixed my computer several times before, so I was confident that he could help me again.
After 30 minutes or so, he managed to fix it for me and I was once again able to run my programs. Life went on fine, until about a week later when I noticed all my sites had been ‘hacked’. I had ran a scan of AdAware on my computer to make sure it was clean after Zeeshan fixed it, but it came up empty. However, I downloaded another anti-virus program and it found around 14 highly malicious trojans and viruses on my computer!
I put 2 and 2 together, and realized what happened. My PC was infected with a bunch of nasty viruses and trojans, one of which automatically logged into my SmartFTP program and then transferred itself to all of my websites. Since SmartFTP stores past login sessions within the program, the virus was able to connect to all of my sites.
It’s funny. We all take precautions to secure our servers, choosing good passwords and keeping software up to date and well-coded, but are often less diligent in keeping our home computers secure as we don’t always think of the direct relationship between the two.
While I password-protect all of my important documents and always make sure I am on a SSL connection when entering my credit card information or doing anything as important as that, I never thought of the possibility of getting a virus which would log into my FTP client in order to grab stored session data. It just never crossed my mind.
Anyhow, that’s how it happened – I got a virus on my PC (which I think I got from downloading music to listen to while exercising for my weight loss challenge) which then transferred itself to all of my sites by using the stored sessions in my FTP client.
After finding out all my sites were infected, I set up triage and focused on fixing my biggest sites first.
After I got them up and running to a decent degree, I then spent a long time removing all instances of the virus I could find. But with around 50 sites, this proved to be much too time consuming and frustrating, so I asked for help from my host, HostGator.
Their security team was great in helping me out, and ended up fixing all the rest of my sites for me, completely wiping out all instances of the virus. It helped that I had the foresight to set up daily, weekly, and monthly CRON backup jobs
HostGator is just such a great company and has pretty much as perfect support as you could ever wish for (no exaggeration). In fact, I think that switching to HostGator was the best decision I made in 2009. If you’re looking for a host or are unhappy with your current one, I highly recommend them.
Before fixing my sites, the security team at HostGator provided me with a list of things I should do in order to clean my computer. Below are steps 1 and 2, which ended up finding and cleaning the viruses and trojans on my computer that AdAware simply had no idea about:
Here is a list of steps that you can take to ensure your sites remain secure:
1. Use the following online vulnerability scanner and ensure your software is up-to-date: http://secunia.com/vulnerability_scanning/online/?task=load
2. Download anti-virus and fully scan your PC for malicious files. Here are some free online scanners for Windows, which is typically the most vulnerable to infection. If you have a different OS, there are similar programs that can be located and run on your system to protect it in the same way:
- MalwareBytes (http://www.malwarebytes.org/) and
- ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) have been reported to be able to clean a recent strain of malware that resists detection by almost all other anti-virus agents. It is highly suggested that you one or both of them and one of the following:
I highly recommend for everyone to run #1 right now. I did, and I had completely forgotten that I had disabled Windows Update 6 months ago (as I was sick of it constantly wanting me to update and then reboot my computer) when I saw that I had a ton of Windows Updates (including many security patches) to upgrade to.
It also found many other out-of-date software updates on my computer, including easy access to the free links to upgrade them.
I also downloaded and ran MalwareBytes, which I recommend as well, as it was able to find those 14 viruses and trojans on my computer that AdAware simply had no idea about. All those links are free scanners that will scan and clean your computer of any viruses or trojans.
Moral of the Story
I think that there are two main lessons to be learned here:
1. Keep Your Computer Secure
Regularly scan your computer for viruses and trojans, preferably using 2 different programs as a failsafe, and keep your software (especially your OS) up to date as there are constantly security exploits that are being discovered.
A hacked computer doesn’t just mean the possible wiping out of your PC’s data anymore – it can include all of your websites (not to mention the stealing of credit card numbers and banking information).
2. Back Up! Back Up! Back Up!
One of the most important things you can do as a website owner is to have regular backups made of all of your sites. Set your server up so that you have daily, weekly, and monthly backups made automatically, and then download some of those onto your PC or onto another off-site server once in a while as well, just in case something happens to your server.
I can’t tell you how many times I’ve had to rely on my backups in order to completely restore my websites. This is not to be understated: backing up is absolutely crucial.