On Malware

A handful of individuals reported to me, mostly via email, that their antivirus software had warned them of a blocked, but unspecified, malware infection when they attempted to visit Aiera today. To them, and to anyone else who got similar warnings, my apologies.

However, you’ll be happy to know that as of this evening, the site appears to be clean again:

[singlepic id=2384 w=568 h=568 float=center]

Site check...checks out!

So…where did this come from?

The short answer is: I don’t know. I have my suspicions, and have made a few edits to certain files and functions (timthumb, I am soooo looking at you!) to tighten their security.

The long answer is: Website malware isn’t significantly different from OS malware in terms of the design philosophy behind it. At a technical level, yes, very different, and yes, its attack vectors are different as well. But ultimately, website malware designers — like OS malware designers — look first at the big target. By virtue of the fact that I use WordPress, I’m a bigger target automatically.

I also use a number of plugins on the site, and while I am eternally grateful to the WordPress community for the development of all these little things that make the site operate just a little bit better, well…I think everyone here knows how easy it can be for a spare-time developer to drift away from a really neat project he was once rather passionate about. Not all the plugins I use are kept up to date by their original developers, and I will probably have to cull some of the older ones in the near future.

Finally, I use a pretty sweet template on the site, if I do say so myself, which offers a fair bit of functionality and style above and beyond just any basic WordPress template. But that comes at a cost too; the template has a handful of advanced scripts (like timthumb) running behind it which control some of its features. These, too, can contain vulnerabilities if they are not updated and maintained, as surely as any plugin.

The plan: Going forward, I’m going to look at moving the site to a better template, something which is a little more current and a little easier to manually tweak if the need should arise. As mentioned, I’m going to cull some old plugins, and either kiss their functionality goodbye or find a more current replacement that is still being actively maintained. And I think doing regular checks of the site using Sucuri SiteCheck will also become part of my online routine.

How you can help: If you see problems when visiting the site, let me know as soon as possible. If possible, hit up something like Sucuri SiteCheck and plug in Aiera’s domain name; grab a screenshot of the results and send that my way. Sending antivirus or anti-malware logs or screenshots that list which file(s) on the site are causing the issue is also a good idea.

Most of all, though, just be vigilant, and also patient. The success of the site still surprises and throws challenges at me from time to time.
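The plan above (cull stale plugins, re-check the site regularly) and the request for readers to report which files are being flagged both come down to one question: which files under wp-content actually changed, and when? A remote scanner like Sucuri SiteCheck tells you that something is wrong; a local integrity baseline tells you exactly which files. The script below is an added example written for this post, not code from the site, from WordPress, or from Sucuri. It snapshots SHA-256 hashes of the script and PHP files under a directory, diffs two snapshots, and runs a constructed scenario (a small fake wp-content tree in a temporary directory, with every .js file altered afterwards) that mirrors the "all the JS files, and only the JS files" symptom described in the comments. The watched file types and the sample paths are assumptions for the demo.

```python
"""Minimal file-integrity baseline for a WordPress wp-content directory.

Added example, not part of the original post. Usage on a real site would be:
    python integrity.py snapshot  -> writes baseline.json
    python integrity.py check     -> prints added / removed / modified files
(the command-line wrapper is omitted; call snapshot()/diff_snapshots() directly).
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: these are the file types worth watching; static assets like CSS
# and images are left out to keep the baseline small and the diff readable.
WATCHED = {".js", ".php", ".htaccess"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each watched file (relative POSIX path) under root to its hash."""
    result = {}
    for path in sorted(root.rglob("*")):
        # .htaccess has no suffix, so match on the full name as well
        if path.is_file() and (path.suffix in WATCHED or path.name in WATCHED):
            result[path.relative_to(root).as_posix()] = hash_file(path)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Return the files that appeared, disappeared, or changed hash."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(name for name in baseline.keys() & current.keys()
                      if baseline[name] != current[name])
    return {"added": added, "removed": removed, "modified": modified}


def save_snapshot(snap: dict, path: Path) -> None:
    """Persist a baseline; keep this file outside the web root."""
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_snapshot(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: take a baseline, then alter every .js file and add one PHP file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wp-content"
        files = {  # constructed sample tree, names chosen to look like a real install
            "plugins/wp-polls/polls-js.js": "function pollVote() {}\n",
            "plugins/wp-polls/wp-polls.php": "<?php // plugin main file\n",
            "themes/mytheme/js/slider.js": "var slider = {};\n",
            "themes/mytheme/style.css": "body {}\n",  # not watched, should never appear
        }
        for rel, text in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        baseline = snapshot(root)

        # Simulate the symptom from the comments: every .js file altered, nothing else.
        for rel, text in files.items():
            if rel.endswith(".js"):
                (root / rel).write_text(text + "/* constructed: appended content */\n")
        # And one file that was not in the baseline at all.
        (root / "plugins/wp-polls/extra.php").write_text("<?php\n")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a real install, the first snapshot should be taken right after a clean reinstall of plugins and theme, and the baseline file should live outside the web root. A diff that lists only .js files, as in this case, points at something rewriting scripts wholesale (a host-side feature, a theme function, or an injected loader) rather than at one bad plugin; a diff that lists a single new .php file is the more usual sign of a dropped backdoor and is what a reader's A/V screenshot would ideally be matched against.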

10 Responses

  1. renaak says:

    The malware notices are gone, now getting trojan horse warnings on all pages.

    URL: http://www.ultimaaiera.com/wp-content/plugins/wp-polls/polls-js.js?ver=2.50
    Infection: js:Redirector-NL [Trj]

    • WtF Dragon says:

      I know what this is!

      Or, at least, I have a strong suspicion. This is affecting almost all the JS files on the site…and only the JS files. Which is relevant.

      Were this the fault of some piece of malware, I’d likely be hearing about more sites getting hit with it, especially something capable of compromising all the script files on a site across all plugins.

      However, this problem first appeared when I asked Mediatemple to take a look at why certain script-driven site functions weren’t working. They evidently turned on some kind of logging feature on the site’s JS…I wonder if that’s what everyone is seeing, and why A/V suites can’t identify it as anything beyond a nameless redirection trojan?

      Regardless, I’ll replace all the site plugins, and I’ll ask Mediatemple to discontinue logging. Keep me posted if any other site files get flagged, okay?

  2. Infinitron says:

    Kenneth: It’s almost certainly something related to ads.

  3. Sergorn says:

    If that’s an ad issue, isn’t it a false positive though?

  4. Odkin says:

    It appears clean to me (and Microsoft Security) now. I was getting warnings before today, and now nothing.

    • WtF Dragon says:

      Yeah, it turned out to be what I thought, and asking for logging to be deactivated seems to have quenched things. Still going through site JS when I can find time, just to be safe.

  5. renaak says:

    Still get the same warning on each page.

  6. WtF Dragon says:

    Hmmn…I wonder if I’m still caching some of the problem-causing files?

    That’s easy enough to correct for.

    Same file still giving problems? WP-POLLS?

  7. Sanctimonia says:

    No problems right now (or ever) on your site. Clean in recent versions of Chrome and Firefox.

  8. renaak says:

    Yes, it was the same file.

    No warnings now, everything appears fine.