SEO BLOG

Search & Social Media Survival Guide

Hello Dear SEO 2.0 Readers!

Unfortunately, the SEO 2.0 blog was compromised yesterday, along with other sites on my server. The purpose of the attack was to spread malware.

If you visited the SEO 2.0 blog or onreact.com in the morning or during the daytime of April 6, your computer might have been infected with a trojan.

Have you seen the following error on SEO 2.0?

“Parse error: syntax error, unexpected ‘<’ in /kunden/onreact.com/webseiten/seo2.0/wp-includes/default-widgets.php on line 1034”

Then your system might have been compromised as well. onreact.com itself was also infiltrated but showed no error message, so not seeing the message does not mean your system is clean.

I will try to explain the attack and how you can clean your computer and protect yourself. I am not enough of a computer security expert to trace the attack completely or explain it very accurately, but I’m Web savvy enough to deal with the attack.

It seems the attack was not made possible by a WordPress security hole.

It seems an ages-old version of FCKeditor on my server was the hole the attackers exploited to insert the malware code.

  1. The malware code was a piece of JavaScript inserted into all files containing “index” in their names and all files ending in .js.
  2. The JavaScript code inserted a hidden iframe into my websites.
  3. The hidden iframe executed a script that attacked your browser (here Firefox) via outdated Adobe Reader or Adobe Flash plugins.
  4. It then loaded a trojan on your computer using those plugins.
  5. The purpose of the trojan was most probably to or to load other malware onto your system.
  6. The trojan might also have been able to steal your passwords, especially FTP passwords, to infect your server as well.

What can you do now if you think you might have been a victim of this attack?

  1. Download Malwarebytes’ Anti-Malware and run a scan on your computer. If it is infected, remove the trojan.
  2. Uninstall your Adobe Reader and Adobe Flash plugins. Install the latest versions after the next startup of your browser.
  3. Check your websites for suspicious-looking, cryptic JavaScript code, especially in the index and .js files.
  4. Check the files on your FTP server for their latest timestamps and try to remember whether you actually updated them on that date.
  5. Change your FTP password to make sure nobody can use it without your permission.
  6. Delete or update all outdated software on your server: old CMS versions, counters and other scripts.
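
Steps 3 and 4 can be scripted. The following is an added example, not code from the original post: it walks a web root, looks only at the file names the post says were modified, and flags hidden iframes or packed JavaScript together with whether the file changed since the day of the compromise. The regular expressions, the cutoff constant and the `example.invalid` sample files are assumptions constructed for illustration, not signatures of the actual malware.

```python
import os
import re
import tempfile

# Assumed heuristics, not signatures from the real attack
PATTERNS = {
    "hidden-iframe": re.compile(
        r"<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|"
        r"(?:width|height)\s*=\s*[\"']?[01]\b)", re.I),
    "js-writes-iframe": re.compile(r"document\.write\s*\([^)]*iframe", re.I),
    "packed-js": re.compile(r"eval\s*\(\s*(?:unescape|String\.fromCharCode)", re.I),
}
CUTOFF = 1270512000  # 2010-04-06 00:00 UTC, the day of the compromise

def is_target(name):
    """Per the post: names containing 'index' and all .js files were modified."""
    lower = name.lower()
    return "index" in lower or lower.endswith(".js")

def scan(root, since=CUTOFF):
    """Return sorted (relative path, modified_since_cutoff, pattern names)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in filter(is_target, files):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits = sorted(k for k, rx in PATTERNS.items() if rx.search(text))
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, os.path.getmtime(path) >= since, hits))
    return sorted(findings)

def demo():
    """Scan a constructed web root; example.invalid is a placeholder host."""
    frame = '<iframe src="http://example.invalid/" %s></iframe>'
    samples = {
        "index.php": "<?php echo 'hi'; ?>" + frame % "width=1 height=1",
        "js/menu.js": "document.write('%s');" % (frame % 'style="display:none"'),
        "js/clean.js": "function ok() { return 1; }",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        # Backdate one injected file to 2010-01-01 UTC: content still matches
        os.utime(os.path.join(root, "index.php"), (1262304000, 1262304000))
        return scan(root)
```

The backdated `index.php` is still reported because its content matches, which is why the timestamp check in step 4 should accompany the content check in step 3 rather than replace it.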

For additional info and a deeper understanding of the issue plus an additional server removal tool read the following resources:


April 7, 2010

Need help? Consider a world class blog & SEO consultation by the author of SEO 2.0, Tad Chef. For full fledged SEO services like ongoing link building, contact my partners from SEO.com or look up my directory of SEO service providers and checkout reputable companies like Datadial or Redfly.

This thing has 9 Comments

  1. Posted April 8, 2010 at 01:18 | Permalink

    Aha! I was wondering where on earth that came from. I couldn’t understand how both my work and personal laptops had been infected when my browsing habits were safe/normal. At least I know now because it was really bugging me, and my fiance was getting suspicious of what I’d been doing when she wasn’t round… :)

  2. Posted April 8, 2010 at 12:34 | Permalink

    Ouch James! That’s awful. Could you clean up the mess? If not, contact me to assist you. You can chat with me here: http://nur.ph/aq2uii

  3. Posted April 8, 2010 at 13:50 | Permalink

    Hey Tad. Yeah I’m all good. A friend from work was able to help me clean it out with little fuss. So no problems now.

  4. Posted April 9, 2010 at 12:09 | Permalink

    Glad to hear, James. I don’t want to see my long-time readers get harmed by this blog.

  5. JabberStream
    Posted April 23, 2010 at 11:04 | Permalink

    Glad you gave me a hint! I was here two weeks ago and I’m happy to say I wasn’t affected.

  6. Posted April 23, 2010 at 20:40 | Permalink

    JS: Glad to hear that you’re OK. I assume that you use Linux or Mac OS. Otherwise tell me which antivirus software you use. It must be a good one.

  7. Posted May 14, 2010 at 12:51 | Permalink

    Oh! That will be a hint for us. Glad you’re OK and glad that you’ve shared it also for us to be informed too.

  8. Posted May 17, 2010 at 13:45 | Permalink

    Was that on the 16th April by any chance? I had the exact same thing with one of my sites overnight on the 15th/16th April. One of our competitors also had it at the same time. Seems there is a lot of it going on right now.

  9. Posted May 18, 2010 at 09:48 | Permalink

    Hey Steve, it was on April 6, as said in the article. I think this hack is spreading all over the place and will haunt webmasters for some time, so being hit 10 days later was no wonder.
