Yesterday, for a period of about 24 hours, our website, and every page on it, was branded on Google with the dreaded “This site may harm your computer”. When we noticed the warning, we checked Google’s Webmaster Tools and there was nothing there to indicate anything had gone wrong. Of course, the first thing we did was rage and deny that there was anything wrong. After that we checked using the Unmask Parasites tool, and yes, there it was as clear as day: a hidden iframe link to a “.to” website.
We are no security experts, but in hindsight it would have been prudent for one of us to take a course on website based security.
Of course, the first thing we did was panic. We searched our own source code and could not immediately see anything untoward. Thinking that it must have been something inside a plugin or the WordPress code itself, we immediately backed up our theme and created a fresh install of WordPress and all the plugins we were using. About 2 hours later, after we had uploaded our content directory and the nearly 100MB of images, we retested the system. The link was still there. Thinking it was a cached error on the tool’s part, we switched to using Sucuri’s scanner. Again, that confirmed the original diagnosis.
So we had to go back to the drawing board. We imported a full copy of the website and scanned for iframes. It was only then that we noticed our header had been modified to include code like this:
Straight away you can see that something is not right, and in amongst that code was our malicious iframe. It appears the attacker was using the iframe to call a kwizhveo.php page at some spoofed Google domain. As soon as we removed that file we knew we would have solved the symptom, but not the problem itself. Obviously, somehow, someone had made changes to the template files on our server.
Get to the Cause
After doing some searching around on the web, we found the problem was that our WooThemes framework held an old version of TimThumb, which had been compromised. Because we had modified the framework a lot, it was not easy to update, and WooThemes had not notified us of the compromise, so it had never been updated. The hackers used a flaw in TimThumb’s security to fake an upload domain. Once inside, they could make whatever changes to the code they wanted. So we had to update our framework as well, and make sure the latest version of thumb.php was installed too.
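The post does not detail the TimThumb flaw, but the “fake an upload domain” description matches the well-known weakness in old TimThumb releases: the remote-fetch allow-list was checked by looking for an allowed domain name anywhere in the requested URL, so a hostname such as google.com.attacker.example passed. The following Python is added here as an example, not code from the post or from TimThumb; it contrasts that style of check with a strict hostname comparison. ALLOWED_HOSTS is a constructed allow-list and the URLs in the demo are constructed.

```python
from urllib.parse import urlsplit

# Constructed allow-list of hosts from which remote images may be fetched.
ALLOWED_HOSTS = {"google.com", "blogger.com"}


def naive_allows(url: str) -> bool:
    """Substring check: passes if an allowed name appears anywhere in the URL.

    This is the weak form of check. A lookalike host such as
    google.com.attacker.example, or a URL carrying user-info like
    http://google.com@attacker.example/, slips through.
    """
    return any(host in url for host in ALLOWED_HOSTS)


def strict_allows(url: str) -> bool:
    """Parse the URL and compare the real hostname against the allow-list.

    Accepts only http(s), requires a hostname, and allows either an exact
    match or a genuine subdomain (a label boundary before the allowed name).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == allowed or host.endswith("." + allowed)
               for allowed in ALLOWED_HOSTS)


if __name__ == "__main__":
    # Constructed URLs: one legitimate, three that abuse a substring check.
    for u in ("https://images.google.com/logo.png",
              "http://google.com.attacker.example/x.php",
              "http://google.com@attacker.example/x.php",
              "http://evilgoogle.com/x.php"):
        print(f"{u:45} naive={naive_allows(u)!s:5} strict={strict_allows(u)}")
```

The strict version works on the parsed hostname rather than the raw string, so user-info, path and query components cannot be used to smuggle an allowed name past the check.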
You should also look for any references to base64 and remove those.
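The two manual searches described above (hidden iframes in the header, and base64 references in the code) can be scripted. The following Python is an added example, not code from the post; it scans theme and plugin files line by line for hidden iframes, base64_decode and eval calls, and long base64-looking string literals, and reports file, line and the pattern that matched. SAMPLE_HEADER is a constructed stand-in for a tampered header.php, not the authors’ actual file, and the iframe URL in it is a placeholder.

```python
import re
from pathlib import Path

# Patterns that commonly show up in injected template code. Each is
# deliberately narrow; review the hits by hand rather than deleting blindly.
PATTERNS = {
    "hidden_iframe": re.compile(
        r"<iframe\b[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden"
        r"|width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b)[^>]*>",
        re.IGNORECASE),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.IGNORECASE),
    "eval": re.compile(r"\beval\s*\(", re.IGNORECASE),
    # An 80+ character run of base64 alphabet inside quotes is unusual in a theme.
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{80,}={0,2}['\"]"),
}


def scan_text(text, name="<string>"):
    """Return (name, line_number, pattern_label) for every line that matches."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((name, lineno, label))
    return findings


def scan_dir(root, suffixes=(".php", ".html", ".js")):
    """Walk a directory (e.g. wp-content) and scan files with the given suffixes.

    Scanning is line based, so an iframe tag split across lines is missed;
    that is a known limit of this simple scanner.
    """
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            try:
                text = p.read_text(errors="replace")
            except OSError:
                continue
            findings.extend(scan_text(text, str(p)))
    return findings


# Constructed sample of a tampered theme header (not the authors' real file).
SAMPLE_HEADER = '''<?php
// theme header
wp_head();
eval(base64_decode("''' + "QUFB" * 25 + '''"));
?>
<iframe src="http://example.invalid/x.php" style="display:none" width="1" height="1"></iframe>
'''


if __name__ == "__main__":
    for name, lineno, label in scan_text(SAMPLE_HEADER, "header.php"):
        print(f"{name}:{lineno}: {label}")
```

Run scan_dir("wp-content") against a copy of the site taken before cleanup so the findings can be kept as evidence; the line numbers let you open each hit and see what surrounds it.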
Start Again, but Harder…
When we realised the extent of the problem, we knew we had to do a full upgrade of the system and start from scratch. We added fresh installs of everything, including the template. Then we scanned our site and got a clean bill of health. Five hours after we started the process, we had to address the problem of the Google malware warning. Using Google Webmaster Tools, we submitted a request to have the warning removed.
The main lesson here is that the only way to be sure you have got everything is to do a completely fresh install of everything. We managed to keep the database, but others have not been so lucky.
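A fresh install also gives you a known-good reference tree, which is what you need to find every file the intruder touched rather than just the ones you happened to notice. The following Python is an added example, not code from the post; it hashes two directory trees (a clean download and the live site) and lists files that differ, were added, or went missing. Uploads are skipped by default because a live site legitimately holds content a fresh install lacks, except that PHP files under uploads are always reported, since there should be none. build_demo constructs two small throwaway trees with placeholder file contents so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    digests = {}
    for p in root.rglob("*"):
        if p.is_file():
            digests[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def diff_trees(clean_root, live_root, ignore_prefixes=("wp-content/uploads/",)):
    """Compare a clean install against the live tree.

    Returns sorted lists of modified, added and missing relative paths.
    Paths under ignore_prefixes are skipped unless they end in .php, which
    never belongs in an uploads directory and must always be surfaced.
    """
    clean = hash_tree(clean_root)
    live = hash_tree(live_root)

    def ignored(rel):
        return rel.startswith(ignore_prefixes) and not rel.endswith(".php")

    modified = sorted(r for r in clean if r in live and clean[r] != live[r] and not ignored(r))
    added = sorted(r for r in live if r not in clean and not ignored(r))
    missing = sorted(r for r in clean if r not in live and not ignored(r))
    return {"modified": modified, "added": added, "missing": missing}


def build_demo():
    """Construct a clean tree and a tampered live tree in a temp directory."""
    base = Path(tempfile.mkdtemp(prefix="treediff-"))
    clean, live = base / "clean", base / "live"
    # Constructed placeholder contents; not real WordPress or theme files.
    files = {
        "wp-includes/version.php": b"<?php $wp_version = 'x.y'; ?>",
        "wp-content/themes/demo/header.php": b"<?php wp_head(); ?>",
        "wp-content/themes/demo/thumb.php": b"<?php /* thumb placeholder */ ?>",
    }
    for root in (clean, live):
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
    # Tampering in the live copy: an edited header, a dropped PHP file in the
    # theme, a stray PHP file in uploads, and a legitimate image upload.
    (live / "wp-content/themes/demo/header.php").write_bytes(b"<?php wp_head(); ?><!-- injected -->")
    (live / "wp-content/themes/demo/dropped.php").write_bytes(b"<?php /* unexpected file */ ?>")
    for rel, data in (("wp-content/uploads/stray.php", b"<?php /* should not exist */ ?>"),
                      ("wp-content/uploads/2011/photo.jpg", b"\xff\xd8\xff")):
        (live / rel).parent.mkdir(parents=True, exist_ok=True)
        (live / rel).write_bytes(data)
    return str(clean), str(live)


if __name__ == "__main__":
    clean_dir, live_dir = build_demo()
    for kind, paths in diff_trees(clean_dir, live_dir).items():
        print(kind, paths)
```

Point diff_trees at a freshly unpacked WordPress, theme and plugin set on one side and a copy of the compromised document root on the other; every path it reports is either something you changed on purpose or something to investigate.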
How Long Does it Take for the Warning to Go Away?
From sending in the request to the malware warning being removed took less than 8 hours. In all we lost almost a full day of traffic from Google, which is about 50% of our total. Only two clients noticed the problem, but we had to send out a warning to most of them letting them know of the compromise, so in the end they all found out. We have learned a lot about what is considered secure on the web (nothing) and what is vulnerable (almost everything).