Gootloader infection cleaned up

Dear blog owner and visitors,

This blog had been infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisoning. Your blog was serving up 383 malicious pages. Your blog served up malware to 0 visitors.

I tried my best to clean up the infection, but I would still do the following:

  • Upgrade WordPress to the latest version (one way the attackers might have gained access to your server)
  • Upgrade all WordPress themes to the latest versions (another way the attackers might have gained access to your server)
  • Upgrade all WordPress plugins (another way the attackers might have gained access to your server), and remove any unnecessary plugins
  • Verify all users are valid (in case the attackers left a backup account to get back in)
  • Change all passwords (for WordPress accounts, FTP, SSH, database, etc.) and keys. This is probably how the attackers got in, as they are known to brute force weak passwords
  • Run antivirus scans on your server
  • Block these IPs (5.8.18.7 and 89.238.176.151), either in your firewall, .htaccess file, or in your /etc/hosts file, as these are the attackers' command-and-control servers, which send malicious commands for your blog to execute
  • Check cronjobs (both server and WordPress), aka scheduled tasks. This is a common method an attacker will use to get back in. If you are not sure what this is, Google it
  • Consider wiping the server completely, as you do not know how deep the infection is. If you decide not to, I recommend installing some security plugins for WordPress to scan for any remaining malicious files. Integrity Checker, WordPress Core Integrity Checker, Sucuri Security, and Wordfence Security all do some level of detection, but none is 100% guaranteed
  • Go through the process for Google to recrawl your site, to remove the malicious links (to see what malicious pages there were, go to Google and search site:your_site.com agreement)
  • Check subdomains, to see if they were infected as well
  • Check file permissions
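Added example, not part of the notice above: a POSIX shell triage pass over a WordPress document root that covers the file-system side of the checklist (obfuscated PHP, PHP dropped under wp-content/uploads, recently changed PHP files, and an Apache 2.4 .htaccess block for the two C2 addresses named above). The sample tree it builds is constructed here so the script runs offline; the function names and the ROOT/TRIAGE_DEMO variables are this example's own, not anything from the notice or from WordPress.

```shell
#!/bin/sh
# Added example, not part of the original notice. First-pass triage of a
# WordPress tree for the artifacts the cleanup checklist asks about.
# The sample tree is constructed below; point ROOT at a real document
# root (with TRIAGE_DEMO=0) to run the same functions against a live site.

# The two command-and-control addresses named in the notice.
C2_IPS="5.8.18.7 89.238.176.151"

# Constructed sample tree: one clean theme file, one theme file carrying an
# injected eval/base64 loader, and a PHP shell hidden among the uploads.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/twentytwenty" "$root/wp-content/uploads/2021/03"
    printf '<?php\nfunction tt_setup() { add_theme_support("title-tag"); }\n' \
        > "$root/wp-content/themes/twentytwenty/functions.php"
    printf '<?php\n@eval(base64_decode($_POST["x"]));\n' \
        > "$root/wp-content/themes/twentytwenty/header.php"
    printf '<?php system($_GET["c"]);\n' \
        > "$root/wp-content/uploads/2021/03/image.php"
    printf 'GIF89a' > "$root/wp-content/uploads/2021/03/photo.gif"
    printf '# BEGIN WordPress\n' > "$root/.htaccess"
    echo "$root"
}

# PHP files calling the execution/obfuscation primitives injected code relies
# on. Hits are leads, not verdicts: some plugins use base64_decode legitimately,
# so read each file before deleting it.
scan_suspicious_php() {
    grep -rlE --include='*.php' \
        'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|system\(|shell_exec\(|passthru\(|assert\(' \
        "$1" 2>/dev/null | sort
}

# wp-content/uploads holds media only; any .php there is hostile until proven otherwise.
scan_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# PHP files changed within the last N days (default 7): attackers re-drop files after a cleanup.
recently_modified_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-7}" 2>/dev/null | sort
}

# Apache 2.4 .htaccess fragment: deny the C2 addresses while still granting everyone else.
htaccess_block_rules() {
    echo '<RequireAll>'
    echo '    Require all granted'
    for ip in $C2_IPS; do
        echo "    Require not ip $ip"
    done
    echo '</RequireAll>'
}

# Returns 0 only if every C2 address already has a "Require not ip" line in .htaccess.
htaccess_blocks_c2() {
    for ip in $C2_IPS; do
        grep -qF "Require not ip $ip" "$1/.htaccess" 2>/dev/null || return 1
    done
    return 0
}

# Stand-alone run against the constructed tree.
if [ "${TRIAGE_DEMO:-1}" = "1" ]; then
    ROOT=$(make_sample_tree)
    echo "== suspicious PHP under $ROOT";  scan_suspicious_php "$ROOT"
    echo "== PHP in uploads";              scan_php_in_uploads "$ROOT"
    echo "== PHP modified in last 7 days"; recently_modified_php "$ROOT" 7
    htaccess_blocks_c2 "$ROOT" || { echo "== C2 not blocked yet; appending rules"; htaccess_block_rules >> "$ROOT/.htaccess"; }
    rm -rf "$ROOT"
fi
```

Two caveats a practitioner should keep in mind. The .htaccess rules only refuse inbound requests from those addresses; if the injected code is what reaches out to the C2 (the Sophos "mothership" write-up linked below describes that direction), the block has to be an outbound firewall rule on the host, and an /etc/hosts entry cannot block an IP at all, since that file only maps names. Also, this script does not see WordPress cron entries (they live in the database, so check them with wp-cli or the admin UI) or the SEO pages themselves, which are generated on request rather than stored on disk, which is why the notice tells you to check Google's index for them.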

Gootloader (previously Gootkit) malware has been around since 2014, and is used to initially infect a system and then sell that access off to other attackers, who usually deploy additional malware, including ransomware and banking trojans. Cleaning up your blog will make a dent in how they infect victims. PLEASE try to keep it up-to-date and secure, so this does not happen again.

Sincerely,

The Internet Janitor

Below are some links to research/further explanation on Gootloader:

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/

https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

https://www.richinfante.com/2020/04/12/reverse-engineering-dolly-wordpress-malware

https://blog.sucuri.net/2018/12/clever-seo-spam-injection.html

This message

New User Group: North India Oracle Users Group (nioug.org)

I was contacted a few months ago by some motivated individuals who were members of the Oracle RAC SIG. They wanted to start a new local Oracle user group in their region of Northern India and were looking for advice. I offered a few pointers and recently, they launched the new group – North India Oracle Users Group at nioug.org.

If you are in Northern India or have colleagues or friends that are located there, you should check out this group. If you would like to get involved by coordinating a meeting, being a speaker, or helping in any way, I’d encourage you to contact one of the individuals listed on the Board of Directors to see how you can help as a volunteer. They’re allowing registration for free (at least for now) too.

They’ve also established a blog to publish upcoming news on events and happenings with the group. It has an RSS feed, so you may want to subscribe to easily track the new posts there.

Good luck to all the volunteers and the new group!

RIP My Windows Laptop

It’s official, I’m a Mac user now. I say user and not “Mac guy” because I was never a “Windows guy” either. If you need to label me, I guess I’m a “Linux guy”. Anyway, my first week with the Mac as my full-time machine has been pretty easy overall. I still don’t know Mac OS X as well as I know WinXP, but I’m overall less annoyed with the Mac (even with the unknowns) on a daily basis.

So far, I’ve been able to port over the things I use frequently like twhirl, IM (Adium), Firefox, VMWare, Thunderbird, and, since my company and customers are heavily vested in .doc, .ppt, and .xls, MS Office with Outlook-replacement Entourage. Of course, where would I be without iTunes?

I read an interesting article today that I thought summed up a lot of peoples’ apprehension or resistance to switching. The bottom line is that most people fear what they don’t know or understand and it’s just easier to avoid change since that would require work to re-learn many tasks.