GeekChunks.Com Is Back Up! You Lose, Malware!


Wow, what a week! If you follow me on Twitter you may already know of my recent battle with malware. On the morning of September 6th, while at work, I received an email from Google and an email from my host stating that GeekChunks.Com had become infected with malicious software or “code”. PANIC! Here is the Google email in its entirety:

Dear site owner or webmaster of geekchunks.com,

We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.

Below are some example URLs on your site which can cause users to be infected (space inserted to prevent accidental clicking in case your mail client auto-links URLs):

http://geekchunks.com/
http://www.geekchunks.com/
http://geekchunks.com/geekery/

Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A//geekchunks.com/

We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn’t monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious advertiser

If your site was compromised, it’s important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:
http://www.stopbadware.org/home/security

Once you’ve secured your site, you can request that the warning be removed by visiting
http://www.google.com/support/webmasters/bin/answer.py?answer=45432
and requesting a review. If your site is no longer harmful to users, we will remove the warning.

Sincerely,
Google Search Quality Team

Note: if you have an account in Google’s Webmaster Tools, you can verify the authenticity of this message by logging into https://www.google.com/webmasters/tools/siteoverview and going to the Message Center, where a warning will appear shortly.

And then from my host:

This is an urgent notice regarding the websites you host in your 1&1 account.

Your websites have been attacked by a third party: Malicious code has been
inserted into your files, which aims to infect the computer of every visitor to
your website (a technique called “drive-by download”).

******************************************************************************
Note: This represents a severe threat to the security of both your data and the
visitors to your sites.
******************************************************************************

We have run an automated analysis and averted the most dangerous consequences of
this attack.

However, further measures on your side are required in order to reactivate your
websites and re-establish the security of your personal data.

Here is a summary of the following:

1.  Analysis of the attack
2.  Consequences of the attack
3.  How to re-establish the presence and security of your websites

******************************************************************************
1.   Analysis of the attack
******************************************************************************
1.1  Criminal hackers have inserted malicious code into some of your files.
This code is built to automatically download a virus on any computer which
browses your website (drive-by download).

1.2  These modifications have been performed using your 1&1 FTP account and
password.

1.3  From this, we conclude that your 1&1 FTP access data was discovered and
compromised beforehand by a virus installed on your local computer.

1.4  You will find detailed information in a text-file on your 1&1 webspace.
This file contains an excerpt of the malicious code and a list of infected files.

******************************************************************************
2.   Consequences of the attack
******************************************************************************
2.1  Your sites represented an imminent danger to all your visitors. A Google
search for your domain may show the alert: “This site may harm your computer.”

2.2  The affected parts of your sites are no longer accessible, as we have
disabled the infected files.

2.3  As the hackers spied out your 1&1 FTP access data, we have set the
password for your 1&1 FTP access to a secure random value.

2.4  Please note that hackers may also have compromised other passwords by means
of the same virus.

2.5  The starting point of this attack is likely a virus on a computer, which
spies out data. The affected computer may be yours or any other computer you
used to log on to your 1&1 FTP account.

******************************************************************************
3.   How to reestablish the presence and security of your websites
******************************************************************************
First delete the virus on the computer which spied out the access data. Then
change your passwords. Finally, you are ready to put your websites back on-line
again. Here are the steps to follow in detail:

3.1  In order to delete the virus and to be protected from future infections,
1&1 recommends Norton Internet Security which you can sign up for in your 1&1
Control Panel.

Other recommended products are:
- Spyware Doctor:
http://www.pctools.com/spyware-doctor/
- Lavasoft Ad-Aware
http://www.lavasoft.com/products/ad-aware_se_personal.php
- MacScan (for MAC users)
http://macscan.securemac.com/download.html

Please note: Currently there is no software that detects all known viruses.
Scientific studies show that only about 70% of the active viruses are detected.
Thus consider reinstalling your operating system if no virus is found.

3.2  Subsequently, change the password to your 1&1 FTP access via your 1&1
Control Panel.

3.3  As the virus may have spied out other access data as well, also change all
your other passwords. Think for example of the passwords for your
- 1&1 Control Panel
- your e-mail accounts
- your online banking account
- your accounts at eBay, Amazon, PayPal and others

3.4  Delete all malicious files from your 1&1 webspace. You will find them
listed in the summary file. This file is located in your logs directory.
Please access 1&1 Control Panel and follow:
‘Administration’ > ‘Web Space & Access’ > ‘WebspaceExplorer’
> directory ‘logs’ > directory ‘forensic’ > ‘/kunden/homepages/19/d139929218/htdocs/logs/forensic/20120906-0301.log’

Note: In order to preserve the formatting of this file and make it easier to
read, please open the files with MS WordPad.

3.5  Replace the infected files necessary for your websites. If you have a
backup, please scan it for malicious code before you upload it. In case you
should not have a backup, we recommend to fully rebuild your websites with
an updated software.

3.6  Finally, make sure that the permissions of your files are correctly set to
'644'.
******************************************************************************

We trust this message and our actions assisted you in resolving this situation.
If you should require further information, please reply to this e-mail, leaving
our reference [Ticket AB45332735] in your message.

Thank you in advance for your cooperation. We look forward to continuing to
provide you safe and secure hosting.

Kind regards,

Abuse Team


Abuse Department
1&1 Internet Inc.

So yea, I kind of felt like John Connor and SkyNet was raining down the pain, but in actuality it was probably some Script Kiddie in their parents' basement. My host was quick to point the finger at me, saying access to my site was gained through my FTP accounts and that one of my computers must have been compromised locally and the username/password to my FTP was keylogged. I quickly scanned every computer I use, including my work PC, and found nothing. I then remembered that I had just upgraded my Mac hard drive (3TB woot) and done a fresh install of OS X and Windows, so the evidence of any type of intrusion locally had been wiped out. Oh well, saved me the time of cleaning it.

I work in I.T., so removing viruses, malware, etc. is like second nature, from computers that is. Removing malicious software from a site is completely new to me and a different matter entirely. Oh, there are plenty of paid services that can’t guarantee they’ll get all of it but will try really hard. I’m sorry, I just don’t trust anyone but myself when it comes to such matters. After a couple of days of trying to remove the code on my own only to have it keep returning, I decided to seek out help. Luckily there is a site called StopBadware.org and a man named Dr. Anirban Banerjee who is the lead Primary Investigator at StopTheHacker. Dr. Banerjee listed some keywords to search for in my files and recommended some programs to do so. I ended up downloading my whole site to my Windows machine and using Windows Grep to search for the keywords. I was able to find all of the files that were infected and either remove the code or replace the file completely.
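The host's cleanup steps 3.4 to 3.6 above and the Windows Grep search described here amount to one check over a downloaded copy of the site: flag files that contain injection tell-tales, that differ from (or are absent in) a known-clean backup, or that are not mode 644. The script below is an added example, not code from the post, the author or 1&1; the indicator patterns, file names and sample site are constructed for illustration, since the actual keywords Dr. Banerjee supplied are not given in the post.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructed indicator list for this example (the keywords Dr. Banerjee supplied are not on the page).
INDICATORS = [
    ("eval-base64", re.compile(r"eval\s*\(\s*base64_decode\s*\(")),
    ("hidden-iframe", re.compile(r"<iframe[^>]*(width|height)\s*=\s*[\"']?0\b", re.I)),
]

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def scan_site(site_dir, backup_dir=None):
    """Map relative path -> findings: indicator hit, mode other than 644, or mismatch vs. backup."""
    report = {}
    for root, _dirs, files in os.walk(site_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, site_dir)
            text = Path(path).read_bytes().decode("utf-8", "replace")
            findings = ["indicator:" + tag for tag, rx in INDICATORS if rx.search(text)]
            mode = os.stat(path).st_mode & 0o777
            if mode != 0o644:                       # the host's step 3.6
                findings.append("mode:%o" % mode)
            if backup_dir is not None:             # the host's step 3.5: compare against a clean backup
                twin = os.path.join(backup_dir, rel)
                if not os.path.exists(twin):
                    findings.append("not-in-backup")        # dropped-in file
                elif sha256_of(twin) != sha256_of(path):
                    findings.append("differs-from-backup")  # modified in place
            if findings:
                report[rel] = findings
    return report

def write(path, text, mode=0o644):
    Path(path).write_text(text)
    os.chmod(path, mode)

def demo():
    """Constructed site copy plus backup (sample data, not the real site); returns the report."""
    site, backup = tempfile.mkdtemp(), tempfile.mkdtemp()
    clean = "<html><body><p>Welcome.</p></body></html>\n"
    write(os.path.join(backup, "index.html"), clean)
    write(os.path.join(site, "index.html"), clean.replace("</body>", '<iframe src="x" width=0 height=0></iframe></body>'))
    write(os.path.join(site, "dropped.php"), "<?php eval(base64_decode('AAAA')); ?>\n", 0o666)
    return scan_site(site, backup)
```

Run `scan_site` against the real download with the pre-infection backup as `backup_dir`; files reported as `not-in-backup` or `differs-from-backup` are the ones to inspect or replace before re-uploading.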

After submitting my site for review for about the 20th time in the past 3 days, Google reported last night that GeekChunks.Com was indeed clean.

Comments

  1. Whew! Glad to have you back up and running. Now I know who to turn to when my site crashes and burns. ;)

    • HA! Thanks, Brian!

      Yea, I know way more about it than I ever wanted to but I guess it’s necessary. Now maybe I can catch up on my League posts! ;)

  2. Glad to see that all is well, damn electro-terrorists. Long live Geek Chunks, unless it decides it would rather be a zombie, that’s just the personal choices I support.

    BTW, Greetings to everyone at the office Jeremy, for Afghanistan.
