Gootloader infection cleaned up

Filed under:uncategorised — posted by admin on February 28, 2022 @ 3:59 am

Dear blog owner and visitors,

This blog had been infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisoning. Your blog was serving up 289 malicious pages. Your blog served up malware to 646 visitors.

I tried my best to clean up the infection, but I would do the following:

  • Upgrade WordPress to the latest version (one way the attackers might have gained access to your server)
  • Upgrade all WordPress themes to the latest versions (another way the attackers might have gained access to your server)
  • Upgrade all WordPress plugins (another way the attackers might have gained access to your server), and remove any unnecessary plugins.
  • Verify all users are valid (in case the attackers left a backup account, to get back in)
  • Change all passwords (for WordPress accounts, FTP, SSH, database, etc.) and keys. This is probably how the attackers got in, as they are known to brute force weak passwords
  • Run antivirus scans on your server
  • Block these IPs (5.8.18.7 and 89.238.176.151), either in your firewall, .htaccess file, or in your /etc/hosts file, as these are the attackers' command and control servers, which send malicious commands for your blog to execute
  • Check cronjobs (both server and WordPress), aka scheduled tasks. This is a common method that an attacker will use to get back in. If you are not sure what this is, Google it
  • Consider wiping the server completely, as you do not know how deep the infection is. If you decide not to, I recommend installing some security plugins for WordPress, to try and scan for any remaining malicious files. Integrity Checker, WordPress Core Integrity Checker, Sucuri Security, and Wordfence Security all do some level of detection, but not 100% guaranteed
  • Go through the process for Google to recrawl your site, to remove the malicious links (to see what malicious pages there were, go to Google and search site:your_site.com agreement)
  • Check subdomains, to see if they were infected as well
  • Check file permissions

Gootloader (previously Gootkit) malware has been around since 2014, and is used to initially infect a system, and then sell that access off to other attackers, who then usually deploy additional malware, including ransomware and banking trojans. By cleaning up your blog, it will make a dent in how they infect victims. PLEASE try to keep it up-to-date and secure, so this does not happen again.

Sincerely,

The Internet Janitor

Below are some links to research/further explanation on Gootloader:

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/

https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

https://www.richinfante.com/2020/04/12/reverse-engineering-dolly-wordpress-malware

https://blog.sucuri.net/2018/12/clever-seo-spam-injection.html
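As an added triage example for the checklist in the notice above (not part of the janitor's message or of any Gootloader research), the script below runs the two log-based checks a blog owner can do offline: it flags requests from the two command and control IPs listed in the notice, and it treats Google-referred requests whose URL contains the "agreement" search term from the notice as likely SEO-poisoning victims, collecting the poisoned URLs to submit for removal. The log lines are constructed Apache combined-format samples, and the "agreement" heuristic is an assumption drawn from the notice's site: search tip, not a rule from the research links.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Feb/2022:10:01:02 +0000] "GET /?s=rental+agreement+template HTTP/1.1" 200 5123 "https://www.google.com/" "Mozilla/5.0"
203.0.113.11 - - [27/Feb/2022:10:03:40 +0000] "GET /blog/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
5.8.18.7 - - [27/Feb/2022:10:05:00 +0000] "POST /index.php HTTP/1.1" 200 14 "-" "curl/7.68.0"
198.51.100.7 - - [27/Feb/2022:10:07:15 +0000] "GET /2016/03/31/starting-new/?agreement=sample HTTP/1.1" 200 4870 "https://www.google.com/search?q=sample+agreement" "Mozilla/5.0"
89.238.176.151 - - [27/Feb/2022:10:09:33 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "python-requests/2.25"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
C2_IPS = {"5.8.18.7", "89.238.176.151"}  # the two IPs listed in the notice
SEO_TERM = "agreement"                    # search term from the notice's site: tip (assumed heuristic)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Separate C2 contacts from probable SEO-poisoning victims and tally poisoned URLs."""
    c2_hits, victim_hits, poisoned_urls = [], [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec["ip"] in C2_IPS:
            c2_hits.append(rec)
        from_google = "google." in rec["referer"].lower()
        if from_google and SEO_TERM in rec["path"].lower():
            victim_hits.append(rec)
            poisoned_urls[rec["path"]] += 1
    return {"c2_hits": c2_hits, "victim_hits": victim_hits, "poisoned_urls": poisoned_urls}


def htaccess_block(ips):
    """Apache 2.4 .htaccess fragment that denies the given IPs (the notice's block step)."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(ips)]
    return "\n".join(lines + ["</RequireAll>"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"C2 contacts: {len(result['c2_hits'])}, probable victims: {len(result['victim_hits'])}")
    print("Poisoned URLs to request removal for:", sorted(result["poisoned_urls"]))
    print(htaccess_block(C2_IPS))
```

Run it against the server's real access log instead of SAMPLE_LOG to get the victim count and the list of poisoned URLs for Google's removal process.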

This message

Starting new

Filed under:Blog — posted by Shari on March 31, 2016 @ 9:47 am

Wow, it’s been a while. But now that the first novel is complete, and I’m onto the second, it’s time to connect again. A blog is a wonderful way to keep memories. Can’t believe that I’ve left this so long. I am taking this opportunity to wish myself luck on this next big journey. I’m so excited.

Coldest August in 30 Years

Filed under:Blog — posted by Shari on August 25, 2008 @ 12:13 pm

I need a new wetsuit, a new attitude or both. I haven’t surfed in 3 weeks. 3 weeks! I’m cold all the time and the thought of putting on a wetsuit and getting into 16 degree water is just all too much.

This morning, the Today Show said that NSW Australia is experiencing the coldest August in 30 years. I believe it. It’s not helping to change my attitude though . . .

Shakespeare’s challenge

Filed under:Blog — posted by Shari on July 7, 2008 @ 10:10 am

“There is a tide in the lives of men that, when taken at the flood, leads on to fortune.” – William Shakespeare

Good luck this week, Mark.

Thanks Momma

Filed under:Blog — posted by Shari on June 30, 2008 @ 1:41 pm

Thanks Momma, I say, this fine Monday. At 6:45am, I cast an eye around a sliver of vertical blind. Royal blue sky and not a lick of wind. No toast and tea at the beach this morning. It was my version of a rush at home and I was in the water at 7:30am. I didn’t look at the internet before going either. So, imagine my delight to discover that, for once, ignorance worked in my favour. I was wrong about the school holidays. They don’t start until next week. So, rather than a hundred groms buzzing around my head, I was met with two, yes TWO, other surfers at Dee Why Beach. How ’bout them apples? Ok, so the surf had dropped, a lot. But the sun shone warm on my chest, the waves were glassy and welcomed me into a few pockets. And it was a grand morning to be alive and be a surfer. Top o’ the day to the rest of ya. ;) 

anyone remember this one?

Filed under:Blog — posted by Shari on June 22, 2008 @ 11:57 am

Good morning. Snooping around my files, I came across this funny one again. If only math was this easy. Find x.
geometry test answer

The sun is finally out

Filed under:Blog — posted by Shari on June 21, 2008 @ 2:57 pm

In more ways than one. Wet storms finally left us this morning. With the good news from Canada that Dad is already on the mend in a big way, I can’t help but feel the positivity of the day.

I should have been out having a surf this morning, but I got stuck doing video transfers and conversions and then got into the time-absorbing task of  . . . play ominous music here . . . web site updating. Spare me. I must get a life.

hard times

Filed under:Blog — posted by Shari on June 17, 2008 @ 11:27 am

I love you, Dad.

Hard times come. The day before yesterday started my dad’s turn. He’s had a stroke, you see. It’s a small one and he’s expected to recover. Strong man, and brilliant. It’s horrible not to be able to run to him.

I love you, Dad.

Where is it all?

Filed under:Blog — posted by Shari on June 15, 2008 @ 2:59 pm

With all the writing that I’ve done, it should be easy. You’d think I could jam together enough content for 15 portfolios within a few clicks of the mouse.

Not so. Reading, re-reading, musing. I’m like Alice down the rabbit hole: in la la land for ages remembering the fun that each project was. Sound corny? Cliche even? nyuck, nyuck. It’s a cliche that few can claim. 😉


Welcome to my place

Filed under:Blog — posted by Shari on February 6, 2008 @ 11:21 pm

I’m Shari Hooper, Canadian living in Australia, and I wanted this url because it is my name. Soon, there will be stories here. Fiction and true, short and long. I think I’ll start an ongoing one about . . . you’ll soon see. 
