Hacked…Doggone-it!

Hi Everybody,
It’s been awhile since I posted, but the thing is…I was hacked! That’s right, I was the victim of a drive-by virus; a nasty cuss called the god_mode_on virus. And like its human counter-part, it’s a virus that doesn’t discriminate; it hits any site using word press, and it hits hard.

WHAT HAPPENED

I was working on one of my sites, just minding my own business, when I decided to add a plugin to enhance functionality. I went to my plugin page, and…behold, all the plugins suddenly deactivated themselves. The entire plugin page was full of hot-pink error messages that said “this plugin has been deactivated.” So I went to the page that allows you to re-activate any plugins you’ve deactivated, only to receive an error message that said, “you apparently don’t have any plugins to reactivate.”

As you can imagine, I was stumped. No plugins? How could that be??? So I went to WordPress.org’s plug-in page to re-upload each plugin that had deactivated itself, only to be scolded with this error message: “Plugin not installed; path already exists.”

Well, now I was annoyed. I ran a google search with this phrase – “All my plugins disappeared,” and I got a flood of hits on other word press users who had been hacked within the same time frame.

WHAT I LEARNED

I learned I had been hacked by a low-down, dirty, scum-sucking virus called god_mode_on. This virus first hijacks your plugins, deactivating such vital plugins like captcha, askimet and maintenance mode. When this happens, your website is no longer protected from spam, and all sorts of virus-spreading villains can leave messages for you. You don’t have to approve the messages; you could become a victim by simply clicking on them to see what they’re about. Plus, since the maintenance mode plugin is disabled, you can’t even put your website into maintenance mode until you get the problem fixed.

But even worse than that, any person that visits your beloved website is in peril of being blindsided by a “malicious toolkit” that automatically downloads onto their computer. So what this means is, you just spread the virus without meaning to, and you can’t do anything about it because you can’t disable your website. So, not only do you experience the guilt at having spread a germ to one of your faithful readers, your site may well be blacklisted from the search engines as a known site for spreading nasty computer infections! AND WHAT THAT MEANS is if you’re blacklisted, your traffic will definitely decrease, because who do you know that wants to visit a site that’s spreading nasty infections?

WHAT IT DOES

The god_mode_on virus attacks word press first, then glides serenely over to your js (javascript) and php files and injects them with the malicious goods. It also creates a few files of its own, like upd.php, which is a sort of “back door” for it to get back into your files even if you do manage to clean out the virus without losing your mind first.

It then proceeds to re-direct your visitors from your website to the website of its choice, which may even include porn! Sometimes it sends visitors to a site that declares that your computer has been infected and the only way you can save it is to buy an advertised virus protector…but the only way to buy that is to give some faceless, nameless desperado your credit card information. And that, my friend, is definitely not what you want to do!

WHAT I HAD TO DO

1. I went to this site and read what other victims had to say: http://wordpress.org/support/topic/i-think-my-site-has-been-hacked-please-help-asap

2. Next, I scanned my website and found out exactly which files were infected. BE PREPARED TO BE BLOWN AWAY; YOU MAY HAVE HUNDREDS OF FILES THAT HAVE BEEN AFFECTED! http://sitecheck.sucuri.net/scanner/

3. Next, I downloaded a free copy of Avast, an excellent program for spotting malware. Unfortunately, if your site’s got the infection, Avast doesn’t remove it, but if your site’s clean, it can prevent an infection: http://www.avast.com/en-us/index

4. Next, I “restored” my ftp files to a date prior to the attack. I use GoDaddy.com as a host, and they take a daily snapshot of computer files, so we were able to pinpoint the exact date that my files were infected. From there, we went backward two days and “restored” my ftp files to an earlier date.

Theoretically, after that restoration, my files should have been clean, but unfortunately, that’s not what happened. The filthy virus had created some backup files like upd.php and other files, so it was still there, like a germ…lying dormant until it could spring to life again. So I still had a lot of work to do!

5. Next, I used a word press export plugin and exported my posts, pages and data to my desktop, and immediately scanned it with Avast to be sure I hadn’t just downloaded the virus onto my computer. The export page was clean, so I moved on to the next step.

6. This step was a bit controversial, and I’M NOT ENCOURAGING YOU TO DO THE SAME THING. But since I didn’t want to infect any of my readers and I couldn’t disable my website, I went into my FTP files and downloaded the WP-Content files onto my desktop. Once I did that, I completely deleted that folder from the FTP files, so that when visitors went to my site, they got nothing but a blank page.

7. Once I knew my readers were safe, I uninstalled word press from my ftp files and did a clean install of word press, then I deleted my theme and re-installed a fresh copy of the theme. In my case, my theme had been updated from version 4.6 to version 5.0, so it was really, really new!

That did it for me. Though my site needed quite a bit of tweaking to bring it back up to snuff, at least it was up and running again. I then felt safe enough to delete the WP-Content file I had downloaded onto my desktop. I’d only saved it in case something went wrong with the clean installs and I needed to re-upload it to the ftp files.

A coder friend suggested that I install two additional plugins called BulletProof and TimThumb Vulnerability Scanner. BulletProof is supposed to be a great shield against word press viruses, and the TimThumb scanner supprosedly closes any open back doors that TimThumb has.

CONCLUSION

Well, now that I’ve gotten all that trauma off my chest, I have to tell you that I don’t recommend anyone trying the steps I took to clean my site. My advice is, go find a professional and pay to have your site cleaned, especially if you have lots and lots of posts and pics that you can’t bear to lose. But whatever you do, keep your chin up; you’re not the first person to be infected by the god_mode_on virus, and I’m sure you won’t be the last.

My very best wishes your way,

Rita Lorraine