Another Hack

Cyclelicious was hacked again last night. Below the fold are details along with info about potential malware on some of your PCs that you should take care of.

First of all, a big thank you to Ted of Utility Cycling, who first brought the hack to my attention. The hack installed malware on visitor PCs, so I took Cyclelicious down as soon as I could — no mean feat, incidentally, doing this from a phone while sitting in a train.

Test Card - Please Stand By - Technical Difficulties

The hack is a variation of the Hilary Kneber / acrossuniverseitbenet malware injection that’s been plaguing all GoDaddy shared hosting customers for the past couple of years. The attackers specifically target GoDaddy — once they’re in, they can easily modify any file on any shared hosting website hosted at GoDaddy. These attacks are a nuisance, but they’re easy to detect and trivial to cleanup. I now run a checksum against all of my files several times daily specifically to guard against this kind of attack.

Yesterday’s attack was a dramatic escalation — instead of modifying PHP server files, the attackers directly modified the MySQL database files in which WordPress blog posts are stored. This took a while for me to figure out — by then I was on a bus, but still doing all of this on a phone (and who knew there’s a version of VI for Android?) — until I noticed many of the several thousand blog posts at Cyclelicious had the evil acrossuniverseitbenet redirect. I wrote an SQL command to search for and delete that text, and after that ran to completion and I confirmed the malware redirection was gone, I restarted Cyclelicious at about 9 PM last night. Sucuri Research Blog has more details of this particular hack and the ne’er-do-wells behind it.

Malware on your PC

Most of you can probably safely ignore the rest of this post, but there are exceptions. If you run a PC with a slightly older Microsoft Windows with no firewall or security software, pay attention.

What the hack did was redirect many Cyclelicious posts to a fake Anti Virus scanning software website that looks just like a Windows virus alert prompting you to remove infected file.

Fake Virus Alert

If you click through the prompt to remove the infected files, you’re actually downloading malware to your PC. If you didn’t pay attention, you may have given Windows permission to install the malware. If you gave the permission, you’re hosed with some fake antivirus software that takes control of your PC with constant (fake) messages of virus infected files and a handy-dandy click to pay the ransom to remove the malware.

This website gives instructions on removing fake antivirus software.

Once again, a huge thank you to Ted. He runs Bike Shop Hub, Utility Cycling, and Commute By Bike.

5 Comments

  1. I experienced this issue first on a Mac, which merely sent me to a hard-core porn site. I mean “merely” in the sense that I was terrified that I wouldn’t be able to close the window before my female co-worker would turn around and see what was on my screen. But I wasn’t worried about my computer.

    It was at home on my Windows XP machine where wondered exactly how clever this attack was. I had the presence of mind to grab some screen shots while I was closed the affected windows. It was very easy to imagine a less savvy person falling for this ploy. In fact, I had lunch yesterday with a friend who described how he fell for a ploy just like this one–probably the same one.

  2. Sorry to hear about this, Richard. I just upgraded to the newest version of WordPress as I was told that the older versions were getting hacked a lot.

    I hope you’re hack free from here on in.

    Darryl

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.