Dear blog owner and visitors,

This blog had been infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisoning. Your blog was serving up 291 malicious pages. Your blog served up malware to 0 visitors.

I tried my best to clean up the infection, but I would do the following:

  • Upgrade WordPress to the latest version (one way the attackers might have gained access to your server)
  • Upgrade all WordPress themes to the latest versions (another way the attackers might have gained access to your server)
  • Upgrade all WordPress plugins (another way the attackers might have gained access to your server), and remove any unnecessary plugins.
  • Verify all users are valid (in case the attackers left a backup account, to get back in)
  • Change all passwords (for WordPress accounts, FTP, SSH, database, etc.) and keys. This is probably how the attackers got in, as they are known to brute-force weak passwords
  • Run antivirus scans on your server
  • Block these IPs (5.8.18.7 and 89.238.176.151), either in your firewall, .htaccess file, or in your /etc/hosts file, as these are the attackers' command-and-control servers, which send malicious commands for your blog to execute
  • Check cronjobs (both server and WordPress), aka scheduled tasks. This is a common method that an attacker will use to get back in. If you are not sure what this is, Google it
  • Consider wiping the server completely, as you do not know how deep the infection is. If you decide not to, I recommend installing some security plugins for WordPress, to try and scan for any remaining malicious files. Integrity Checker, WordPress Core Integrity Checker, Sucuri Security, and Wordfence Security all do some level of detection, but none is 100% guaranteed
  • Go through the process for Google to recrawl your site, to remove the malicious links (to see what malicious pages there were, go to Google and search site:your_site.com agreement)
  • Check subdomains, to see if they were infected as well
  • Check file permissions

Gootloader (previously Gootkit) malware has been around since 2014, and is used to initially infect a system and then sell that access off to other attackers, who then usually deploy additional malware, including ransomware and banking trojans. Cleaning up your blog will make a dent in how they infect victims. PLEASE try to keep it up-to-date and secure, so this does not happen again.

Sincerely,

The Internet Janitor

Below are some links to research/further explanation on Gootloader:

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/

https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

https://www.richinfante.com/2020/04/12/reverse-engineering-dolly-wordpress-malware

https://blog.sucuri.net/2018/12/clever-seo-spam-injection.html