Oct 152011

A couple things I noticed on this blog today, that are residual from the malware attack: the in-post images are broken, the contact form doesn’t work, and I can’t access the plugins page from the WordPress dashboard. I think my WordPress install is a little confused about where the files are located. All these things need to be straightened out. But I did figure out how to get the Page menu to show up. That’s a plus. Obviously, I can post, and that’s also good.

Other problems in my life include back steps that are falling in (I got an otherworldly estimate yesterday that is totally beyond my price range), and a furnace that is inoperable due to the foot of water I had in my basement in July. I applied for disaster aid and was accepted but I guess everybody is waiting on federal money. In the meantime, last night was pretty chilly. Not intolerably so, and we do have electric $paceheaters, but I’m starting to think the feline members of the household are going to have to cuddle up in our absence.

The Dubuque Novel Writers group has temporarily imploded. I just got another terrific book on writing groups in the mail yesterday, The Writing Group Book: Creating and Sustaining a Successful Writing Group by Lisa Rosenthal. I still have a couple writing prompt responses to post, that I wrote at meetings. Here’s one of them:

Describe a setting as if it were a character in a story.

A grungy blue dustpan lay straddled over a half-removed pile of dust and bat droppings, with a push broom thoughtlessly dropped nearby. The ceiling sagged with many years’ leaks, trailing fringes of gold insulation onto the attic floor. Wide seams between ancient floorboards gaped silently, awaiting the next rare footsteps. The whole noiseless attic wore an express of carelessness, waiting without impatience or expectation for what might enter next.


So, about the time I was feeling smug about my sleuthing as reported in my previous blog entry, I realized with alarm that the site had gotten away from me. The virus or malware, whatever it was, regenerated itself in my WordPress site despite my efforts to remove it. Somehow, somewhere, my password had been compromised or a sinister plugin had hatched a backdoor. The only cure was to take down the site entirely.

With trepidation, I used one of the tools I found in the WordPress interface to back up the data. It created a file with a strange .gz extension. Fearing the loss of months of writing, I also copied and pasted the text of the first half-dozen most recent blog entries. Not hardly enough, I realized later. Dismantling the site was deceptively easy. Just click “deactivate” in the file manager, and POOF! Strange how a couple of folders in the subdirectory refused to be deleted. Hmmm.

Probably for that reason, I had the odd problem of not being able to reinstall the blog in a subdirectory of the same name as the compromised one. I had to give the location of the new install a different name. Not good, for linking integrity. But better a blog with a zillion broken links than a virus-compromised one that’s been driven offline by malware.

Restoring the database was not simple sincethese instructions were useless to me — I’m gonna type “user@linux” gobbledegook, etc? Yeah, right. I mulled over the daunting technical problem for a few days and finally determined I’d call my hosting service for help after another stab at it.  In the meantime, I thought it better not to log in at all on my other WordPress blog. And I did a complete virus scan on my main computer at home and also ran the Windows Malicious Software Removal tool.

I ended up finding the answer in Yahoo web hosting’s help files. I needed to install a “dashboard” in my blog’s MySQL database, which is the bunch of files and tables that the PHP commands in WordPress write to, and after that was accomplished, I could use the .gz backup file to restore my blog.

I still can’t believe I figured it out, or that it actually worked. Then after this unexpected success, I tried again to put the blog back in the prefered blog directory, instead of the renamed one. And that worked too! Almost fell on the floor with relief! A few details still remain to be worked out, such as the dropdown menu, which is quirky/invisible now. However, the virus that was redirecting my site to spammy sites is eviscerated — thank goodness.

Believe me, my passwords have been changed several times and are far longer now. I am also much more skeptical about new WordPress plugins or software/plugin updates of any sort. And I’ve started surfing the Internet with a Firefox plugin called NoScript, which gives a notification about every single piece of javascript or java on a web page so you can allow to run only those you really want. True, it’s a little bit intrusive, but the web is far faster now, and the browser doesn’t hang up like it used to. And I feel more secure.

I just can’t figure out why someone would be so skewed toward their own greedy ends that they’d devise a malicious method to turn other people’s websites into robot drones, feeding traffic to spammy sites that nobody but the most easily deceived will click on, anyway. Horrid selfish evil greedy bent programmy types. More of you warped souls need to follow the Google Code of Conduct: Don’t be evil. God needs to make more people community minded in this world. Altruism is a sign of higher development. Being deliberately scummy for your own financial ends is just plain wrong. I wrestled my website back from where it had gone over the brink into the darkside. Yayyy, me.


I noticed, starting about 2 weeks ago, that the Google Analytics traffic for this WordPress site had dropped dramatically. I finally realized that some hacker had gotten in and that my blog was being forced to redirect to an assortment of spammy sites. No wonder Analytics showed zero traffic – at the moment of the page loading, visitors were being redirected elsewhere. How annoying. The status bar at the bottom of the browser flashed with a slew of irrelevant websites. Whoever found my site was booted mysteriously toward some worthless SEO-exploiting junk in windows that they probably closed immediately, leaving my blog posts unread. I lay awake this morning trying to figure out what step I should take next.

I’m no programmer. First, I changed my password, twice, and also deleted an alternative admin account. While some WordPress sites have gotten hacked via vulnerabilities in an image handler called Tim Thumb, my theme doesn’t seem to use it. This blog uses the Suffusion theme, which in my mind is one of the best out there, and I’ve tried other themes, some in great frustrating depth. I can recognize its awesomeness and want to keep it. I thought maybe it would be wise to update to the latest version, which I did. Did the malware come with the latest upgrade? Doubt it, and after all, my website traffic had been flat for two weeks.

I thought about how web page redirects happen. I’ve created them myself in the past, by pasting code into the header. So I took a close look at my blog’s page source code, doing a simple text search for script. The code that was labeled to be Google Analytics looked extremely weird, so I checked it against the actual Analytics code (had to read through Help to figure out where it is non-intuitively hidden on the the Analytics dashboard), and it was actually correct. While I was inside Google Analytics, I tried to figure out on which date, exactly, the site traffic had nosedived, and I narrowed it to a 2-day time span. I was embarrassed the site had been out of commission so long. Golly, I really need to look at my own website more often.

Back on the page source of my main blog page, there were two other javascripts I didn’t recognize. They didn’t contain any content between the opening and closing script tags, only pointing toward the javascript files. I jotted down the file location  — they were both in the wp-includes/js folder. Then I opened the file manager on my website host to discover that the dates on those same two files had been last changed about the date that my site was hacked. All the other files in that folder showed a last modified date of several months earlier. I think I found ‘em! Now what should I do?! The idea of deleting anything was unnerving, considering that the whole PHP/WordPress setup is a huge web of files, most of which, as a non-programmer, I’m clueless about.

I paused right there and Googled one of the file names — l10n.js –  to try to find answers. The second questionable javascript file was named jquery.js. With luck, I stumbled into this thread (I wrote a response there but have already been chastised for being off topic), in which one commentator recommended the free site malware scan at sucuri.net. I tried it, and surprise! It  identified those very two js files as being malware. Finally, I had the guts to delete. And guess what? The site’s back online without redirecting to some crappy search engine-fooling nonsense, and Google Analytics is showing visitors again! Now, I hope to keep it that way. Some days, when a challenge is mastered, are good days.

Blog content by @CreativeDubuque.com
© All rights reserved. Please do not duplicate text or photos without permission.