27
Feb 22

Gootloader infection cleaned up

Dear blog owner and visitors,

This blog had been infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisioning. Your blog was serving up 301 malicious pages. Your blogged served up malware to 203 visitors.

I tried my best to clean up the infection, but I would do the following:

  • Upgrade WordPress to the latest version (one way the attackers might have gained access to your server)
  • Upgrade all WordPress themes to the latest versions (another way the attackers might have gained access to your server)
  • Upgrade all WordPress plugins (another way the attackers might have gained access to your server), and remove any unnecessary plugins.
  • Verify all users are valid (in case the attackers left a backup account, to get back in)
  • Change all passwords (for WordPress accounts, FTP, SSH, database, etc.) and keys. This is probably how the attackers got in, as they are known to brute force weak passwords
  • Run antivirus scans on your server
  • Block these IPs (5.8.18.7 and 89.238.176.151), either in your firewall, .htaccess file, or in your /etc/hosts file, as these are the attackers command and control servers, which send malicious commands for your blog to execute
  • Check cronjobs (both server and WordPress), aka scheduled tasks. This is a common method that an attacker will use to get back in. If you are not sure, what this is, Google it
  • Consider wiping the server completly, as you do not know how deep the infection is. If you decide not to, I recommend installing some security plugins for WordPress, to try and scan for any remaining malicious files. Integrity Checker, WordPress Core Integrity Checker, Sucuri Security,
    and Wordfence Security, all do some level of detection, but not 100% guaranteed
  • Go through the process for Google to recrawl your site, to remove the malcious links (to see what malicious pages there were, Go to Google and search site:your_site.com agreement)
  • Check subdomains, to see if they were infected as well
  • Check file permissions

Gootloader (previously Gootkit) malware has been around since 2014, and is used to initally infect a system, and then sell that access off to other attackers, who then usually deploy additional malware, to include ransomware and banking trojans. By cleaning up your blog, it will make a dent in how they infect victims. PLEASE try to keep it up-to-date and secure, so this does not happen again.

Sincerly,

The Internet Janitor

Below are some links to research/further explaination on Gootloader:

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/

https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

https://www.richinfante.com/2020/04/12/reverse-engineering-dolly-wordpress-malware

https://blog.sucuri.net/2018/12/clever-seo-spam-injection.html

This message


25
Jan 10

Wlademir Dias-Pino: enciclopédia visual

Semana retrasada lançamos o site Enciclopédia Visual dedicado à obra de Wlademir Dias-Pino, e neste espaço se encontra a sua produção em poesia, design, ilustrações e textos teóricos escritos por ele e por críticos de sua obra.
Assim como o site Poema Processo a realização é do grupo PLACE coordenado por Rogério Camara. O trabalho obteve apoio do CNPq e contou com a participação de Hugo Cristo, Priscilla Martins, Lívia Rimolo e Ivan Cosenza.


21
Dec 09

Poema Processo

Está no ar o site Poema Processo realizado pelo grupo PLACE coordenado por Rogério Camara e com apoio do CNPq. Participaram  do projeto Hugo Cristo, Priscilla Martins, Lívia Rimolo e Ivan Cosenza. Contamos com o acervo e toda atenção dos poetas Wlademir Dias-Pino, Neide de Sá e Regina Pouchain.
Site visa divulgar o movimento de mesmo nome, ocorrido na poesia de vanguarda brasileira, inaugurado, formalmente, em dezembro de 1967 e encerrado com o Manifesto de Parada Tática em 1972.
Liderado pelos poetas Álvaro de Sá, Neide Sá, Moacy Cirne e Wlademir Dias-Pino, o movimento pretendia-se inovador ao propor um desmonte nas formas estabelecidas de criação de um poema. Aderiram ao grupo poetas de todo o país e publicou-se de maneira mais expressiva nos estados do Rio de Janeiro e do Rio Grande do Norte.


22
Aug 09

Pinturas falantes

Diz-se que vivemos em mundo da imagem, mas parece que não se sabe mais olhar. No museu as pessoas apelam para tudo para entender o que não olham diretamente: legendas e textos de toda espécie. Assim, como a particularidade física e plástica da imagem passou a importar menos que o discurso, a China montou exposição em que reproduções de pinturas famosas falam e se explicam.


22
Aug 09

Do Crédito

cofre_forte

Nova York, 2009.

No mundo do crédito, quem vai atrás da poupança do Tio Patinhas? Talvez as empresas.