2026, What

What Happened on February 1

At around 4am on February 1, Abelfamily.ca was attacked again. I will list the technical details later in the post, but I thought there was room to report on the non-technical issues first. I believe that this is the last malicious incursion for a long time.

Victimhood

As I often say, it is counterproductive to view yourself as a victim in a situation such as this. I believe that the last incursion is the result of allowing passwords to go unchanged for too long. You can always trace your virus or incursion problems to your own stewardship of your online processes.

Why Abelfamily.ca

Every so often, I write about my reasons for operating the Abelfamily.ca website. Abelfamily.ca predates Facebook, Instagram, etc. Originally I used HTML programming, followed by installed photo apps, followed by WordPress, eventually converting everything into a blog. Unlike when I began this project, it is now the norm to have an online presence for photos and news; in fact, there is no shortage of apps and systems to facilitate this. Why not make the final jump and move to Instagram (or something) and concentrate on the content alone? Simply, I would like to keep whatever skills I have in this realm reasonably sharp. If you go on to read the technical notes that accompany this post, you will see that this incursion could not have been quickly resolved if I did not have a pretty good grasp of how things work.

Artificial Intelligence

AI was instrumental in bringing this sorry incident to a quick conclusion. In my opinion, proper use of AI involves a very precise objective and a very precise query. Identifying malicious code using AI was unbelievably efficient.

WARNING TECH TALK AHEAD

This incursion was the most serious: an example of a “back door” malicious infection. A back door infection usually means that a password has been compromised. At some point, code is cleverly inserted into files that feed information to the villain. In this case, I fixed the more audacious symptoms first; but the malicious code was pretty deeply embedded, and I needed to find and remove quite a lot, followed by multiple password changes.

The original incursion inserted 9000+ blog posts leading to gambling sites. This was actually fairly easy to address; I reconfigured the view inside the WordPress management system and removed the offensive entries 400 at a time. I removed some malicious redirects (now routine) and everything looked good. A couple of days later the site was okay, but after I added a couple of pages, I noticed that while navigating forwards and backwards, the user was being redirected to a gambling site. It was not serious, but clearly there were other problems to be addressed.

This time, there were no gambling sites in the WordPress blog list, so I checked and found that it is somehow possible to have entries in the SQL database that do not appear in the blog. I looked into the SQL database and found over 7000 gambling site entries. Further, the user ID attached to these entries did not belong to any configured user. This is quite surprising, but apparently such a thing is possible. I removed the 7000 malicious entries with a single SQL command.

A direct incursion into the database using an ID that I did not create is as serious as it gets; it definitely requires more than just addressing the symptoms. You may recall that I installed a page cache a few weeks ago. I got rid of it without digging further; it is the sort of plugin that can lead to these types of problems. To my surprise, there was a lot of malicious code in the theme file; I retreated to a generic theme, obliterated the infected theme, then reloaded it from scratch. I then checked the entire upload directory for .php files; apparently this is a common trick, so I’ll keep looking for it in the future, but none were found as a result of this infection. Next was a wholesale change of passwords. Finally (with AI assistance) I found the original “back door” infection code in the config file.
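As an added illustration (not the command the author actually ran), here is how the "posts attached to a user ID that does not exist" check and cleanup described above can be done in MySQL against a standard WordPress schema. It assumes the default wp_ table prefix and that the matching postmeta rows should go too; inspect the first query's output before deleting, since a few plugins legitimately create posts with author 0.

```sql
-- Added example, not from the original post. Assumes the default "wp_" prefix;
-- adjust if wp-config.php sets another. Take a database backup first.

-- 1. Inspect posts whose post_author matches no row in wp_users. The status
--    column matters: statuses the admin list does not show (or post types it
--    hides) are how rows "exist in SQL but not in the blog".
SELECT p.ID, p.post_author, p.post_status, p.post_type, p.post_date, p.post_title
FROM wp_posts AS p
LEFT JOIN wp_users AS u ON u.ID = p.post_author
WHERE u.ID IS NULL
ORDER BY p.post_date DESC
LIMIT 50;

-- 2. Count them so the number can be compared with what is removed.
SELECT COUNT(*) AS orphaned_posts
FROM wp_posts AS p
LEFT JOIN wp_users AS u ON u.ID = p.post_author
WHERE u.ID IS NULL;

-- 3. Remove the orphaned posts and their metadata in one transaction.
START TRANSACTION;

DELETE pm
FROM wp_postmeta AS pm
JOIN wp_posts AS p ON p.ID = pm.post_id
LEFT JOIN wp_users AS u ON u.ID = p.post_author
WHERE u.ID IS NULL;

DELETE p
FROM wp_posts AS p
LEFT JOIN wp_users AS u ON u.ID = p.post_author
WHERE u.ID IS NULL;

COMMIT;

-- 4. Recurring check after cleanup: any row returned here is new and worth
--    looking at, as is any account in wp_users you do not recognise.
SELECT p.post_author, COUNT(*) AS posts
FROM wp_posts AS p
WHERE NOT EXISTS (SELECT 1 FROM wp_users AS u WHERE u.ID = p.post_author)
GROUP BY p.post_author;

SELECT ID, user_login, user_email, user_registered FROM wp_users ORDER BY user_registered DESC;
```

The multi-table DELETE syntax is MySQL/MariaDB specific; on other engines use a DELETE ... WHERE post_author NOT IN (SELECT ID FROM wp_users) form instead.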

I invested a little over 10 hours in this; I expect that I could do it in less than a quarter of the time if I were to encounter a similar situation in the future.