After Action Report on my Hacked WordPress Fixvirus.com

I received a LinkedIn message on Monday from a good friend of mine, Leland. After a couple of messages (at first Leland thought I was doing some kind of test; his initial message asked if I was security testing with a casino link), late in the evening he sent this:

[image: LinkedIn message from Leland]

Notice the important line: FF 36 on Linux … JavaScript blocked.

So he used a Linux system which was blocking the JavaScript hacking code on his machine.

This is what the site looked like on Monday:

[image: the old fixvirus.com page, February 2015]

Sorry for the size, but I wanted to show the complete page as it looked in a Firefox private window. Do you see the little tiny black dot in the upper left of the page?

That was the JavaScript (I believe) that Leland (Omnitec Corporation) bumped into and that I could not see from a Windows environment. Leland is a good friend to have gone and bothered to contact me, but I have known him for many years, and this kind of detailed constructive comment is typical. I am also watching his YouTube video from the NagiosCon right now: http://www.youtube.com/watch?v=jmxOCXkSfEc

I make a big deal about this because an honest assessment is worth gold in this world.

So with this information I decided to make the switch final, as I had been thinking of moving my site anyway. I had been having some problems with my (now) old hosting company, 1and1.com; the company had been moving to a simpler user interface over the years (I had been a customer of 1and1.com since 2009).

When I set up Oversitesentry.com I did not add it to 1and1.com, instead moving to a different hosting provider, inmotionhosting.com, which is where this site is located. I am used to “complex” IT configurations, and in fact know and have used cPanel etc.

Well, cPanel was removed as an option sometime in 2013 at 1and1.com, I think. So I had been thinking of moving for a while, and was testing an additional WordPress site on inmotionhosting.com, so I took all day yesterday (woke up at 4am) and moved the site one post at a time. I copied and pasted into a new base WordPress install instead of trying to move the database, since I was not sure where the hack was in the WordPress install.

[image: close-up of the dot on the hacked site]

Notice the little dot, which I blew up here and marked with a large arrow.

I have always wanted to see a hacked WordPress site as an example, so I suppose I got my wish… I have copied the site files etc. from the now old hosting company.

In the late afternoon, once the site was operational the way I wanted it at http://www.fixvirus.com, I went to my registrar and pointed the name servers to the new company (ns.inmotionhosting.com and ns2.inmotionhosting.com).

It is interesting to note here that what used to take a weekend or 12-48 hours, moving a domain from one hosting company to another, now takes only a couple of hours. The old servers are receiving only a trickle of email (using the old DNS IP addresses) as of noon. By tomorrow I should be able to pull the plug on the old site altogether.

So, two lessons here: use a Linux system with JavaScript off, and in general use many different devices to look at your WordPress pages. And have someone else look at your site, as you may just not be finding something that you have looked at many times over and over.

Just like what we recommend on Twitter @fixvirus with our hashtag #testforsecurity.

Hacked WordPress code is supposedly difficult to find, so I took the other route and just migrated my site from one hosting company to another.

In the future I am installing a Sucuri plugin and making backups more often. Now I have a clean backup with the current 100 posts and 15 pages.

The backups will be easier to manage with the new hosting company.

Let me know how I can help http://oversitesentry.com/tonyz/pubhtml/fixvirus/contact-us/

A future project will be to reload the infected site on a test platform and check for the hack code.
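As an added example of how such a check on a test platform could start (this is not the author's code, and it does not describe what was actually found on fixvirus.com), the script below does two things with a copied WordPress tree: it hashes every file against a clean reference install to list modified and added files, which mirrors the "fresh base install" approach used for the migration above, and it greps the tree for obfuscated PHP loaders and for hidden page elements (tiny or off-screen iframes, off-screen containers, injected document.write calls), one common way an injection shows up as a stray dot on a page. The regular expressions are heuristics, not signatures of any specific malware; the file names, directory layout and file contents in the demo are constructed here so the script runs offline.

```python
"""Added example: first-pass check for injected code in a copied WordPress tree.

Two checks are combined:
  1. compare_to_clean(): hash every file under a suspect tree and a clean
     reference install; report files that were modified or added.
  2. scan_tree(): line-by-line patterns for obfuscated PHP loaders and for
     hidden page elements (tiny/off-screen iframes, injected script writes).
The patterns are assumptions about what commonly appears in such infections,
not signatures of any particular malware. The demo tree is constructed.
"""
import hashlib
import os
import re
import tempfile

# (label, regex). Each hit is a lead for manual review, not proof of compromise.
PATTERNS = [
    ("php-eval-decoder",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("php-long-base64",            # a single quoted blob of 200+ base64 chars
     re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
    ("php-preg-replace-e",         # deprecated /e modifier executes the replacement
     re.compile(r"preg_replace\s*\(\s*['\"].*?/e['\"]", re.I)),
    ("html-hidden-iframe",         # 0/1 px or display:none iframes
     re.compile(r"<iframe[^>]*(?:width\s*=\s*[\"']?[01]\b|height\s*=\s*[\"']?[01]\b|display\s*:\s*none)[^>]*>", re.I)),
    ("html-offscreen-element",     # element pushed far off-screen via left/top
     re.compile(r"style\s*=\s*[\"'][^\"']*(?:left|top)\s*:\s*-\d{3,}px", re.I)),
    ("js-document-write-unescape",
     re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
]


def scan_text(path, text):
    """Return (path, label, line_no) for every pattern hit in the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in PATTERNS:
            if rx.search(line):
                findings.append((path, label, lineno))
    return findings


def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Scan every file with a matching extension below root (deterministic order)."""
    findings = []
    for dirpath, dirnames, names in os.walk(root):
        dirnames.sort()
        for name in sorted(names):
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(os.path.relpath(full, root), fh.read()))
    return findings


def _hashes(root):
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def compare_to_clean(clean_root, suspect_root):
    """Files whose SHA-256 differs from the clean copy, and files the clean copy lacks."""
    clean, suspect = _hashes(clean_root), _hashes(suspect_root)
    modified = sorted(p for p in suspect if p in clean and suspect[p] != clean[p])
    added = sorted(p for p in suspect if p not in clean)
    return {"modified": modified, "added": added}


def _write(root, rel, content):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(content)


def build_demo():
    """Constructed clean and suspect trees (hypothetical contents, not real site files)."""
    clean, suspect = tempfile.mkdtemp(prefix="wp-clean-"), tempfile.mkdtemp(prefix="wp-suspect-")
    core = '<?php\nfunction wp_hello() { return "hi"; }\n'
    footer = "<?php wp_footer(); ?>\n</body></html>\n"
    _write(clean, "wp-includes/functions.php", core)
    _write(clean, "wp-content/themes/t/footer.php", footer)
    # Suspect copy: core file gained an eval loader, theme footer gained a hidden
    # 1x1 iframe inside an off-screen div, and an extra PHP file appeared in uploads.
    _write(suspect, "wp-includes/functions.php", core + 'eval(base64_decode("aGVsbG8="));\n')
    _write(suspect, "wp-content/themes/t/footer.php",
           '<?php wp_footer(); ?>\n<div style="position:absolute;left:-9999px;top:0">'
           '<iframe src="http://example.invalid/x" width="1" height="1"></iframe></div>\n'
           "</body></html>\n")
    _write(suspect, "wp-content/uploads/cache.php", '<?php $x="' + "A" * 240 + '"; ?>\n')
    return clean, suspect


def run_demo():
    clean, suspect = build_demo()
    return compare_to_clean(clean, suspect), scan_tree(suspect)


if __name__ == "__main__":
    report, findings = run_demo()
    print("modified:", report["modified"])
    print("added:   ", report["added"])
    for path, label, lineno in findings:
        print(f"{path}:{lineno}: {label}")
```

The hash comparison is the more reliable of the two checks, because it needs no guess about what the injected code looks like; the pattern scan is there to point at the likely lines in files that differ and at extra files (anything executable under uploads/ deserves a look). For WordPress core files specifically, WP-CLI's `wp core verify-checksums` does the same hash comparison against the official release.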


Updated 3/19/15 – made some minor edits