
Gootloader infection cleaned up

Dear blog owner and visitors,

This blog had been infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisoning. Your blog was serving up 389 malicious pages. Your blog served up malware to 7857 visitors.

I tried my best to clean up the infection, but I would do the following:

  • Upgrade WordPress to the latest version (one way the attackers might have gained access to your server)
  • Upgrade all WordPress themes to the latest versions (another way the attackers might have gained access to your server)
  • Upgrade all WordPress plugins (another way the attackers might have gained access to your server), and remove any unnecessary plugins.
  • Verify all users are valid (in case the attackers left a backup account, to get back in)
  • Change all passwords (for WordPress accounts, FTP, SSH, database, etc.) and keys. This is probably how the attackers got in, as they are known to brute force weak passwords
  • Run antivirus scans on your server
  • Block these IPs (5.8.18.7 and 89.238.176.151), either in your firewall, .htaccess file, or in your /etc/hosts file, as these are the attackers' command and control servers, which send malicious commands for your blog to execute
  • Check cronjobs (both server and WordPress), aka scheduled tasks. This is a common method that an attacker will use to get back in. If you are not sure what this is, Google it
  • Consider wiping the server completely, as you do not know how deep the infection is. If you decide not to, I recommend installing some security plugins for WordPress, to try and scan for any remaining malicious files. Integrity Checker, WordPress Core Integrity Checker, Sucuri Security, and Wordfence Security all do some level of detection, but not 100% guaranteed
  • Go through the process for Google to recrawl your site, to remove the malicious links (to see what malicious pages there were, go to Google and search site:your_site.com agreement)
  • Check subdomains, to see if they were infected as well
  • Check file permissions

Gootloader (previously Gootkit) malware has been around since 2014, and is used to initially infect a system, and then sell that access off to other attackers, who then usually deploy additional malware, to include ransomware and banking trojans. By cleaning up your blog, it will make a dent in how they infect victims. PLEASE try to keep it up-to-date and secure, so this does not happen again.

Sincerely,

The Internet Janitor

Below are some links to research/further explanation on Gootloader:

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/

https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

https://www.richinfante.com/2020/04/12/reverse-engineering-dolly-wordpress-malware

https://blog.sucuri.net/2018/12/clever-seo-spam-injection.html

This message
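The checklist in the message above is a procedure, and several of its steps can be scripted. The shell helpers below are an added example, not part of the Internet Janitor's message and not code from any WordPress plugin or project it names: they generate deny rules for the two command-and-control addresses the message lists, flag PHP files in the one directory where WordPress should only store media, list recently changed files, and dump the server-side cron sources. The Apache 2.4 directive syntax, the iptables commands, the WordPress directory layout and the WP-CLI commands mentioned in comments are assumptions of this example; the directory the file checks run over is whatever path you pass in.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the post-cleanup
# checklist. Source this file on the WordPress host and call the functions.
# Assumed: Apache 2.4 .htaccess syntax, a POSIX find, and a standard
# WordPress tree under the directory given as the first argument.

# The two command-and-control addresses named in the message.
C2_IPS="5.8.18.7 89.238.176.151"

# Print an Apache 2.4 .htaccess block denying requests from the given IPs
# while leaving everyone else allowed. Review, then append to .htaccess.
htaccess_deny_rules() {
    echo "<RequireAll>"
    echo "    Require all granted"
    for ip in "$@"; do
        echo "    Require not ip $ip"
    done
    echo "</RequireAll>"
}

# Print (do not run) iptables commands that drop inbound traffic from and
# outbound traffic to the given IPs. The OUTPUT rule matters here: it is
# the compromised site that calls out to the C2 server for commands.
iptables_block_cmds() {
    for ip in "$@"; do
        echo "iptables -I INPUT -s $ip -j DROP"
        echo "iptables -I OUTPUT -d $ip -j DROP"
    done
}

# List PHP files under wp-content/uploads. A healthy site stores only
# media there, so every hit deserves a manual look.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# List files under the WordPress root changed in the last N days
# (default 30). Anything newer than your last legitimate update that you
# did not change yourself is suspect.
recently_modified() {
    days="${2:-30}"
    find "$1" -type f -mtime "-$days" 2>/dev/null | sort
}

# Print every server-side scheduled-task source the message tells you to
# check: the system crontab, drop-ins in /etc/cron.d, and each account's
# own crontab (needs root to read other users' entries). WordPress's own
# scheduled events are separate; with WP-CLI installed, "wp cron event
# list" shows them and "wp user list" shows the accounts to verify.
dump_cron_sources() {
    for f in /etc/crontab /etc/cron.d/*; do
        [ -f "$f" ] && { echo "## $f"; cat "$f"; }
    done
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | sed "s|^|$u: |"
    done
    return 0
}

# Typical session (run as the site's administrator):
#   . ./cleanup_helpers.sh
#   htaccess_deny_rules $C2_IPS
#   php_in_uploads /var/www/html
#   recently_modified /var/www/html 14
#   dump_cron_sources
```

The functions only print; nothing is applied to the firewall or .htaccess until you paste the reviewed output yourself, which keeps a typo from locking you out of your own server mid-cleanup.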

Düsseldorf Builds a Chinatown

Düsseldorf is the capital of the German state of North Rhine-Westphalia (NRW), located at the confluence of the Rhine and the Düssel. It is an important economic and financial centre of western Germany and a hub for water, land and air transport. Chinese-funded enterprises investing and setting up in Düsseldorf have grown rapidly in recent years; large enterprises including Minmetals, ZTE, Bank of China, Huawei and Wuhan Iron and Steel have all established branches there.

The composition of the Chinese community in Germany is also changing. On one hand there are overseas Chinese born and raised in Germany and integrated into local society; on the other, a growing number of new immigrants and Chinese nationals living in Germany. Among them are professionals in many fields, working as lawyers, doctors, designers and so on, many of whom hold master's and doctoral degrees. In terms of business, beyond traditional trades such as catering, Chinese people have begun to run hotels, import-export businesses, insurance, accounting firms, specialty shops, duty-free shops and other ventures, and have even entered cutting-edge fields such as high technology.

As China rises, the social standing of the Chinese community will keep climbing. The Chinatown plan that has emerged against this background aims to establish a new image and give the area new functions: a centre for the regional Chinese community, a distribution hub for Chinese goods, an emerging-industry zone for the Chinese community, a cluster for industries dealing with China, and a local sightseeing and tourist area. At the same time it should become a community centre where Chinese people unite, support one another and take part in political affairs.

Frankfurt China Trade City

Covering a site of 40,000.00 square metres with a floor area of 20,000.00 square metres and 120 shops, it is a wholesale distribution centre bringing together Chinese merchants. Its business scope covers clothing, shoes and hats, accessories, toys, leather goods, electronics and handicrafts, and it is a well-known Chinese wholesale market in Europe.