Main Content RSS FeedLatest Entry

Gootloader infection cleaned up

Dear blog owner and visitors,

This blog had been infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisioning. Your blog was serving up 297 malicious pages. Your blogged served up malware to 741 visitors.

I tried my best to clean up the infection, but I would do the following:

  • Upgrade WordPress to the latest version (one way the attackers might have gained access to your server)
  • Upgrade all WordPress themes to the latest versions (another way the attackers might have gained access to your server)
  • Upgrade all WordPress plugins (another way the attackers might have gained access to your server), and remove any unnecessary plugins.
  • Verify all users are valid (in case the attackers left a backup account, to get back in)
  • Change all passwords (for WordPress accounts, FTP, SSH, database, etc.) and keys. This is probably how the attackers got in, as they are known to brute force weak passwords
  • Run antivirus scans on your server
  • Block these IPs (5.8.18.7 and 89.238.176.151), either in your firewall, .htaccess file, or in your /etc/hosts file, as these are the attackers command and control servers, which send malicious commands for your blog to execute
  • Check cronjobs (both server and WordPress), aka scheduled tasks. This is a common method that an attacker will use to get back in. If you are not sure, what this is, Google it
  • Consider wiping the server completly, as you do not know how deep the infection is. If you decide not to, I recommend installing some security plugins for WordPress, to try and scan for any remaining malicious files. Integrity Checker, WordPress Core Integrity Checker, Sucuri Security,
    and Wordfence Security, all do some level of detection, but not 100% guaranteed
  • Go through the process for Google to recrawl your site, to remove the malcious links (to see what malicious pages there were, Go to Google and search site:your_site.com agreement)
  • Check subdomains, to see if they were infected as well
  • Check file permissions

(Addtionally your site was serving up spam, via a tool called black wordpress dyndoor/light grey dyndoor sold by n1oise. I cleaned that up as well)

Gootloader (previously Gootkit) malware has been around since 2014, and is used to initally infect a system, and then sell that access off to other attackers, who then usually deploy additional malware, to include ransomware and banking trojans. By cleaning up your blog, it will make a dent in how they infect victims. PLEASE try to keep it up-to-date and secure, so this does not happen again.

Sincerly,

The Internet Janitor

Below are some links to research/further explaination on Gootloader:

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/

https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

https://www.richinfante.com/2020/04/12/reverse-engineering-dolly-wordpress-malware

https://blog.sucuri.net/2018/12/clever-seo-spam-injection.html

This message

Recent Entries

After Dragon Con 2014

Hello everyone!

We will be re-stocking the stores now that Dragon Con is over. Claire has already updated her Claire Bear Bows Etsy shop. The two UpDown Studio stores will be updated very soon.

New Stuff

Hi gang,

Greg here… I’ve started a blog at thisisgregcarter.com to be a hub for all of my creations. Hop on over and see what’s going on.

Claire has her own site as well, Sugary Planet.

Ten Years of UpDown Studio!

Looked it up and UpDownStudio.com has been online for 10 years as of January 26, 2012. Wow! I’ll publish a 10th Anniversary comic/art anthology if anyone wants to contribute? Also reprint anything we’ve done before. Also also get your comics on Graphicly. Just let me know who’s interested. Old/current/new members. Time for a resurgence of UpDown Studio!

Cute bows!

Check out ClaireBearBows on Etsy! Very cute stuff. If you’ll be at Dragon*Con check out the UpDown Studio table in the Comics and Pop Art Artist Alley. We’ll have a whole bunch more there.

Shop UpDown Studio

The UpDown Studio Shop is open! There’s still lots more stuff to come and it’s not quite 100% designed yet, but feel free to take it for a spin!

MomoCon – Atlanta, GA – March 12-13, 2011

Greg Carter and Elliot Dombo will be at MomoCon in Atlanta, Georgia this coming weekend March 12-13. 2011. We will have Love is in the Blood #1-3, Strawberry Death Cake #1, Perfect Agent #1-3, Worked to Death, buttons, t-shirts, and more.

We hope to see you there!

Worked to Death

Worked to Death comic cover

Worked to Death
(Writer) Greg Carter (Artists) Gina Biggs, Emily Brady
Inspired by songs of the working man, writer Greg Carter presents two tales of giving it your all. Emily Brady provides the art for “Cowboy”, showing that cattle drives of the 1800’s were not so different 2,000 years ago. “Uniform”, with art by Gina Biggs, is the story of a soldier taking care of business by doing what he loves.
20 pages | COLOR | $3.99

Visit the creator’s websites:
Greg Carter – Love is in the Blood, Perfect Agent
Gina Biggs – Red String
Emily Brady – Footloose

Order a copy from IndyPlanet! Or save shipping and have your local comic shop order a copy from Haven Distributors. Give them the code WORDUPD001.

And find out more about the full WORK! anthology HERE.

UpDown Studio brings the comics!

You want comics? We got comics! Follow the links below to read them free on the web.

Love is in the Blood

Perfect Agent

Strawberry Death Cake

Bear Island Adventures

Cthulhuvida

Due North

Terrar