You Don't Mess With Other People's Websites!

The moment in Tarantino's "Pulp Fiction" when John Travolta says "You just don't mess with other people's cars", implying what he would do to a guy who did, shows exactly how I felt this morning when I found out about a new hacking attack on my site.

Discovering the threat

The first clue was a comment from a reader saying that the Chrome browser issues a security warning while viewing my site (I also use Chrome; I wonder why it didn't for me?).

The second clue was another reader who suggested that my feed subscription is not working.

So I decided to check my feed with FeedValidator, and surprise, surprise, here is what I found at the bottom of my feed:

Just great. My head turns red immediately.

I check my home page (View Source) and there is an alien JavaScript sitting right there at the bottom of my page.

The Exploit Scanner plugin also confirms that all index.html, index.php, header.php and footer.php files, not only in my WordPress directory but across my whole site, have been infected with the same script.

Details about the threat

There is not much information about the script; it is probably of the sort that collects passwords entered on the site (for example when I log in to my WordPress admin).

Changing that password immediately is the best idea you can have.

The attack traces back to xanjan.cn.

Now I do not know if Mr. Astakhov Sergey is truly the person behind this, but I know I would like to see the people who orchestrate these kinds of attacks first be treated by Mr. Travolta's character in "Pulp Fiction" and then sent to prison for life.

I do not know if everyone understands the seriousness of this problem yet. In April PC World reported 500,000 sites hacked in one attack. I fear that was only the beginning.

What will I do?

I have to change all my passwords that are the same as my WordPress password.

Then I will change my hosting. They did not even bother to respond to my email when the first attack occurred a couple of months ago (follow-up). I am still not sure how the intruder got in, but I certainly do not like the way my hosting handled it.

I will study ways to protect myself on sites that might have been hacked like mine was. That includes adding a list of known malicious domains to my hosts file.

Update: This site has very good information on the malicious iframe attack.

Finally, I will create a WordPress plugin that will automatically warn me as soon as an intruder finds their way onto my site.
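The two things described above, spotting a foreign script or iframe appended to index/header/footer files and being warned as soon as files change, can be automated with a small scanner run on the host. The following is an added example, not code from this post or any WordPress plugin, written in Python rather than as the PHP plugin planned here. The directory layout, the host names (`example.com`, `malicious.invalid`), the signature regexes and the injected snippet in `demo()` are all constructed for the demonstration.

```python
"""Added example (not the post's own code): a small injection scanner and
file-integrity baseline for a WordPress document root.  It automates two
checks the post did by hand: looking for script/iframe tags that load from a
foreign host at the bottom of index/header/footer files, and recording a
SHA-256 baseline so a later run reports which files changed.  The layout,
host names and injected snippet in demo() are all constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed signature: a <script> or <iframe> whose src points at some host;
# the host is compared against the site's own domains by the caller.
INJECT_RE = re.compile(
    r'<(script|iframe)\b[^>]*\bsrc\s*=\s*["\']?\s*(?:https?:)?//([^/"\'\s>]+)',
    re.IGNORECASE,
)
# Second constructed signature: an iframe sized to 0/1 px or hidden with CSS.
HIDDEN_IFRAME_RE = re.compile(
    r'<iframe\b[^>]*(?:\b(?:width|height)\s*=\s*["\']?[01]\b|display\s*:\s*none)',
    re.IGNORECASE,
)
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js"}


def find_injections(text: str, own_hosts: set) -> list:
    """Return human-readable findings for one file's contents (empty if clean)."""
    findings = []
    for m in INJECT_RE.finditer(text):
        tag, host = m.group(1).lower(), m.group(2).lower()
        if host not in own_hosts:
            findings.append(f"{tag} loaded from foreign host {host}")
    if HIDDEN_IFRAME_RE.search(text):
        findings.append("hidden (1px / display:none) iframe")
    return findings


def scan_tree(root: Path, own_hosts: set) -> dict:
    """Walk root; return {relative path: findings} for files with any hit."""
    hits = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            found = find_injections(path.read_text(errors="replace"), own_hosts)
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits


def build_baseline(root: Path) -> dict:
    """{relative path: sha256 hex} for every regular file under root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()).hexdigest()
    return baseline


def diff_baseline(root: Path, baseline: dict) -> dict:
    """Compare the tree against a stored baseline (e.g. one saved as JSON)."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Build a constructed WordPress-like tree, baseline it, simulate the
    injection the post describes, and return scan plus diff results."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    theme = root / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    (theme / "header.php").write_text(
        '<head><script src="https://example.com/wp-includes/js/jquery.js"></script></head>\n')
    (theme / "footer.php").write_text("</body></html>\n")
    baseline = build_baseline(root)
    # Constructed injection, appended at the bottom of the files as in the post.
    with (theme / "footer.php").open("a") as f:
        f.write('<script src="http://malicious.invalid/x.js"></script>\n')
    with (root / "index.php").open("a") as f:
        f.write('<iframe src="http://malicious.invalid/f" width=1 height=1></iframe>\n')
    return {"injections": scan_tree(root, {"example.com"}),
            "changes": diff_baseline(root, baseline)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is taken right after a clean install or a verified cleanup, stored outside the web root, and `diff_baseline` is run from cron; any entry in `modified` or `added` is the alert the post wants, and the signature scan tells you whether the change looks like the appended-script pattern seen here.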

Main Concerns

There are thousands of attack sites like the one that attacked my site. We can only hope that those are individual hackers.

If there is even a glimpse of these attacks being coordinated from one place, I am afraid we are on our way to the largest turmoil the Internet has ever seen.

Posted in: Debate, WordPress

24 Comments

  1. Nov 17th, 2010 11:23 AM

    The title says it all and I can't agree more. Don't mess with other people's websites. Die, spammers and those who inject viruses into other people's sites. Keep your WordPress sites updated to stop malware injections!!

  2. Jun 13th, 2009 9:31 PM

    I am getting errors on my homepage and cannot figure out what is going on. I have a 1and1 server and one day a monkey image showed up on my site! I changed all my passwords and am hoping this problem will go away, but I still need some more info about these threats.

  3. May 19th, 2009 12:15 PM

    Hey Vlad,

    Wow, sorry to hear that news but it is a reminder to the rest of us that WordPress has vulnerabilities.

    I was encouraged by your comments about developing a solution to this hacking problem and look forward to learning more about how you deal with it. Don't mess with Vlad either!

  4. Jan 5th, 2009 3:36 AM

    This has happened to me as well. I just try to keep checking at least twice a month. I find that trying to keep the most up-to-date WordPress version helps keep them out. It is very irritating. Good article, thanks for sharing this.

  5. Nov 4th, 2008 1:03 PM

    As a Chinese, I'm so sorry to see that that attack came from China.
    ...
    you know somebody is very very ...

  6. Oct 5th, 2008 6:31 PM

    Kick his ass C-bass!

  7. Oct 1st, 2008 1:17 AM

    Thanks for the tip, I have added a link to that useful information to the article.

  8. Sep 30th, 2008 8:20 PM

    hackers should die :|

  9. Sep 30th, 2008 7:52 PM

    For whatever reason I can't post a link using a regular tag - the page just refreshes and my post never shows up. I don't have this problem using disqus or slashdot comment fields. Here's another attempt without including the direct link...

    Go to Google and search for "malicious iframe attack" then click on the top result to find a good description of your issue. I would recommend paying special attention to the recommended actions for webmasters and ISPs towards the bottom of the page.

    Let me know if you have any questions, as I have some similar experience which may be helpful.

  10. Sep 30th, 2008 7:45 PM

    Your issue is accurately described at the following link; I would recommend paying special attention to the recommended actions for webmasters and ISPs.

    test

    Let me know if you have any questions, as I have some similar experience which may be helpful.

  11. Sep 30th, 2008 7:30 PM

    Well, my last comment successfully went through, so I will try to repost my lost message...

    Your issue is fairly well described by this article, and I would recommend you pay special attention to the recommended action for webmasters and ISPs section:
    http://www.softpanorama.org/Malware/Malicious_web/malicious_iframe_attack.shtml

    It's a different incarnation, but not completely different in nature from SQL injection attacks I've seen. If you have questions, feel free to contact me - information is on my website.

  12. Sep 30th, 2008 7:24 PM

    I submitted a helpful comment yesterday - Why did it not show up in your blog?

  13. Sep 26th, 2008 2:40 AM

    Man, this is terrible. One time I got an email from Google stating that my WordPress blog was harmful to users. They had put up the "Warning - this site may harm your computer" warning so you couldn't access the blog.

    I found that someone had hacked my blog and then embedded some kind of link in one of the posts. The rest of the post was messed up. That scared the hell out of me because I couldn't log in and I thought maybe I'd forgotten the password or something.

    I'm gonna try what you suggested and research what else I can do so this doesn't happen again.

  14. Rohin
    Sep 25th, 2008 6:06 PM

    Those hackers should die !

  15. Sep 25th, 2008 2:40 PM

    Nick, thanks for the analysis; it relieves me that the 'virus' was relatively harmless - I expected much worse. Most of the people that visit my site have FF 2+.

    I am moving hosting these days, hopefully that will get rid of the pest for some time.

  16. Sep 21st, 2008 1:28 AM

    Hey Vladimir, I was going through my WordPress admin and came across a plug-in that had your name on it, so here I am. I'd tell you that you had written a great post, but it was scary as hell, especially if you're really not into WordPress and the technical parts of WordPress. What are some of the bloggers like moms who are trying to make an income on the side, or anyone who just wants to blog but is not into the meat of the workings, supposed to do? It gives you an unsettled feeling and it makes you feel helpless. I'm presently doing a 2 part series on backing up your blog; it is in reference to a fellow blogger whose blog was hacked earlier this summer and wanted to get her story out. I have two guest posters who are explaining how to back up and when... but just putting these posts on kind of makes me feel like I'm putting a target on my back. But thanks for a great post and I may be emailing you.

  17. Sep 20th, 2008 6:17 PM

    Vladimir,
    I have been visiting your site a lot so I have also been served with the URL you provide so I checked it out.

    By viewing the source and decoding the JavaScript it contains, I saw that it seems to target various flaws/exploits of the computers of anyone who visited the site with IE or old Firefox versions or had old Adobe Acrobat versions, and it tried to download and run a file called "load.exe"

    http://www.virustotal.com/analisis/a1c43cda1a5d8343829f296831d3ddf6

    and if that failed, to display a malicious pdf file

    http://www.virustotal.com/analisis/4cbdb1a37282c6810fd0aba2d6ab6b99

    My current antivirus does not pick up either file! I am worried about the last one since it was displayed inside FF by my rather old Acrobat Reader.

    Did that activate the virus?

    Unfortunately I am not that proficient in CS to know...

  18. Sep 17th, 2008 10:43 PM

    Vladimir, I have been through this before and it is frustrating (at the very least). My host makes nightly backups as long as the total nodes is below 50,000 (? I think it was ?) at the time my site was hacked, my total nodes was approx. 53,000. The hacker added his/her code to over 600 files. I have since erased a LOT of files from my sub-domain folders to bring down the nodes...and I make my own backups!

    I was actually looking at your plugin, WP Wall, and found this article. From here, I followed the information threads and advice. I get an out-of-memory error when running the WP-EXPLOIT plugin but it did check the database and it FOUND that some moron spammer messed up one of my articles!

    Your information and security notes have proven very helpful. Thank you for educating us and providing the details. Sorry they got to you.

  19. Sep 16th, 2008 5:43 AM

    Pretty frightening. Of course, Travolta's character was relatively mild. His boss, Marcellus Wallace, went after his attackers "with a pair of pliers and a blowtorch." (By the way, few realize that line was stolen from a great Walter Matthau flick called "Charley Varrick.")

  20. Sep 16th, 2008 2:52 AM

    The same thing happened to me a while back. However, my site did not have a JavaScript; rather, hidden spam links had been inserted into my code. The best way to fix this in my case was to change my password and CHMOD all theme files to 644 and edit through my host.

  21. Sep 15th, 2008 11:44 PM

    Pretty much everything is in the hands of your hosting.

    I have put up some WordPress security-related notes, which is something you can do by yourself to make sure at least your WordPress stays secure.

  22. Sep 15th, 2008 11:39 PM

    That sucks. Yeah, and make sure all your theme files, including the .htaccess, are CHMOD 644.
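Comments 20 and 22 both recommend setting theme files, .htaccess included, to mode 644. What a practitioner actually wants is a check that reports anything looser than that (group- or world-writable files, which is what lets a compromised process on a shared host rewrite the theme) before and after the fix. The following is an added example written for this page, not code from the post or its commenters; the expected modes (644 for files, 755 for directories), the sample theme tree and its deliberately loose permissions in `demo()` are constructed for the demonstration.

```python
"""Added example (not from the post or its commenters): audit file modes under
a WordPress tree the way the comments recommend (files 644, directories 755,
.htaccess included) and report anything group- or world-writable.  The fix
step is opt-in so the audit can run read-only first.  The tree and modes set
up in demo() are constructed for the demonstration (POSIX permissions)."""
import stat
import tempfile
from pathlib import Path

FILE_MODE = 0o644   # assumed target for regular files, per the comments
DIR_MODE = 0o755    # assumed target for directories
WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def audit_tree(root: Path, fix: bool = False) -> list:
    """Return (relative path, actual mode, expected mode) for every entry whose
    permission bits differ from the expected mode.  With fix=True, chmod it."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            continue  # chmod would follow the link; handle links separately
        mode = stat.S_IMODE(path.lstat().st_mode)
        expected = DIR_MODE if path.is_dir() else FILE_MODE
        if mode != expected:
            findings.append((path.relative_to(root).as_posix(),
                             f"{mode:04o}", f"{expected:04o}"))
            if fix:
                path.chmod(expected)
    return findings


def writable_by_others(root: Path) -> list:
    """The subset that matters most: entries the group or the world can write."""
    return [p.relative_to(root).as_posix() for p in sorted(root.rglob("*"))
            if not p.is_symlink()
            and stat.S_IMODE(p.lstat().st_mode) & WRITE_BY_OTHERS]


def demo() -> dict:
    """Constructed theme tree with two loose entries; audit, fix, re-audit."""
    root = Path(tempfile.mkdtemp(prefix="wp-perms-"))
    theme = root / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    for d in (root / "wp-content", root / "wp-content" / "themes", theme):
        d.chmod(DIR_MODE)
    for name in ("header.php", "footer.php"):
        (theme / name).write_text("<?php // constructed theme file\n")
    (root / ".htaccess").write_text("# constructed\n")
    (theme / "header.php").chmod(0o644)   # correct
    (theme / "footer.php").chmod(0o666)   # world-writable: the bad case
    (root / ".htaccess").chmod(0o664)     # group-writable: also flagged
    before = audit_tree(root)
    loose = writable_by_others(root)
    audit_tree(root, fix=True)
    return {"before": before, "loose": loose, "after": audit_tree(root)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run `audit_tree(Path("/path/to/wordpress"))` first to see the report, then with `fix=True` once you have confirmed nothing in the list is supposed to be writable by the web server's group (upload directories on some hosts legitimately are, and should be excluded rather than tightened blindly).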

  23. Sep 15th, 2008 6:17 PM

    Vladimir, I am new to this and it's the first time I have ever developed a website of my own. How can I protect this from not happening to me?

  24. Sep 15th, 2008 8:21 AM

    I will be the first to install your plugin!