{"id":417,"date":"2022-02-27T11:34:22","date_gmt":"2022-02-27T16:34:22","guid":{"rendered":"http:\/\/thinkstick.dreamhosters.com\/2022\/02\/gootloader-infection-cleaned-up\/"},"modified":"2022-02-27T11:34:22","modified_gmt":"2022-02-27T16:34:22","slug":"gootloader-infection-cleaned-up","status":"publish","type":"post","link":"http:\/\/thinkstick.dreamhosters.com\/2022\/02\/gootloader-infection-cleaned-up\/","title":{"rendered":"Gootloader infection cleaned up"},"content":{"rendered":"<p>Dear blog owner and visitors,<\/p>\n<p>This blog <u>had been<\/u> infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisioning. Your blog was serving up <b>290<\/b> malicious pages. Your blogged served up malware to <b>19<\/b> visitors.<\/p>\n<p>I tried my best to clean up the infection, but I would do the following:<\/p>\n<ul>\n<li>Upgrade WordPress to the latest version (one way the attackers might have gained access to your server)<\/li>\n<li>Upgrade all WordPress themes to the latest versions (another way the attackers might have gained access to your server)<\/li>\n<li>Upgrade all WordPress plugins (another way the attackers might have gained access to your server), and remove any unnecessary plugins.<\/li>\n<li>Verify all users are valid (in case the attackers left a backup account, to get back in)<\/li>\n<li>Change all passwords (for WordPress accounts, FTP, SSH, database, etc.) and keys. This is probably how the attackers got in, as they are known to brute force weak passwords<\/li>\n<li>Run antivirus scans on your server<\/li>\n<li>Block these IPs (5.8.18.7 and 89.238.176.151), either in your firewall, .htaccess file, or in your \/etc\/hosts file, as these are the attackers command and control servers, which send malicious commands for your blog to execute<\/li>\n<li>Check cronjobs (both server and WordPress), aka scheduled tasks. This is a common method that an attacker will use to get back in. If you are not sure, what this is, Google it<\/li>\n<li>Consider wiping the server completly, as you do not know how deep the infection is. If you decide not to, I recommend installing some security plugins for WordPress, to try and scan for any remaining malicious files. Integrity Checker, WordPress Core Integrity Checker, Sucuri Security,<br \/>\nand Wordfence Security, all do some level of detection, but not 100% guaranteed<\/li>\n<li>Go through the process for Google to recrawl your site, to remove the malcious links (to see what malicious pages there were, Go to Google and search site:your_site.com agreement)<\/li>\n<li>Check subdomains, to see if they were infected as well<\/li>\n<li>Check file permissions<\/li>\n<\/ul>\n<p>Gootloader (previously Gootkit) malware has been around since 2014, and is used to initally infect a system, and then sell that access off to other attackers, who then usually deploy additional malware, to include ransomware and banking trojans. By cleaning up your blog, it will make a dent in how they infect victims. <b>PLEASE<\/b> try to keep it up-to-date and secure, so this does not happen again.<\/p>\n<p>Sincerly,<\/p>\n<p>The Internet Janitor<\/p>\n<p>Below are some links to research\/further explaination on Gootloader:<\/p>\n<p><a href='https:\/\/news.sophos.com\/en-us\/2021\/03\/01\/gootloader-expands-its-payload-delivery-options\/'>https:\/\/news.sophos.com\/en-us\/2021\/03\/01\/gootloader-expands-its-payload-delivery-options\/<\/a><\/p>\n<p><a href='https:\/\/news.sophos.com\/en-us\/2021\/08\/12\/gootloaders-mothership-controls-malicious-content\/'>https:\/\/news.sophos.com\/en-us\/2021\/08\/12\/gootloaders-mothership-controls-malicious-content\/<\/a><\/p>\n<p><a href='https:\/\/www.richinfante.com\/2020\/04\/12\/reverse-engineering-dolly-wordpress-malware'>https:\/\/www.richinfante.com\/2020\/04\/12\/reverse-engineering-dolly-wordpress-malware<\/a><\/p>\n<p><a href='https:\/\/blog.sucuri.net\/2018\/12\/clever-seo-spam-injection.html'>https:\/\/blog.sucuri.net\/2018\/12\/clever-seo-spam-injection.html<\/a><\/p>\n<p><a href='gootloader.html'>This message<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Dear blog owner and visitors, This blog had been infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisioning. Your blog was serving up 290 malicious pages. Your blogged served up malware to 19 visitors. I tried my best to clean up the infection, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[32],"tags":[],"_links":{"self":[{"href":"http:\/\/thinkstick.dreamhosters.com\/wp-json\/wp\/v2\/posts\/417"}],"collection":[{"href":"http:\/\/thinkstick.dreamhosters.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/thinkstick.dreamhosters.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/thinkstick.dreamhosters.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/thinkstick.dreamhosters.com\/wp-json\/wp\/v2\/comments?post=417"}],"version-history":[{"count":0,"href":"http:\/\/thinkstick.dreamhosters.com\/wp-json\/wp\/v2\/posts\/417\/revisions"}],"wp:attachment":[{"href":"http:\/\/thinkstick.dreamhosters.com\/wp-json\/wp\/v2\/media?parent=417"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/thinkstick.dreamhosters.com\/wp-json\/wp\/v2\/categories?post=417"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/thinkstick.dreamhosters.com\/wp-json\/wp\/v2\/tags?post=417"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}