Gootloader infection cleaned up

Uncategorized Comments Off on Gootloader infection cleaned up

Dear blog owner and visitors,

This blog had been infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisioning. Your blog was serving up 295 malicious pages. Your blogged served up malware to 19 visitors.

I tried my best to clean up the infection, but I would do the following:

  • Upgrade WordPress to the latest version (one way the attackers might have gained access to your server)
  • Upgrade all WordPress themes to the latest versions (another way the attackers might have gained access to your server)
  • Upgrade all WordPress plugins (another way the attackers might have gained access to your server), and remove any unnecessary plugins.
  • Verify all users are valid (in case the attackers left a backup account, to get back in)
  • Change all passwords (for WordPress accounts, FTP, SSH, database, etc.) and keys. This is probably how the attackers got in, as they are known to brute force weak passwords
  • Run antivirus scans on your server
  • Block these IPs (5.8.18.7 and 89.238.176.151), either in your firewall, .htaccess file, or in your /etc/hosts file, as these are the attackers command and control servers, which send malicious commands for your blog to execute
  • Check cronjobs (both server and WordPress), aka scheduled tasks. This is a common method that an attacker will use to get back in. If you are not sure, what this is, Google it
  • Consider wiping the server completly, as you do not know how deep the infection is. If you decide not to, I recommend installing some security plugins for WordPress, to try and scan for any remaining malicious files. Integrity Checker, WordPress Core Integrity Checker, Sucuri Security,
    and Wordfence Security, all do some level of detection, but not 100% guaranteed
  • Go through the process for Google to recrawl your site, to remove the malcious links (to see what malicious pages there were, Go to Google and search site:your_site.com agreement)
  • Check subdomains, to see if they were infected as well
  • Check file permissions

Gootloader (previously Gootkit) malware has been around since 2014, and is used to initally infect a system, and then sell that access off to other attackers, who then usually deploy additional malware, to include ransomware and banking trojans. By cleaning up your blog, it will make a dent in how they infect victims. PLEASE try to keep it up-to-date and secure, so this does not happen again.

Sincerly,

The Internet Janitor

Below are some links to research/further explaination on Gootloader:

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/

https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

https://www.richinfante.com/2020/04/12/reverse-engineering-dolly-wordpress-malware

https://blog.sucuri.net/2018/12/clever-seo-spam-injection.html

This message

Grandfather’s Grandfather Clock

Uncategorized No Comments

My Grandpa Brandt’s house has finally sold and somehow I was deemed worthy to carry on the family grandfather clock so I now officially have the first piece of furniture “in place” at the house….

I remember hearing this clock all the time when I would visit him. I am honored to keep it and look forward to hearing it chime in my house.

We closed on our house yesterday and we have everything in the house that is from our storage unit in Georgia. I am waiting for furniture to be delivered today from ahuge shopping spree earlier this week. As soon as I get some of it in and put away, I will try to share some pics but right now I would just be taking pictures of rooms full of boxes!! :)

Christmas in the Boro

Uncategorized No Comments

Christmas Eve we stayed over at Nathan’s parents house so Santa could make a large delivery. Here is a picture of the kids in front of the tree with their cookies in their Christmas pajamas…

Here is a picture of what Santa left…

Santa also left a recorded version of the Night Before Christmas since he didn’t want to wake the kids to read to them. :)

Here are the boys on their new toys…

This was a great place to sit and open gifts until one of them hit the gas pedal accidentally. :)

Samantha asked Nathan’s parents for a nightgown from American Girl. I think it is the only thing she can still fit in from the store…

After opening gifts the boys wanted to play with their new toys. Here they are riding circles around Nathan and his Uncle Bob…

Close up of Joshua…

Close up of Timmy…

And Joshua chilling out…

The Bad Part of Being Behind in Posts

Uncategorized No Comments

Well…. I did a great job planning the conference before leaving for Chicago which means that for three days my job is only to take care of problems and point out the restrooms. This leaves me a lot of time to catch up on computer work that seems to always be put to the bottom of things to do at home. The good news for you is that I now have over 100 photos to post to the blog!! This will show you all of the fun things we have done since Timmy’s birthday in September. However, the bad part of it is I now have over 100 pictures to post!! So since I have one more day to go in the conference I am expecting that all of these photos will be posted by tomorrow afternoon! Happy looking!! 

Happy Birthday Nathan!

Uncategorized No Comments

Today my wonderful, amazing, gorgeous husband is 40!!! He is still as crazy as the day I met him… some things will never change! (I hope)…

I love you Nathan!!

« Previous Entries