Something Very Strange Just Happened

I don’t have time to get into it now, but I have reason to believe that this blog has either been hacked or is infected with something.

I’m not 100% sure, and I could very easily be mistaken, as my understanding of WordPress isn’t perfect. But some key files have been modified to include some obfuscated JavaScript that caused the site to stop functioning. The offending scripts have since been commented out, but those are only the ones that I could find. Ten minutes on Google turned up nothing, so until I can find some time to understand what these scripts are and where they came from, I would operate under the conclusion that this blog is compromised. Use your own best judgement as to what changes in behavior (if any) that entails.

If I discover any more disturbing signs, I may need to pull the blog down. This will be done without warning.


10 Comments

  1. DarkIcon, May 28, 2010:

    The problem is worse than I originally thought. The entire site is infested with malicious JavaScript.

    TURN OFF JAVASCRIPT IF YOU ARE READING ANYTHING ON DARKICON.COM.

  2. nate, May 28, 2010:

    Man, that sucks! Good luck with the repairs, but don’t waste the holiday weekend on them.

  3. DarkIcon, May 28, 2010:

    Unfortunately I already have prior engagements to waste my weekend on. I don’t have much time to spend on this even if I wanted to, which I don’t.

    Even MORE unfortunately, I seem to have narrowed down the source of the infection: MY HOME COMPUTER.

    I’m still unsure as to what this JavaScript is doing, but fixing the site just became an even lower priority.

  4. DarkIcon, May 28, 2010:

    The Good news is that this will be relatively easy to remove from the site. None of the files on my computer were infected.

    The Bad news is that this will probably take a while, including time to change all of my passwords. Easy != Quick. I won’t have to spend any time figuring out WHAT to do, but I don’t have time to actually DO it right now.

    A bit of advice: NEVER use an FTP program that “conveniently” saves your passwords for you. My computer got infected last night. It was an infection that I actually SAW and fixed at the time, so it was no big deal. But in the few minutes that it was active, it apparently swiped my FTP passwords and either emailed them to someone, or used some sort of automated process to modify every JavaScript file or index file on every web server that I have access to.

    At this point, I still don’t know what the JavaScript does, but it is probably just reproducing/spreading the original infection. So if you visited this site with JavaScript on and you use any kind of FTP client software, you might want to check any sites to which you have access.

  5. nate, May 28, 2010:

    It’s all gibberish to me, but it sounds like it’ll be relatively easy to correct once you get the time. I’m glad to hear that, and I’ll be back next week for hopefully more on the story.

  6. DarkIcon, May 28, 2010:

    test

  7. DarkIcon, May 28, 2010:

    test again

  8. DarkIcon, May 28, 2010:

    Okay, it looks like this blog is clear of malicious JavaScript. The rest of darkicon.com, however, is NOT. I’ll post updates as needed.

  9. DarkIcon, May 28, 2010:

    test yet again

  10. DarkIcon, May 30, 2010:

    The rest of the site should be free of malicious JavaScript now.
