Gootloader infection cleaned up

Dear blog owner and visitors,

This blog had been infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisoning. Your blog was serving up 292 malicious pages. Your blog served up malware to 0 visitors.

I tried my best to clean up the infection, but I would do the following:

  • Upgrade WordPress to the latest version (one way the attackers might have gained access to your server)
  • Upgrade all WordPress themes to the latest versions (another way the attackers might have gained access to your server)
  • Upgrade all WordPress plugins (another way the attackers might have gained access to your server), and remove any unnecessary plugins.
  • Verify all users are valid (in case the attackers left a backup account, to get back in)
  • Change all passwords (for WordPress accounts, FTP, SSH, database, etc.) and keys. This is probably how the attackers got in, as they are known to brute force weak passwords
  • Run antivirus scans on your server
  • Block these IPs (5.8.18.7 and 89.238.176.151), either in your firewall, .htaccess file, or in your /etc/hosts file, as these are the attackers' command and control servers, which send malicious commands for your blog to execute
  • Check cronjobs (both server and WordPress), aka scheduled tasks. This is a common method that an attacker will use to get back in. If you are not sure what this is, Google it
  • Consider wiping the server completely, as you do not know how deep the infection is. If you decide not to, I recommend installing some security plugins for WordPress, to try and scan for any remaining malicious files. Integrity Checker, WordPress Core Integrity Checker, Sucuri Security, and Wordfence Security all do some level of detection, but not 100% guaranteed
  • Go through the process for Google to recrawl your site, to remove the malicious links (to see what malicious pages there were, go to Google and search site:your_site.com agreement)
  • Check subdomains, to see if they were infected as well
  • Check file permissions

Gootloader (previously Gootkit) malware has been around since 2014, and is used to initially infect a system, and then sell that access off to other attackers, who then usually deploy additional malware, to include ransomware and banking trojans. By cleaning up your blog, it will make a dent in how they infect victims. PLEASE try to keep it up-to-date and secure, so this does not happen again.

Sincerely,

The Internet Janitor

Below are some links to research/further explanation on Gootloader:

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/

https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

https://www.richinfante.com/2020/04/12/reverse-engineering-dolly-wordpress-malware

https://blog.sucuri.net/2018/12/clever-seo-spam-injection.html

This message

Posted in Uncategorized.
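A defender-side log triage script, added here as an example and not part of the Internet Janitor's notice or any tool it names: it reads web-server access log lines and reports contact from the two command and control addresses listed in the notice, plus search-engine-referred hits on pages matching the "agreement" keyword the notice suggests searching for. The log lines are constructed, and the combined log format and the Google referer pattern are assumptions.

```python
import re
from collections import Counter

# Command and control addresses named in the cleanup notice above.
C2_IPS = {"5.8.18.7", "89.238.176.151"}

# Assumed Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed referer pattern for visitors arriving from Google search results.
SEARCH_REFERER = re.compile(r"https?://(www\.)?google\.", re.I)


def parse(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, keyword="agreement"):
    """Return (Counter of requests per C2 address, list of search-referred hits on keyword pages)."""
    c2_hits = Counter()
    poisoned_hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["ip"] in C2_IPS:
            c2_hits[rec["ip"]] += 1
        if keyword in rec["path"].lower() and SEARCH_REFERER.search(rec["referer"]):
            poisoned_hits.append((rec["ip"], rec["path"]))
    return c2_hits, poisoned_hits


# Constructed sample log lines (not real traffic); documentation IP ranges for visitors.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
5.8.18.7 - - [01/Mar/2021:10:00:05 +0000] "GET /?p=12 HTTP/1.1" 200 80 "-" "curl/7.68"
198.51.100.7 - - [01/Mar/2021:10:01:12 +0000] "GET /?s=sample+lease+agreement HTTP/1.1" 200 9000 "https://www.google.com/" "Mozilla/5.0"
89.238.176.151 - - [01/Mar/2021:10:02:00 +0000] "GET /?p=12 HTTP/1.1" 200 12 "-" "curl/7.68"
""".splitlines()

if __name__ == "__main__":
    c2, poisoned = triage(SAMPLE_LOG)
    print("C2 contacts:", dict(c2))
    print("Search-referred hits on keyword pages:", poisoned)
```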


The great problems of the world do not include what to wear.

Hi everyone. I’m Andrew Buckler, and I’m so pleased you’re here.

Buckler Works is the beginning of something new – a new way to do business, a new way to take care of the world around us while we are taking care of ourselves. Buckler Works is change. Simply put, it allows us as a company to use our expertise and the power of your purchase to make a difference to those in need by partnering with charitable organizations and providing them a valuable resource to help them in their work.

How does it work? Well, for every pair of Buckler jeans purchased, we will provide 5 pairs of specially-designed Buckler Works jeans to these charitable organizations to be worn in the field. But that is only the beginning. Every pair of jeans that you buy comes with a set of dog tags that contains a unique serial number. I encourage you to register at http://www.bucklerworks.com and log in with this unique serial number – you can find out where the 5 pairs of jeans that your purchase put into service have gone, what they are doing, and even link up with the recipients and follow their stories.

If you are a field worker and recipient of a pair of Buckler Works jeans, I encourage you to log on as well, share your stories, post pictures and videos, and spread your enthusiasm for the special work you are doing and the cause you are serving.

Buckler Works is a rare opportunity for us to change the way business works; to make sure we are giving back not just money, but also the quality and know-how that make Buckler jeans so prized. Thank you for making that possible through your purchase and your participation.

All the best, Andrew
