A few days ago, I wrote on Facebook that I’d invested a significant amount of time in scraping malware hackers off several websites that I run and operate. I had found, through a Google search, a shell script that someone had developed to scan through your site’s files and uncover any malicious code left behind from the malware. Trouble was, the script was out of date because the malware virus had mutated so that the code the script was looking for was different than the code being left behind by the current version of the malware.

So, I had to reverse engineer the script to update it with the proper parameters, and run it again against my site files. And doing so did turn up some malicious code and corrupted data, which I repaired, and I cleaned up the database from all the content insertions the malware left.

But I wasn’t sure I had all the backdoors. The shell scripts I’d found didn’t seem to me to be thorough enough, so I held my breath while I waited to see if the hackers would be back in. And of course, they were. Not two days after cleaning everything up, I found that they had once again inserted nearly 20,000 rows of content into my database.

It finally occurred to me to look for a security plugin for my site. And there are quite a few good ones out there. Since I already power most of my websites with the Jetpack plugin, and it turns out Jetpack has the Protect module available for purchase, I figured I’d give that a try to protect my site and find any lingering vulnerabilities. And with the first scan, I discovered several open backdoors, lines of malicious code, and suspicious files. Those files have all been patched up now, and with any luck, the hackers have been permanently pushed out of the system.
