Category Archives: Incident

What To Do If Your WordPress Site Is Infected By pub2srv.com Adware

This site was infected by adware between the end of August 2017 and 26 October 2017.

What happened

I realized something was wrong when I visited my own site this morning and discovered that there were popups and redirections whenever I clicked anywhere on the page.

The Evil Adware

Also, when I checked the site’s analytics, there had been practically no visitors since the beginning of September 2017.

Practically Zero Visitors Since September 2017

Investigation

I ran a test using the Pingdom tool (the scan result was linked from the original post) and confirmed that my WordPress site was infected with adware.

Here are the findings:

Pingdom scan results showing pub2srv.com, mobisla.com and deloton.com

Some unknown scripts were being injected into the site.

  • http://deloton.com/apu.php?zoneid=1063894
  • go.pub2srv.com
  • http://go.pushnative.com/notice.php?p=628268&interactive=1&pushup=1
  • go.mobisla.com
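The manual check above (load the page and look at what it pulls in) can be scripted. The following is an added example, my code rather than anything from the original post: it parses served HTML and lists every script or iframe host that is not first-party. The HTML is constructed to carry the hosts listed above; example.com as the first-party host is an assumption.

```python
"""List third-party script and iframe origins in a served page.

Added example; not the original post's code. The HTML below is constructed
and carries the hosts the post lists; example.com as the first-party host is
an assumption.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptOriginParser(HTMLParser):
    """Collect the host of every <script src> and <iframe src> in the page."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        # urlsplit handles absolute and scheme-relative ("//host/...") URLs;
        # a site-relative path has no hostname and is first-party by definition.
        host = urlsplit(src).hostname
        if host:
            self.hosts.append(host.lower())


def unexpected_script_hosts(html, first_party_hosts):
    """Return the sorted set of script/iframe hosts not in first_party_hosts."""
    parser = ScriptOriginParser()
    parser.feed(html)
    parser.close()
    return sorted(set(parser.hosts) - set(first_party_hosts))


# Constructed page: the site's own scripts plus the injected ones from the post.
SAMPLE_HTML = """<html><head>
<script src="https://example.com/wp-includes/js/jquery.js"></script>
<script src="//go.pub2srv.com/"></script>
<script src="http://deloton.com/apu.php?zoneid=1063894"></script>
</head><body>
<script src="/wp-content/themes/x/main.js"></script>
<script src="http://go.pushnative.com/notice.php?p=628268&amp;interactive=1&amp;pushup=1"></script>
<iframe src="//go.mobisla.com/"></iframe>
</body></html>"""


def demo():
    """Run the check over the constructed page with example.com as first party."""
    return unexpected_script_hosts(SAMPLE_HTML, {"example.com"})


if __name__ == "__main__":
    for host in demo():
        print("unexpected script origin:", host)
```

Run it over HTML fetched at different times and from different clients: the post shows the injected code is steered from a remote file, so what the page pulls in can change between visits.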

Root cause analysis

When I scanned the WordPress installation folders on the server for files containing the string “pub2srv.com”, I found nothing.

The hacker is good at playing hide-and-seek.

With help from Google, it turned out that the malicious code was hidden in multiple files located in the <WordPress installation path>/wp-includes/ folder.

Here is the list of the infected files:

  • wp-feed.php: contains a list of IP addresses
  • wp-vcd.php: contains a compressed malicious installation program
  • class.wp.php: contains the code that inserts a user into the database and injects the scripts
  • post.php: contains the reference to wp-vcd.php
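Grepping for the symptom string found nothing because the advertising domains never sit in a local file; what does sit on disk is the loader. The following added example (my code, not from the original post) walks a WordPress tree and flags the indicators listed above: the dropped files in wp-includes/, any PHP file that references wp-vcd.php, and, as a heuristic the post does not mention, eval() applied to a decoded payload. The miniature install it scans is constructed inline.

```python
"""Scan a WordPress tree for the wp-vcd indicators described in the post.

Added example; not the original post's code. The dropped file names and the
wp-vcd.php reference come from the post. The eval()-over-decoded-payload
heuristic and the sample install below are assumptions/constructed.
"""
import os
import re
import tempfile

# Files the post reports as dropped into wp-includes/.
DROPPED_NAMES = {"wp-vcd.php", "wp-feed.php", "class.wp.php"}

# Loader reference the post reports inside wp-includes/post.php.
LOADER_RE = re.compile(r"wp-vcd\.php")

# Heuristic (assumption): eval() applied to something that first has to be
# decoded or inflated is the usual shape of an obfuscated PHP dropper.
OBFUSCATION_RE = re.compile(
    r"eval\s*\(\s*@?\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)


def scan_wordpress(root):
    """Return sorted (relative_path, reason) pairs for everything that looks planted."""
    root = os.path.normpath(root)
    includes_dir = os.path.join(root, "wp-includes")
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.normpath(dirpath) == includes_dir and name in DROPPED_NAMES:
                findings.append((rel, "dropped wp-vcd file in wp-includes"))
            if not name.endswith(".php"):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            # A core or theme file that pulls in the dropper is part of the
            # infection too; deleting wp-vcd.php alone leaves the loader behind.
            if name != "wp-vcd.php" and LOADER_RE.search(text):
                findings.append((rel, "references wp-vcd.php"))
            if OBFUSCATION_RE.search(text):
                findings.append((rel, "eval() over decoded payload"))
    return sorted(findings)


def build_sample_install(root):
    """Write a constructed miniature install: clean files plus the planted ones."""
    files = {
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "wp-includes/functions.php": "<?php function wp_clean() { return 1; }\n",
        "wp-includes/post.php": "<?php /* core code */\ninclude 'wp-vcd.php';\n",
        "wp-includes/wp-vcd.php": "<?php eval(gzinflate(base64_decode('H4sI')));\n",
        "wp-includes/wp-feed.php": "<?php $ips = array('203.0.113.5');\n",  # constructed IP
        "wp-includes/class.wp.php": "<?php /* constructed stand-in for the dropper */\n",
        "wp-content/themes/x/style.css": "/* no PHP here */\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Scan the constructed install in a throw-away directory."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_install(root)
        return scan_wordpress(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

On a real host, point scan_wordpress at the document root of every site owned by the same account, since the post notes the infection spreads across all of them. WP-CLI’s `wp core verify-checksums` gives an independent view by comparing wp-includes and wp-admin against the official release; any file it reports as not belonging to the release deserves the same scrutiny.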

Here is the sample content of class.wp.php:

The above code inserts a new user into the database.

It is also loading content from http://www.aotson.com/codexc.txt which contains the following instructions:

The hacker can target a specific infected site by changing the path remotely via http://www.aotson.com/codexc.txt. Pretty clever and super evil.

It is capable of spreading itself to all the WordPress sites, across different domain names, hosted under my user account (they share one file-system user, so code that can write to one site can write to all of them).

More detail can be found here: wp-vcd.php malware analysis.

Lesson learnt

It is clear that the root cause was my installing untrusted WordPress themes on the site.

Based on the evidence from the backup I have, the infection occurred earlier than mid-August.

However, the symptoms of unusual slowness and trouble only appeared towards the end of August.

Solution

Here is an article on how to remove the pub2srv malware, to learn more about this adware/malware.

Here are details from other people who faced the same issue.

I installed the Anti-Malware Security and Brute-Force Firewall plugin and ran a scan. The 254 affected files it found were removed after the scan.

I updated my WordPress theme to the latest version.

I reinstalled WordPress (version 4.8.2).

I also changed the WordPress login password.

I also changed the server user login password, just in case.

Final thought

Maintaining a website is similar to maintaining my health. I need to monitor it regularly to avoid another temporary death.

The site has been as good as dead for the past two months.

I realized that cyber risk is a real threat that could impact a lot of people. An infected site is capable of spreading malware to innocent visitors and might cause serious damage to them.

It is important to keep information systems secured so that I never encounter a similar incident again. Here is a self-study guide, the CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, that contains information on how to maintain security in a world surrounded by cyber risks. Grab a copy if you are interested.

MacBook: When Disk Utility Can’t Repair Your Disk

Apple MacBook is idiot-proof. I proved this myself.

The incident happened on an unlucky Friday morning, 29 January 2016, when there were some updates available for my six-year-old MacBook Pro. I was supposed to upgrade from OS X Yosemite 10.10.5 to the new OS X El Capitan 10.11.3.

I clicked “upgrade” in the App Store and waited for the laptop to restart. I walked away for some drinks and came back. Everything seemed normal up to the point where my stupidity changed the course of events. When I saw that the laptop was shut down (it was actually in the process of rebooting), I pressed the power button to turn it on.

That was when the trouble began. The MacBook Pro was not able to boot correctly. It got stuck at the boot screen at (approximately) 50 % progress forever. I waited 6 hours before trying to reboot, having read on the internet that a MacBook is smart enough to resume an update or upgrade from wherever it left off. So I tried again in the evening (by pressing the power button twice: a long press to shut down, then a press to boot) and let the laptop boot for the whole night.

The next morning, it was still stuck at 50 % in the startup process (after more than 12 hours of booting). I realized that my situation was different from the others who had the “same” problem. Mine was definitely a different case where something was corrupted (I suspected) because I pressed the power button exactly when the laptop was about to restart.

Recovery Mode

I searched online and found some useful short-cuts to get into different modes while booting a MacBook.

Note: From my experience, in order to enter the different modes successfully, you need to press and hold the key combinations after the white backlight lights up on the screen and you can release them after you see the Apple logo appears during the startup process.

I tried Command-Option-P-R to reset NVRAM: It did reset the NVRAM because I observed that something restarted after I pressed those keys. However, the booting process still hung at 50 %.

I tried Shift ⇧ to enter Safe Mode: I was not able to enter safe mode at all even after waiting for a long time.

I tried Command-S to enter single-user mode: I could enter this mode (with a bunch of text on the screen); however, it got stuck at the point where it needed access to “Macintosh HD”. So I never successfully tried anything in this mode.

I tried Command (⌘)-R to enter OS X Recovery mode: After successfully entering this mode, I was offered several options.

Mac Recovery Mode

In recovery mode, you have the following options:

  • Restore From Time Machine Backup
  • Reinstall OS X
  • Get Help Online
  • Disk Utility

The first option “Restore From Time Machine Backup” was not useful because I didn’t have any backups from Time Machine.

The last option, “Disk Utility”, was where I spent most of my time trying to rescue my old laptop.

Disk Utility

From the Disk Utility interface, I saw that the “Macintosh HD” was greyed out.

I tried almost all the combinations I could think of with the options offered by Disk Utility to rescue “Macintosh HD”. At first, I thought to myself that I needed to preserve my existing data, so I tried many different combinations of “solutions” (mount the “Macintosh HD” disk, verify and repair the “Macintosh HD” disk, restore the “Macintosh HD” disk to an external drive, etc.). All failed.

At some point, I came across an interesting article which states that by repeating the disk repair N times (with N large enough), it could work. But it didn’t work for me.

I even tried with a bash loop: “for ((c=0; c<25; c++)); do diskutil repairVolume /dev/disk0s2; done” Note: disk0s2 is the identifier for the “Macintosh HD” volume. Run “diskutil list” in Terminal to find out yours.

All the time I was getting:

“Error: -69845: File system verify or repair failed
Underlying error: 8: POSIX reports: Exec format error”

I was convinced that “Macintosh HD” was corrupted and dead.

Reinstall OS X

Since I was having no success trying to back up my data, I gave up on it. The idea then was to reinstall OS X on the “Macintosh HD” drive, which would potentially overwrite all my files. I was ready to erase and repartition “Macintosh HD”. This failed too. The disk was in really bad shape, I thought to myself.

As a consequence, the disk didn’t show up as an option when I tried to reinstall OS X. The whole day passed with no progress.

USB Drive to the rescue

The next day, I had no choice but to install the OS on an external drive. I chose the cheapest option: a USB drive (with at least 15 GB of storage, otherwise OS X won’t install).

USB Drive 32 GB

It took at least 6 hours to download the OS and install it to the USB drive. At first boot, everything was very slow. The runtime experience was really bad. But I noticed one thing when I opened System Preferences > Startup Disk:

Macintosh HD is alive

I saw something unbelievable: the “Macintosh HD” that I thought was dead was now available as a startup disk. Sure enough, after I selected it as the startup disk and rebooted, everything was working as normal again! My data was not lost.

Unbelievable.

USB drive that saved my MacBook

Final thought

When Disk Utility can’t repair your disk, reinstall OS X on an external drive and see if your data is accessible again.

Dengue Fever and Its Treatment

This is a record of me getting dengue fever and being admitted to the hospital. The whole process is recounted here as a reference for others interested in understanding more about dengue fever and its treatment. The story began about 3 weeks ago.

September 23, 2014, Tuesday: After having lunch with colleagues at a Thai restaurant, I started feeling uncomfortable in my throat in the afternoon. That night, I couldn’t sleep well; I had a serious sore throat. My throat was burning and felt dry. I woke up in the middle of the night, took a medicine (Ernest Jackson MAC Dual Action, Blackcurrant flavour, Hexylresorcinol, similar to Strepsils) that I had bought from a pharmacy some time ago, kept it in my mouth and went back to sleep. It lasted until I woke up around 0530 in the morning.

September 24, 2014, Wednesday: My sore throat got better while I was at work in the office. But starting at noon, I had mild pain all over my body and legs, especially my back, and I had a migraine too. I couldn’t sit properly and couldn’t concentrate at work. That night, I took 2 Panadols and had a good sleep. Panadol has a painkiller effect.

September 25, 2014, Thursday: Woke up in the morning feeling OK. Took Panadols again. At around 1000, the backache and migraine returned. I took half a day off from work and went to the Pan-Medic Polyclinic at Krystal Point. The queue was long. I waited for more than one hour for my turn to see the doctor. Suffering while waiting. I told the doctor about the symptoms and he gave me Paradeine (Dynapharm, Paracetamol 500 mg, Codeine Phosphate 8 mg) and Ponstan 500 mg (Dynapharm, Mefenamic Acid 500 mg). Fever 38.1 °C.

Plaster for back pain and medicines

I went back home at noon after lunch (had porridge as suggested by clinic doctor) and slept.

At night, unable to sleep well. Body feeling uncomfortable (I am unable to describe the exact experience).

September 26, 2014, Friday: Feeling OK in the morning; however, due to the effect of the medicine (sleepiness), I took leave for the day.

Slept whole day at home.

At lunch, food started to taste weird. I took the medicines after each meal (2 Paradeines and 1 Ponstan) and was hoping to get well soon.

Lost appetite and unable to sleep well due to hunger. Body felt itchy while sleeping. Sweated.

September 27, 2014, Saturday: The situation worsened. I completely lost my appetite and was unable to eat. Everything tasted bitter, even drinking water. (I started to blame the medicines I was taking, thinking that they were the cause of my situation. Therefore, I stopped taking them.)

Bought 100 plus.

Slept the whole day at home. My legs started to feel weak. I tried to go to the clinic again at around 1600 by bus, but it was closed.

Vomited after meal.

September 28, 2014, Sunday (admitted day 1): I felt weak and hungry. Vomited a few times.

French fries tasted awful.

Finally, I went to Pantai Hospital around 2000 by taxi (RM 12). Registered at the counter with my IC and the AIA insurance card from my company, and went to see the doctor.

Around 2100, the nurse asked me some questions (what happened to me, etc) to fill forms. Then a doctor came and asked the exact same questions and filled some forms. Then a third person, another doctor, came and asked the same questions again each filling their own forms! So I had been asked 3 times the same questions and repeated the same answers for 3 times.

The last doctor, who was also the one in charge of me, suspected that it was dengue fever. The nurse then put a needle in my right wrist. The experience was horrible. I felt pain, and my index and middle fingers were completely numb during the process. She took some blood and started the hospital drip (intravenous therapy).

Intravenous therapy (IV therapy or iv therapy in short) is the infusion of liquid substances directly into a vein. Intravenous simply means “within vein”. Therapies administered intravenously are often called specialty pharmaceuticals. It is commonly referred to as a drip because many systems of administration employ a drip chamber, which prevents air from entering the blood stream (air embolism), and allows an estimation of flow rate. – Wikipedia

I had a fever of 37.8 °C and was given 2 Panadols, 1 pill for stomachache, and 1 pill for vomiting.

Then I was sent to level 2, to a 4-bed room (room 232D), to wait for the blood test result. The room was very cold. It had a TV with Astro (华丽台), but the TV was hung from the ceiling, too high up, which made watching uncomfortable because I had to tilt my head up at least 45° (not a good posture).

At around 2200, the blood test result was out, and it was confirmed that I had dengue fever. Platelets: 97.

Blood test result: Dengue positive

I asked for something to eat and the nurse provided Milo and some biscuits. For the first time after these few days, I finally found something that could cure my hunger: hot Milo and biscuits.

Every 3 to 4 hours, the nurse would come and take the body temperature and blood pressure. It did affect my sleeping. The drip was replaced once it finished.

September 29, 2014, Monday (admitted day 2): The drip was removed in the morning around 0800 while I was having breakfast (bread, jam and butter), because the doctor saw that I had an appetite and could eat normally. A total of 3 bags of intravenous fluid were used.

Doctor took blood sample from left arm for blood test.

Since I was confirmed to have dengue fever, someone came with a questionnaire about where I live, where I normally eat, what time I go to work, which places have mosquitoes, whether I know anyone who has dengue, whether the office has mosquitoes, how my housemates are, etc.

At noon, my colleagues (wh, hl) came to visit bringing food and drink (that I still haven’t finished till this day): 100 plus, Vitagens, breads, Nestum, etc.

I chose porridge for my lunch and dinner which, in hindsight, was a bad choice because I had great difficulty finishing the meal. My appetite had not fully recovered.

In the afternoon, the nurse provided the anti-vomiting medicine.

At night, around 2000, colleagues (wh, hl, py, tk) came to visit, bringing some books to read.

Slept well that night.

September 30, 2014, Tuesday (admitted day 3): Felt a lot better. My legs were no longer feeling weak. I could walk with ease. (I think a good night’s sleep is really important for recovery.)

Coco Krunch cereal for breakfast. Finished everything.

Doctor took blood sample from left arm for blood test.

No longer had fever.

At noon, I moved from the 4-bed room to a 2-bed room, room 103B, because the AIA insurance from my company entitles me to at least a 2-bed room. This room was warmer and close to a window.

Appetite not fully recovered during lunch and dinner.

In the evening, colleagues (ch, cw) came, bringing biscuits and fruit (bananas).

Read books.

Didn’t sleep as well as the day before. I hadn’t taken a bath for a few days already, and this affected my sleep.

October 1, 2014, Wednesday (admitted day 4): Banana + Breakfast (oat cereal). Finished everything.

Read books.

Doctor took blood sample from right arm for blood test.

Appetite not fully recovered during lunch and dinner.

At noon, colleagues came (nch, yy, hl, tk) bringing my jacket.

The needle on my right wrist was removed.

Slept better at night.

October 2, 2014, Thursday (admitted day 5): Banana + Breakfast (oat cereal). Finished everything.

Doctor took blood sample from right arm for blood test.

At around 1000, the blood test result was out, and I was discharged. The doctor prepared an MC (medical certificate) for the whole week.

Medical certificate

Paid RM 300 by credit card, being 10% of the RM 3000 bill.

Receipt for hospitalization

The prescribed medicines were 4 pills of Panadols.

Panadols from Pantai Hospital

On the day I was discharged and went back home, I saw a notice at BJ Court that during that week there had been 7 cases of dengue at BJ Court alone! I was one of the unlucky victims.

Summary for dengue treatment

Below are my platelet and white blood cell levels during the treatment at Pantai Hospital:

Note: The reference range for a healthy person is 150 to 400 for platelets and 4.0 to 11.0 for white blood cells (both in units of 10^9/L).

From this experience, I learned that you can:

  • Take Panadols for the fever
  • Take medicines for vomiting and stomachache so that you can keep eating (avoid an empty stomach)
  • As the doctor said, don’t force yourself to eat. You will eat naturally.
  • Go to the hospital for a blood test and get a hospital drip for hydration (according to my colleague, you need to get a letter from the clinic doctor first before going to the hospital for the blood test, otherwise you run the risk of not being covered by insurance if it turns out you didn’t have dengue fever. I missed this step)
  • Sleep well to recover more quickly

There isn’t any cure for dengue. Your body needs to recover by itself. During this time, you will lose your appetite, be unable to sleep well (itchy skin) and feel weak.

Some colleagues recommend papaya leaves for the recovery. I haven’t tried that yet.

Papaya leaf

After being discharged from the hospital, I found it hard to concentrate for the next several days. I think that is a side effect of the dengue fever. However, as of today, I no longer have that feeling. I think I am fully recovered.