A U.S.-led operation , which included Australia, the European Cybercrime Center, Canada, France, Germany, Italy, Japan, Luxembourg, New Zealand, and Ukraine, recently disrupted a network  of 500,000 – 1,000,000 computers that had been infected by a malicious software named “Gameover Zeus.”  The botnet  was used to gain control of bank accounts and extort money from victims.  One sub-program. named Cryptolocker, had infected more than 234,000 machines.  Cryptolocker encrypted bank account files, and then the gang demanded payments for release.  More than $27 million was paid  in its first two months operating.

 On May 7th, Ukrainian authorities seized  and copied Gameover Zeus command servers in Kiev and Donetsk.  Recently, about 300,000 victim units have been reclaimed. “We took control of the bots, so they could only talk to us,” said Brett Stone-Gross, a Dell expert who assisted the FBI. On June 2nd, a criminal complaint was filed in Nebraska against Russian Evgeniy Bogachev.

Source:  Business Insider

 *   *   *

Perhaps we are fortunate that the Ukrainian officials were still independent enough of Russia to cooperate with the group of nations that conducted this operation.   At the least, this incident illustrates how important global cooperation is to secure and protect the Internet.  The good guys beat the bad guys in this case because the cooperative effort included the equipment manufacturers and a  majority of the nations affected.

 With steady vigilance and  an effective balance of government and business expertise and cooperation, we can keep the Internet free and secure.

Bill Patch  06/03/14

Our clients have found the functionality for the wordpress framework to be quite good at putting power to control content and information on their site. We also find the wordpress framework to be flexible and powerful to use as developers.That said all this functionality does come with a price. Security and file access permissions are important to set-up properly. Instructions on what to do are also vague/hard to follow.

Recently one of our clients who maintains her own site was hacked. Now you hear a lot about hacking, but most folks don’t know what that actually means. Here is a picture of the hack that was added to plugins on her wordpress site.

best pharmacy viagra

That looks like a lot of gibberish but what it is is encrypted code using a base64 encoding which a lot of software uses for non-malicious means. If we translate it we get this:

Ok more code gibberish for the non-coders, but to give a quick translation this = referring sites like facebook, google, myspace etc are re-directed from your site to another site of their choosing. This makes it hard for you to know you have been infected unless you regularly check your site from outside locations (not typing in the URL directly and instead looking at search results).

So what do you do? First off don’t panic. And really don’t panic if you have good backups. (Ok official shout-out to our friends at rackspace managed backup. We backup entire file structure for all our servers daily. Combine that with the awesome customer service we get from our Managed Backup Team, and you know why our team sleeps well at night).

First Step-Clean up the Mess

Finding whats been infected is an important first step (You need to know what needs to be cleaned.) Start with a couple of key directories:

1) /wp-content/themes/your_active_theme

2) /wp-content/plugins/All Plugins

Take a look at these directories and in particular to the last time edited time stamp. Infections will likely have been done all at one, so you will be able to discover the date you were infected. Move these directories to a safe place for now.

3) copy your wp-content/uploads directory to a safe location. This usually has files/images that aren’t as open to infections, and  you’ll want to save them in the long run.

4) Your theme’s directory is important. If it has been infected cleaning it by hand can be a laborious process. This is where backups come in extremely handy. Once you know the date of infection, restore a version of your themes directory from your backups. If you do not have backups you are left with 2 options:

a) Manually disinfect removing all malicious code. This is hard…in one file on her site she literally had 1000 different encodings which make automation difficult. You also have to be aware of restoring the file to its previous state.

b) Download a fresh theme and re-deploy your customizations. This is also hard, but you should be able to at least see your customizations in your infected theme directory to give you guidance.

5) The final step is to download and install a fresh version of the wordpress framework. Move your uploads directory and themes directory to the new fresh version, and finally re-download and install your fresh plugins.

All together if you have good back-ups the process can be done in under 20 minutes. Without backups the time to back up goes upwards of 10-20 hours.

Second Step-Security and Permissions: Or how to make this never happen again.

This is where online guides tend to get pretty vague. We at Blazing Systems are not a fan of vagueness so with two clients permissions we set-up a bit of a permissions test to find out what worked best. What we did was change permissions on two sites at different times to see what exposed the site, and what didn’t expose the site to intrusion. Here is the permissions set-up that seemed to provide the most security while keeping most of the framework functionality intact.

1) General Permissions: We want to have the framework and the majority of files outside control of apache/users. So start with changing ownership of all files in the wordpress directory to ownership of the FTP user that accesses the site:

Example: chown -R site_owner:site_owner_group /wordpress_install_directory

Next we want to change access permissions: 655 or 755 seems to be good permissions to keep these files protected.

Example: chmod -R 755 /wordpress_install_directory.

2) Specific Permissions: You still want to be able to upload files and complete upgrades. Also a lot of the functionality in wordpress will give permission errors with the above settings. So we want to open permissions on 2 directories inside wp-content

chown -R apache:apache /wp-content/uploads and chown -R apache:apache /wp-content/upgrade

chmod -R 755 /wp-content/uploads and chown -R apache:apache /wp-content/upgrade

3) Open and Close Permissions: Some themes have very cool functionality making it easy to change the look and feel of the site on the fly. These files are in your theme directory, but opening them up = exposure, plus all the troubles above. We recommend only opening and closing permissions on this directory while actively working on it, then immediately re-securing when your completed.