Gootloader infection cleaned up

Dear blog owner and visitors,

This blog had been infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisoning. Your blog was serving up 383 malicious pages. Your blog served up malware to 0 visitors.

I tried my best to clean up the infection, but I would do the following:

  • Upgrade WordPress to the latest version (one way the attackers might have gained access to your server)
  • Upgrade all WordPress themes to the latest versions (another way the attackers might have gained access to your server)
  • Upgrade all WordPress plugins (another way the attackers might have gained access to your server), and remove any unnecessary plugins.
  • Verify all users are valid (in case the attackers left a backup account, to get back in)
  • Change all passwords (for WordPress accounts, FTP, SSH, database, etc.) and keys. This is probably how the attackers got in, as they are known to brute force weak passwords
  • Run antivirus scans on your server
  • Block these IPs (5.8.18.7 and 89.238.176.151), either in your firewall, .htaccess file, or in your /etc/hosts file, as these are the attackers' command and control servers, which send malicious commands for your blog to execute
  • Check cronjobs (both server and WordPress), aka scheduled tasks. This is a common method that an attacker will use to get back in. If you are not sure what this is, Google it
  • Consider wiping the server completely, as you do not know how deep the infection is. If you decide not to, I recommend installing some security plugins for WordPress, to try and scan for any remaining malicious files. Integrity Checker, WordPress Core Integrity Checker, Sucuri Security, and Wordfence Security all do some level of detection, but not 100% guaranteed
  • Go through the process for Google to recrawl your site, to remove the malicious links (to see what malicious pages there were, go to Google and search site:your_site.com agreement)
  • Check subdomains, to see if they were infected as well
  • Check file permissions

Gootloader (previously Gootkit) malware has been around since 2014, and is used to initially infect a system, and then sell that access off to other attackers, who then usually deploy additional malware, to include ransomware and banking trojans. By cleaning up your blog, it will make a dent in how they infect victims. PLEASE try to keep it up-to-date and secure, so this does not happen again.

Sincerely,

The Internet Janitor

Below are some links to research/further explanation on Gootloader:

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/

https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

https://www.richinfante.com/2020/04/12/reverse-engineering-dolly-wordpress-malware

https://blog.sucuri.net/2018/12/clever-seo-spam-injection.html
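
The checklist in the notice above is mostly hands-on shell work on the web server. The script below is an added example, not part of the Internet Janitor's notice and not a Gootloader-specific indicator list: it performs the file-system side of that checklist offline against a WordPress document root (injected PHP, PHP dropped into uploads, recently changed files, loose permissions, cron entries that fetch or decode something). The function names, the regular expression and the path in the usage line are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the notice above): offline triage of a WordPress docroot
# for the kinds of leftovers an SEO-poisoning infection tends to leave behind.
# The regex and the function names are illustrative assumptions, not known IOCs.
# Needs only POSIX sh plus find and grep -E.

# PHP primitives that obfuscated injections and webshells almost always use and
# that a clean theme or plugin almost never needs.
SUSPECT_RE='(eval|assert|create_function|base64_decode|gzinflate|gzuncompress|str_rot13|system|shell_exec|passthru|popen|proc_open)[[:space:]]*\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\('

# PHP files under the docroot $1 whose source matches SUSPECT_RE, sorted.
find_suspect_php() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) \
        -exec grep -lE "$SUSPECT_RE" {} + 2>/dev/null | sort
}

# Any PHP under wp-content/uploads: WordPress never writes code there, attackers do.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) 2>/dev/null | sort
}

# Files changed within the last $2 days (default 30). Core, theme and plugin files
# should only change when you update them; anything else deserves a look.
find_recent() {
    find "$1" -type f -mtime -"${2:-30}" 2>/dev/null | sort
}

# World-writable files and directories: the permissions check from the list.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 2>/dev/null | sort
}

# System cron files that fetch or decode something: a common way back in.
# $1 is a root prefix so the check can also run against a mounted disk image;
# pass "" for the live system.
find_suspect_cron() {
    grep -rlE 'curl|wget|base64|php[[:space:]]+-r' \
        "$1/etc/cron.d" "$1/etc/crontab" "$1/var/spool/cron" 2>/dev/null | sort
}

# Usage: sh wp-triage.sh /var/www/html   (path is an assumption)
if [ -n "${1:-}" ]; then
    for check in find_suspect_php find_php_in_uploads find_recent find_world_writable; do
        printf '== %s\n' "$check"
        "$check" "$1"
    done
    printf '== find_suspect_cron (live system)\n'
    find_suspect_cron ""
fi
```

Every hit is a lead, not a verdict: review each file by hand, and treat a match in a vendored library more sceptically than one in a theme's functions.php. The database-side items on the list (backup accounts, WordPress cron, the injected pages) are easiest to cover with WP-CLI, where available: wp core verify-checksums and wp plugin verify-checksums --all compare shipped files against upstream, wp user list shows the accounts, and wp cron event list shows WordPress-level scheduled tasks.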

This message

Pictures from the good ol’ days

My friends from childhood will know my dad. He was likely their high school principal (he was mine too) in a very small town (of about 2500 people on a good day). Those who knew our school may have seen the inside of his office; some were there because they stopped in for a nice visit, others were directed there by upset teachers. In either case, seeing the wall in his office was somewhat overwhelming. At peak, he had 70+ 8×10 photos framed and hanging on his wall. The pictures were of various sports teams and graduating classes from his tenure as principal.

I found those pictures in some old boxes recently. Almost 100% of them were taken by one of our high school math teachers, Jim Mikeworth, who was also a local photographer. Mr. Mike said he was fine with me posting the pictures, so I scanned all of them in and posted them online. If you have a facebook account, you may have already seen them, but if not, they are still accessible without a facebook account. You can find the pictures at https://www.facebook.com/franknorriswall. I hope you enjoy them!

My dad died almost 20 years ago and arguably was one of the most loved men in the history of Villa Grove. He would love for everyone to enjoy this shrine to his office wall of pictures–he was very proud of all the kids that passed through VGHS during his time there (1978-1993, I think).

Collaborate 16: My sessions

I’ll be at Collaborate 16 next month and looking forward to seeing lots of good friends, learning some new things, and sharing a little experience too. For the last of those, I’ll present 3 sessions, er, more like 2.2 sessions:

  • Wed, 13-Apr, 12:45-12:55pm: Oak Table World 10-minute Lightning talk “Tools used for security and compliance on Linux” [slides]
  • Wed, 13-Apr, 3-4pm: Oak Table World session “IPv6: What You Need to Know (with Linux & Exadata references)” [slides]
  • Thu, 14-Apr, 12:15-1:15pm (saving the best for the dead last slot in the conference?): “Exadata Database Machine Security” [slides]

I’ve spent a lot of the last year on security projects and related investigations, so you’ll notice that my topics also trend in that direction. Hopefully, the usually boring security stuff will be a little more fun or at least that’s one goal for my sessions.

Additionally, I’m one of the Oracle Liaisons for the Oracle Exadata Special Interest Group (a.k.a. Exadata SIG) and the group will also have a meeting at Collaborate.

  • Wed, 13-Apr, 4:15-5:15pm: Exadata SIG meeting

I’ll be at the conference all week, attending sessions, hopefully talking with some Exadata customers, and trying to learn a few things about topics foreign to me. Hope to see you there!

OOW 2015: my presentation

I don’t have an official OOW presentation in the conference this year. However, I am presenting a session at the Oak Table World 2015 event being held concurrently with OOW 2015. My topic is “Exadata Database Machine Security” and I plan to review some of the newest updates to security for the Exadata Database Machine engineered system.

As the website indicates, the event is completely free and there is no pre-registration or enrollment required–just show up and come on in to hear some great speakers present on great topics. Hope to see you there on Monday, October 26, 2015!

UKOUG Tech14 slides – Exadata Security Best Practices

I think 2 years is long enough to wait between posts!

Today I delivered a session about Oracle Exadata Database Machine Best Practices and promised to post the slides for it (though no one asked about them :). I’ve also posted them to the Tech14 agenda as well.

Direct download: UKOUG Tech14 Exadata Security slides

Movember 2012: The ‘stache returns!

In 2011, I joined many others in the Movember event for the first time. This is a fund-raising effort where participants grow a mustache for the month of November and collect donations to support men’s health, specifically prostate and testicular cancers. Individuals can participate on their own or as a team, but no matter what you donate, it all goes to the same place. In my first year, I managed to collect $754 from 15 donors! Hopefully, I’ll exceed my previous year’s fundraising this year…just not sure what mustache style will bring in the most money yet?!

To see photo updates of how my ‘stache is coming along and to make donations, go to my page on Movember. Thanks for any donation you can make!

OOW 2010 Plans and Anti-plans

I have plenty of things that are keeping me busy for OOW 2010 and you’ll all get to see the results at the event (if you’re there), but I only have one traditional technical session where I’ll be on stage. I’m presenting the following session jointly with an Oracle Database Machine customer:

Session ID: S316824
Title: Top 10 Lessons Learned in Deploying the Oracle Exadata
Tuesday, September 21, 12:30PM
Location: Moscone South, Rm 307

Check the OOW 2010 content catalog for updated room assignments and times.

Even better than a technical session is the interview and Q&A session I’m doing on Oracle Technology Network Live which is 30 minutes of pure technical talk about Exadata. The session is properly titled “Exadata for Geeks” and I’ll be joining Justin Kestelyn, editor of Oracle Technology Network at the OTN Lounge which is located in the Mason Street tent this year (*not* the previous location in Moscone West).

Significantly, this year I elected not to organize what would have been the 3rd annual pre-OOW scuba dive in Monterey Bay. Time and my work requirements are the primary reasons for this, but it also is a result of the fact that not a single person asked me about it, so apparently it was just for me after all :). Instead, I’m hoping that I might get to visit Alcatraz this year. I’ve been to SF so very many times in the past 12 years, but have yet to take that tour, so I think it’s time (I’ve heard it is a really interesting tour).

See you in SF!

unplumb (or unbinding) NICs on Linux

I’ve been quiet for a long time now, but this entry hopefully will shake the cobwebs off and get me back into the habit.

I recently had a need to “unplumb” (from Solaris fame) or make interfaces on Linux “disappear” from the ifconfig list. It could be that I don’t know how to completely deconfigure an interface, but I didn’t find any methods to unassign an IP address from a Linux Ethernet interface after it was assigned. You can take interfaces down (ifconfig eth3 down) and reconfigure them to assign different addresses, but not remove the address completely.

After many searches and finding nothing that matched my need, I turned to my fellow Oakies (thanks, Mark!) who turned up this post from 2 years ago that hinted at a solution. It is driver-specific which is not ideal, but that makes sense given what I’m trying to do.

Here’s the generic version of the solution:

echo "<interface_name>" > /sys/bus/pci/drivers/<driver_name>/unbind

Determining the driver_name is pretty simple: check the /etc/modprobe.conf file (on OEL/RHEL 5.x). In that file, you’ll find things like this:

...
alias eth0 igb
alias eth1 igb
alias eth2 igb
alias eth3 igb
...

These lines indicate that the Ethernet driver used on this system by eth[0-3] is the igb driver. Now that you know the driver name, the tricky part is figuring out what the driver wants you to use as the interface name. I’ll give a few examples (and I haven’t figured out the scientific way to determine what the driver expects short of reading source code).

For the bnx2 driver, you can use the relatively simple ethernet interface name, like this:

echo "eth2" > /sys/bus/pci/drivers/bnx2/unbind

For my test system, the igb driver doesn’t use the “simple” Ethernet interface name like the bnx2 driver does. Instead, when trying that, it gives an error that the interface doesn’t exist. Time to dig in a little deeper.

On this system, the igb directory looks like this:

# ls -l /sys/bus/pci/drivers/igb/


So, knowing that I have 4 interfaces on the system, I made the correlation to the 4 addresses that appear as symlinks in the driver’s directory and expect that they indicate the interface name. Checking a couple of those (each symlink references a directory), I see this:

# ls -Ll /sys/bus/pci/drivers/igb/0000:01:00.0


You can see the directory with name “net:<interface_name>” as a subdirectory in each listing above. This tells us which interface from /sys/bus/pci/drivers/igb/0000* corresponds with which of the Linux Ethernet interface names. From this, we can see that eth2 is really 0000:07:00.0. So, in order to unbind this interface such that it no longer appears in the “ifconfig -a” output, we run this command:

echo "0000:07:00.0" > /sys/bus/pci/drivers/igb/unbind

and then it no longer appears in the “ifconfig -a” output. The echo command above takes effect immediately but does not persist through a reboot: the igb module is still loaded for the other three interfaces and will claim all four devices again at boot, so commenting out the corresponding alias line in /etc/modprobe.conf only drops the eth2 name mapping and does not keep the device unbound. To make it permanent, re-issue the same unbind write from a boot-time script (for example /etc/rc.local on OEL/RHEL 5.x) after the driver has loaded.
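
The guessing step above can be skipped entirely: the unbind file on the PCI bus matches on the PCI device name, i.e. the bus address, for every PCI driver, and sysfs already records that address for each interface as the target of /sys/class/net/<interface>/device (and the driver as the target of <device>/driver). The script below is an added example, not from the original post, that resolves an interface name to both values and performs the unbind. The function names and the optional sysfs-root argument (used to exercise it against a constructed tree) are assumptions for illustration; eth2, 0000:07:00.0 and igb are the values from the post.

```sh
#!/bin/sh
# Added example (not from the original post): resolve a Linux interface name to the
# PCI address and driver that sysfs records for it, then unbind it. Works for igb,
# bnx2 or any other PCI NIC driver, since the unbind file matches on the PCI address.
# $2 (optional) is a sysfs root other than /sys, an assumption used for testing
# against a constructed tree.

# PCI address behind interface $1, taken from /sys/class/net/<iface>/device.
# Virtual interfaces (lo, bridges, bonds) have no such link and are rejected.
pci_addr_of() {
    dev="${2:-/sys}/class/net/$1/device"
    if [ ! -L "$dev" ]; then
        echo "$1: no backing PCI device (virtual interface?)" >&2
        return 1
    fi
    basename "$(readlink -f "$dev")"
}

# Kernel driver currently bound to interface $1, from <device>/driver.
driver_of() {
    drv="${2:-/sys}/class/net/$1/device/driver"
    if [ ! -L "$drv" ]; then
        echo "$1: no driver bound" >&2
        return 1
    fi
    basename "$(readlink -f "$drv")"
}

# Detach the device behind $1 from its driver; the interface then disappears
# from "ifconfig -a" / "ip link" until the next reboot or an explicit bind.
unbind_iface() {
    addr=$(pci_addr_of "$1" "${2:-}") || return 1
    drv=$(driver_of "$1" "${2:-}") || return 1
    printf '%s\n' "$addr" > "${2:-/sys}/bus/pci/drivers/$drv/unbind"
}

# Usage (as root): sh unbind-nic.sh eth2
if [ -n "${1:-}" ]; then
    printf '%s is %s on driver %s\n' "$1" "$(pci_addr_of "$1")" "$(driver_of "$1")"
    unbind_iface "$1"
fi
```

After the unbind, the address no longer appears under /sys/bus/pci/drivers/<driver>/ and the interface is gone from “ifconfig -a”; writing the same address to the driver's bind file brings it back without a reboot.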

Now, hopefully the next blog post after this one won’t require 14 more months of preparation!

New job, lots of exciting stuff

It’s been a week since I started my new job at Oracle Corporation. I’m a remote worker which means that the first day of work wasn’t the usual event since I just went to my home office and got on a concall with my new manager. After getting connectivity and accounts set up properly, I was able to pretty quickly work through the new hire checklist of forms and mandatory training.

My new Oracle-provided laptop arrived around mid-week and I realized that, at least for now, I’ll have to revert back to using the Windows-based laptop and (hopefully temporarily) put my MacBook Pro on the shelf. Actually, my wife is very excited since she’ll get the MBP to use now and we’ll do the usual “trickle down” to the kids so that the oldest computer in the “fleet” will get ditched.