I’m Back After a Nasty Virus

March 31, 2010 Posted by Tyler Cruz

So where the hell have I been for the past week and a half? Busy, that’s what.

Aside from spending a lot of time exercising and holding viewings for my condo which is on the market, I was hit with a pretty bad virus close to 2 weeks ago, as the title suggests.

This was not a virus of the medical nature, but rather a virus on my computer and websites. I would have probably preferred the former after all the work I had to do.

It all started on March 19th. I had done a little bit of work during the day, and then went to take a TV break. When I returned to visit my blog, I noticed that it was down and replaced with a one-line error. I wasn’t too fazed by this as I figured it was just a bug with one of the plugins or something. However, the more I looked into the issue, the more dirt I found.

I knew that what was causing my blog to malfunction was the injection of a Javascript snippet at the end of my index.php page as well as several other vital PHP files. I’ve actually encountered things like this on my blog before, so it wasn’t too big a deal to me – I was sure that the malicious code was injected through some WordPress code or plugin exploit of some kind.

But when I replaced the affected files, my blog was still showing signs of illness. I then noticed that it had also infected my .js files. This caused me a bit of concern as previously such injection exploits usually only targeted my actual posts – only being able to inject itself inside my blog’s MySQL database.

Having patched up the major occurrences of the damage – my blog was functioning 99% as normal – I left my computer to go see a friend. The next day, I saw several e-mails from visitors of my various websites saying that they were getting warnings from their anti-virus programs that my sites contained trojans and viruses. Damn.


The Damage

I went to look at my network of sites, only to discover that all of them were infected with the same malicious Javascript that had plagued my blog.

Some of my sites were somewhat operable, in that most of the content was still viewable, but certain areas were broken such as most things that had anything to do with Javascript/AJAX.

Other sites of mine were simply completely broken. While the virus had simply appended itself to the end of many files, it had also completely overwritten some .js files, which explained why some of my sites were completely broken or buggy.

This would have been no big deal if I only ran a couple sites, or even 4 or 5, but I have around 50 websites! Not domains – websites. And some of them are quite large and complex, making fixing them very time consuming and a huge pain.

Simply put, my whole network of sites was basically hacked with an automated virus.

The worst part though, was not that my sites were buggy or completely broken in many cases. It was the fact that my visitors were getting warnings that my sites were malicious and contained trojans and viruses. While many visitors can correctly assume that this was due to a temporary hack of some kind, some visitors are so scared that they simply leave as fast as they can and don’t return.

While most of my traffic has returned to normal levels, I have noticed a bit of a drop in traffic on my movie forum. I plan on sending a newsletter out soon to explain what happened and to try to get those who fled to return.

How It Happened

Around 3 weeks ago, I discovered that I had a virus on my computer. It was a particularly bad one which really messed up my computer (it wouldn’t let me run any executables, for example).

I managed to open my browser to send my friend (and ex-programmer) Zeeshan an e-mail asking for help. Fortunately, he popped on MSN soon thereafter and then connected to my PC via TeamViewer to fix it for me. Zeeshan is a computer guru when it comes to security and anything technical (he has a Masters in Computer Science), and has fixed my computer several times before, so I was confident that he could help me again.

After 30 minutes or so, he managed to fix it for me and I was once again able to run my programs. Life went on fine, until about a week later when I noticed all my sites had been ‘hacked’. I had run a scan of AdAware on my computer to make sure it was clean after Zeeshan fixed it, but it came up empty. However, I downloaded another anti-virus program and it found around 14 highly malicious trojans and viruses on my computer!

I put 2 and 2 together, and realized what happened. My PC was infected with a bunch of nasty viruses and trojans, one of which automatically logged into my SmartFTP program and then transferred itself to all of my websites. Since SmartFTP stores past login sessions within the program, the virus was able to connect to all of my sites.

It’s funny. We all take precautions to secure our servers, choosing good passwords and keeping software up to date and well-coded, but are often less diligent in keeping our home computers secure as we don’t always think of the direct relationship between the two.

While I password-protect all of my important documents and always make sure I am on an SSL connection when entering my credit card information or doing anything as important as that, I never thought of the possibility of getting a virus which would log into my FTP client in order to grab stored session data. It just never crossed my mind.

Anyhow, that’s how it happened – I got a virus on my PC (which I think I got from downloading music to listen to while exercising for my weight loss challenge) which then transferred itself to all of my sites by using the stored sessions in my FTP client.


The Clean-Up

After finding out all my sites were infected, I set up triage and focused on fixing my biggest sites first.

After I got them up and running to a decent degree, I then spent a long time removing all instances of the virus I could find. But with around 50 sites, this proved to be much too time consuming and frustrating, so I asked for help from my host, HostGator.

Their security team was great in helping me out, and ended up fixing all the rest of my sites for me, completely wiping out all instances of the virus. It helped that I had the foresight to set up daily, weekly, and monthly CRON backup jobs 🙂

HostGator is just such a great company and has pretty much as perfect support as you could ever wish for (no exaggeration). In fact, I think that switching to HostGator was the best decision I made in 2009. If you’re looking for a host or are unhappy with your current one, I highly recommend them.

Before fixing my sites, the security team at HostGator provided me with a list of things I should do in order to clean my computer. Below are steps 1 and 2, which ended up finding and cleaning the viruses and trojans on my computer that AdAware simply had no idea about:

Here is a list of steps that you can take to ensure your sites remain secure:

1. Use the following online vulnerability scanner and ensure your software is up-to-date: http://secunia.com/vulnerability_scanning/online/?task=load

2. Download anti-virus and fully scan your PC for malicious files. Here are some free online scanners for Windows, which is typically the most vulnerable to infection. If you have a different OS, there are similar programs that can be located and run on your system to protect it in the same way:

I highly recommend for everyone to run #1 right now. I did, and I had completely forgotten that I had disabled Windows Update 6 months ago (as I was sick of it constantly wanting me to update and then reboot my computer) when I saw that I had a ton of Windows Updates (including many security patches) to upgrade to.

It also found many other out-of-date software updates on my computer, including easy access to the free links to upgrade them.

I also downloaded and ran MalwareBytes, which I recommend as well, as it was able to find those 14 viruses and trojans on my computer that AdAware simply had no idea about. All those links are free scanners that will scan and clean your computer of any viruses or trojans.

Moral of the Story

I think that there are two main lessons to be learned here:

1. Keep Your Computer Secure

Regularly scan your computer for viruses and trojans, preferably using 2 different programs as a failsafe, and keep your software (especially your OS) up to date as there are constantly security exploits that are being discovered.

A hacked computer doesn’t just mean the possible wiping out of your PC’s data anymore – it can include all of your websites (not to mention the stealing of credit card numbers and banking information).

2. Back Up! Back Up! Back Up!

One of the most important things you can do as a website owner is to have regular backups made of all of your sites. Set your server up so that you have daily, weekly, and monthly backups made automatically, and then download some of those onto your PC or onto another off-site server once in a while as well, just in case something happens to your server.

I can’t tell you how many times I’ve had to rely on my backups in order to completely restore my websites. This is not to be understated: backing up is absolutely crucial.
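The two things the post keeps coming back to, the script snippet appended after the closing `?>` of PHP files (and .js files overwritten outright), and the clean backups that made restoration possible, can be turned into a routine check. The following is an added example, not code from the post or from HostGator: it hashes a clean backup copy and the live document root, reports what was added, modified or removed, and flags PHP files that carry a script tag after their last `?>`. The directory layout and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return (added, modified, removed); appended and overwritten files both land in 'modified'."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and baseline[p] != current[p])
    return added, modified, removed


def has_trailing_script(path):
    """True if a PHP file has a <script> tag after its last '?>' (the append-to-end
    pattern from the post). Files with no '?>' are not judged here."""
    with open(path, "rb") as fh:
        data = fh.read()
    end = data.rfind(b"?>")
    return end != -1 and b"<script" in data[end + 2:].lower()


def _write(root, rel, body, mode="wb"):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, mode) as fh:
        fh.write(body)


def demo():
    """Constructed clean/live pair (not real site data) run through both checks."""
    clean, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    files = {"index.php": b"<?php echo 'hi'; ?>\n<html></html>\n",
             "js/app.js": b"function f(){return 1;}\n",
             "inc/db.php": b"<?php $x = 1;\n"}
    for root in (clean, live):
        for rel, body in files.items():
            _write(root, rel, body)
    # Damage applied only to the live copy, mirroring the post: a script tag
    # appended to index.php, app.js overwritten, an unknown PHP file dropped in.
    _write(live, "index.php", b"<script>/* constructed injected snippet */</script>\n", "ab")
    _write(live, "js/app.js", b"document.write('');\n")
    _write(live, "dropped.php", b"<?php\n")
    added, modified, removed = diff_manifests(build_manifest(clean), build_manifest(live))
    flagged = sorted(p for p in added + modified
                     if p.endswith(".php") and has_trailing_script(os.path.join(live, p)))
    return added, modified, removed, flagged
```

Run against a real site, the manifest of the backup is built once and stored off the server, so a later diff shows exactly which files to restore from that backup rather than clean by hand.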

Posted: March 31st, 2010 under My Websites  

45 Responses to “I’m Back After a Nasty Virus”

  1. Man that’s horrible. I just started blogging but I definitely need to keep backing up in mind. There have been a few posts I’ve read about automated backups, maybe I’ll research that more in-depth now!

    Glad to hear you are up and running again Tyler!

  2. SEO Tricks says:

    I also got a virus yesterday called total virus defender while browsing a website, i have no idea how it installed on my computer right away but luckily i removed it!

  3. Wesley says:

    These viruses are getting trickier and trickier. Luckily they’re still not smart enough to go by undetected. A smart virus would simply inject its own ads in the system only for a small percentage of the visitors (and wouldn’t take the site down in the process).

    Thinking about it, theoretically, a virus could be created that logs in to your godaddy account (if passwords are saved in the browser), and transfer all your domains to the attacker. That would be catastrophic.

    Anyway, won’t happen to me since I’m on a mac, maybe it’s time for you to switch completely? 🙂

  4. PPC Icon says:

    Ouch I feel for you man. I’ve had a pc completely die on me several times after a virus from a webpage crippled it. Reformatting was quicker than hunting it down.
    I agree Hostgator are great, anytime I break something they fix it very quickly 🙂

  5. CoreBloggers says:

    Completely agree with you, i have faced this problem already and since then i regularly backup all my sites.

  6. Money Making says:

    I think this is the best post you have made in a long time. It should help a lot of people. Thanks.

  7. Gary says:

    Wow, that’s crazy dude. Glad you’re back up and running that must’ve been stressful. I miss my days of dealing with spyware/viruses after switching to a Mac after my Dell laptop finally crapped out on me. It’s been smooth sailing ever since.

  8. Will says:

    There are many good lessons to keep in mind here.

    Have you ever thought about getting a Mac?

  9. Mike Stamatelos says:

    Java virus? Horrible situation. If you’re anything like me, though, I can’t just switch over to Mac. With the regimen you suggested any Windows PC can be safe.

    I know this is unrelated but I wanted to throw this out there since it has to do both with the fact of being young and of being an entrepreneur: a local radio station called The American Entrepreneur is hosting two young kids who own successful companies next Friday (April 6) from 3 to 6 EST on http://www.TAEradio.com. Thought you and your readers might enjoy it.

    All the best,
    Mike

  10. Wesley says:

    Thinking about it, I guess these ftp programs should offer a little more security as well and require a password to open the program. With that password they can then simply encrypt all FTP site details which would have prevented this attack. Maybe there is already such a FTP program or you should send it in as a feature request.

  11. This is something we often take for granted. I’m going to spend some time now backing up.

  12. Trojans and Viruses are so 80’s !!! Sorry u had that problem. Ever since I built my own pc from scrap and installed Ubuntu, this has been the best PC by far surpassing a new pc from Dell or HP !! no joke.
    Linux in my experience doesn’t seem to crash or have issues with trojans like windows. The only time I have an issue is with 1 error message telling me to buy a new Hard drive cause I used my old one in this PC. Nothing else seems to go wrong and i don’t need to deal with the virus issues as much. I will eventually get a windows os for another PC I will use for school but in the meantime, this is the biggest anti virus i have = Linux os

    All of that trouble should have made u stop eating, i bet u lost 10lbs!!!!

  13. Soares says:

    Going to scan my computer right now!!!
    Thanks or not for the info Tyler….lol

  14. I hate getting a virus!

  15. used tires says:

    Wow, that was quite a major attack you took. Glad you were able to get back up on your feet again. Funny graphic depiction of the sequence though!

    Till then,

    Jean

  16. used tires says:

    For some reason, my Dell Inspiron’s McAfee virus software never updates its definitions. Did you have that problem too?

    Till then,

    Jean

  17. rent books says:

    don’t forget there are a few word-press plugins that can help like Antivirus for WordPress, they let you scan all of the files and suspicious code. Also they will email you if you get any suspicious files in the database. Also I recommend the database backup, just in case it gets real bad. glad you got it fixed.

    Paul

  18. Thanks for reminding me. I upgraded to Windows 7 and forgot to install an antivirus. Time to install that now.

    -Paul

  19. Oh man, what a horror story. But thanks for sharing this. Guess what, I am off to checking my machine for viruses immediately.

    HP

  20. Mike Stamatelos says:

    Amendment to my previous comment: that radio show is on April 9, not 6.

  21. Hi guys,

    When I first saw the title I assumed that you were sick. But it was your computer. I hate viruses. I make sure that I scan my computer everyday. I’m glad that you were able to fix your computer. Welcome Back!!!

    Kind regards,

    Sam
    X

  22. […] issues with all of his sites on his server and had his network go down as well he has written a post regarding this experience which rather than a datacenter issue (Tylerhosts with Hostgator someones […]

  24. dubweiser says:

    Valuable piece, lots of lessons to learn 🙂

    What is the best way of fighting with spyware?

  25. Boxing Bags says:

    Sorry to hear it man that is really horrible

    I am glad to hear you praise Hostgator so much since I use those guys for all my sites too

    AL

  26. Taj says:

    I actually browsed to your homepage today (about 90 minutes ago) and saw a php error. The page was all white with about 2 lines of code showing.

    I then viewed your site using the google cache – 10 seconds later my AntiVirus detected a virus on my PC.

    I hope this isn’t the same virus; I have uninstalled my FTP program just in case. Maybe it’s too late.

    Do you think the virus needed you to open your FTP program or could it launch it itself?

    Taj

    • got same php prb yesterday.. but refreshed and found nothing.. may be there was some sort of update was goin on. but received no malware warning.. may be you’ve got virus from any other site which you might have had open at the same time.. isn’t that so?

      I use filezilla and hope it’s more secure than cuteftp and smart etc.. is it?? hehe

    • Tyler Cruz says:

      Unfortunately the virus did re-embed itself the other day. It has since been removed and shouldn’t occur again. See, after the first time we removed it, I was a moron and too stubborn to change all my server passwords. I have changed them all now so hopefully this won’t reoccur.

  27. Cheat Codes says:

    Oh i see now I know the reason of leaving this site from world wide web. I think now caroline is having a problem too

  28. Ouch! thanks for informing us Tyler, I hope this will not happen to me 🙁

  29. Big fan of Malwarebyte’s anti-malware software.

    Bryan

  31. Charles says:

    Good tips I think I should do it now cause I never did a back up since I started.

  33. Job Search says:

    That was a terrible situation where all your sites have been infected. I should backup often from now on..hehe

  34. […] Tylercruz, this person managed to comment as “SEO Tricks” and I would link to the original […]

  35. Hostgator has indeed been a great help. My account was hacked a few months ago and all my 7 blogs are infected.

    As I am not a technically sound person, I went to the support of Hostgator and they simply clear everything for me.

    As what you have stated above, they also recommended me to download some antivirus software to scan for virus on my computer and everything then go back to normal again.

    From then on, I always backup my data once every week.

  36. I think if you integrated this within Facebook and had like a Vs. match up against your friends and got notifications like “You’re friend Rob has hit level 4 in Robotwarz” or something of that nature; it could be a big game, I’m looking forward to playing it.

  37. Ha, that is great you got the problem fixed. Ironic that you got the virus while downloading music to exercise to for your weight loss gig.

  38. Nice blog here! Also your site loads up very fast! What host are you using?
    Can I get your affiliate link to your host? I wish my site loaded up as
    quickly as yours lol

  39. With having so much content and articles do you ever run into any issues of plagiarism or copyright infringement?

    My site has a lot of unique content I’ve either created myself or outsourced but it looks like a lot of it is popping it up all over the web without my agreement. Do you know any techniques to help prevent content from being stolen? I’d genuinely appreciate it.

  40. I’ll have a look at your link, but is it worth the money?
