Cyclelicious was hacked again last night. Below the fold are details along with info about potential malware on some of your PCs that you should take care of.
First of all, a big thank you to Ted of Utility Cycling, who first brought the hack to my attention. The hack installed malware on visitor PCs, so I took Cyclelicious down as soon as I could — no mean feat, incidentally, doing this from a phone while sitting in a train.
The hack is a variation of the Hilary Kneber / acrossuniverseitbenet malware injection that’s been plaguing all GoDaddy shared hosting customers for the past couple of years. The attackers specifically target GoDaddy — once they’re in, they can easily modify any file on any shared hosting website hosted at GoDaddy. These attacks are a nuisance, but they’re easy to detect and trivial to clean up. I now run a checksum against all of my files several times daily specifically to guard against this kind of attack.
Yesterday’s attack was a dramatic escalation — instead of modifying PHP server files, the attackers directly modified the MySQL database files in which WordPress blog posts are stored. This took a while for me to figure out — by then I was on a bus, but still doing all of this on a phone (and who knew there’s a version of VI for Android?) — until I noticed many of the several thousand blog posts at Cyclelicious had the evil acrossuniverseitbenet redirect. I wrote an SQL command to search for and delete that text, and after that ran to completion and I confirmed the malware redirection was gone, I restarted Cyclelicious at about 9 PM last night. Sucuri Research Blog has more details of this particular hack and the ne’er-do-wells behind it.
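As an added example (not code from this post), here is a small Python scanner and cleaner for the database-level injection described above: it walks rows of WordPress `post_content`, flags `<script>`/`<iframe>` tags whose `src` points off-site, and strips them so the cleaned content can be written back. The allowlisted host, the sample rows and the malware host name are constructed placeholders, not values from the real incident.

```python
import re
from urllib.parse import urlparse

# Hosts this blog legitimately embeds scripts/iframes from (assumed placeholder).
ALLOWED_HOSTS = {"blog.example", "www.blog.example"}

# Matches a <script> or <iframe> element with a src attribute, through its closing tag.
TAG_RE = re.compile(
    r"<(script|iframe)\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)[^>]*>.*?</\1\s*>",
    re.IGNORECASE | re.DOTALL,
)

def is_trusted(src, allowed_hosts):
    """A relative src (no host) is same-origin; otherwise the host must be allowlisted."""
    host = urlparse(src).hostname
    return host is None or host.lower() in allowed_hosts

def injected_tags(post_content, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, src) for every script/iframe whose src points off-site."""
    return [(m.group(1).lower(), m.group(2))
            for m in TAG_RE.finditer(post_content)
            if not is_trusted(m.group(2), allowed_hosts)]

def clean_post(post_content, allowed_hosts=ALLOWED_HOSTS):
    """Strip off-site script/iframe tags; return (cleaned_html, removed_count)."""
    removed = len(injected_tags(post_content, allowed_hosts))
    cleaned = TAG_RE.sub(
        lambda m: m.group(0) if is_trusted(m.group(2), allowed_hosts) else "",
        post_content)
    return cleaned.strip(), removed

def scan_posts(rows, allowed_hosts=ALLOWED_HOSTS):
    """Map post ID -> list of off-site tags, for rows of (ID, post_content)."""
    report = {}
    for post_id, content in rows:
        hits = injected_tags(content, allowed_hosts)
        if hits:
            report[post_id] = hits
    return report

# Constructed sample rows standing in for wp_posts; the injected tags imitate the
# pattern described in the post, with a placeholder host instead of the real one.
SAMPLE_POSTS = [
    (101, "<p>Ride report from Saturday.</p>\n"
          '<script type="text/javascript" src="http://malware-host.invalid/r.js"></script>'),
    (102, "<p>Clean post with an embedded video.</p>\n"
          '<iframe src="https://blog.example/embed/42"></iframe>'),
    (103, '<p>Another post.</p><iframe src="//malware-host.invalid/f.html" width="1" height="1"></iframe>'),
]

if __name__ == "__main__":
    for post_id, hits in scan_posts(SAMPLE_POSTS).items():
        print(post_id, hits)
```

In practice the rows come from a `SELECT ID, post_content FROM wp_posts` query, and each cleaned body goes back with a parameterized `UPDATE`, after taking a database backup first.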
Malware on your PC
Most of you can probably safely ignore the rest of this post, but there are exceptions. If you run a PC with a slightly older Microsoft Windows with no firewall or security software, pay attention.
What the hack did was redirect many Cyclelicious posts to a fake antivirus scanning website that looks just like a Windows virus alert prompting you to remove infected files.
If you click through the prompt to remove the infected files, you’re actually downloading malware to your PC. If you didn’t pay attention, you may have given Windows permission to install the malware. If you gave the permission, you’re hosed with some fake antivirus software that takes control of your PC with constant (fake) messages of virus infected files and a handy-dandy click to pay the ransom to remove the malware.
This website gives instructions on removing fake antivirus software.