Housekeeping: Cultofmac.com Hacked With Viagra Spam And Windows Viruses


Cultofmac.com may have been infected with the System Security 2009 Trojan. Luckily, it's Windows only. Screenshot from Malware Help. Org.

Just spent two days recovering from a hack attack at Cultofmac.com. The site was a seething cesspit of Viagra spam and — get this — Windows malware.

Looks like hackers compromised an FTP login to our host (a notorious weak spot), allowing the filthy scumbags to inject hidden spam into almost every post we’ve ever published (more than 3,500 articles).

The lowlifes also added a malware redirect to a couple of index.php files. The redirects were located inside hidden iframes, and took a bit of finding. Not sure how these manifested themselves, but they seem to have popped up in the site’s RSS feed. At least one reader seems to have been infected with the System Security 2009 Trojan and the Bloodhound PDF virus — both Windows malware. Sorry Chris!

Luckily, most of you guys are on the Mac, or I’d have a lot more apologising to do.

I’ve spent the last two days downloading the site database, doing a global search/replace to remove the spam and virus links, and then re-uploading the DB.

I changed all the logins/passwords to everything; killed a bunch of old and dodgy-looking accounts on the site and host; and locked down the site with WordPress plugins to prevent brute-force logins and the like.
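A check for the two kinds of injected content described above (hidden spam blocks inside post bodies, and hidden or zero-size iframe redirects in templates), added here as an example and not part of the original post or the site's own tooling. The CSS patterns, keyword list and sample post are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px", re.I)
SPAM_WORDS = ("viagra", "cialis", "casino")                # constructed keyword list
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}   # tags with no closing tag

class HiddenContentScanner(HTMLParser):
    # Flags hidden or zero-size iframes, and hidden blocks holding spam words or links.
    def __init__(self):
        super().__init__()
        self.findings, self._depth, self._text, self._links = [], 0, [], 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tag == "iframe":
            zero = a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
            if hidden or zero or self._depth:
                self.findings.append(("hidden_iframe", a.get("src", "")))
        if self._depth:                      # already inside a hidden element
            self._links += tag == "a"
            self._depth += tag not in VOID_TAGS
        elif hidden and tag not in VOID_TAGS:
            self._depth, self._text, self._links = 1, [], 0

    def handle_data(self, data):
        if self._depth:
            self._text.append(data)

    def handle_endtag(self, tag):
        if self._depth and tag not in VOID_TAGS:
            self._depth -= 1
            if self._depth == 0:             # hidden element closed: judge its contents
                hits = [w for w in SPAM_WORDS if w in " ".join(self._text).lower()]
                if hits or self._links:
                    self.findings.append(("hidden_spam", f"{self._links} links, keywords {hits}"))

def scan_html(html):
    """Returns (kind, detail) findings for one post body or PHP/HTML template."""
    scanner = HiddenContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample post body: one hidden spam block and one hidden iframe redirect.
SAMPLE_POST = """<p>Apple shipped a new MacBook today.</p>
<div style="display:none">cheap viagra <a href="http://pharma.example/">buy now</a></div>
<iframe src="http://malware.example/r.php" width="0" height="0" style="visibility:hidden"></iframe>
<p>Full review after the jump.</p>"""
```

Run `scan_html` over each row of the posts table (or each theme file) before the search/replace cleanup to get a list of what was injected, rather than guessing at patterns.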


Amazingly it all seems to have worked, because I’ve no idea what I’m doing.

There may be a few gremlins in the RSS feed. New feeds are working fine, but I’m unable to get my old feeds to update. If you’re having the same problem, just cross your fingers and we’ll all hope together that the problem magically fixes itself tomorrow, especially because I’ve got a major scoop.

About the author

Leander Kahney is the editor and publisher of Cult of Mac, and author of three books about technology culture: Inside Steve’s Brain, the New York Times bestseller about Steve Jobs; Cult of Mac; and Cult of iPod. Leander has written for Wired, MacWeek, Scientific American, and The Guardian in London. Follow Leander on Twitter @lkahney and Facebook.


  • http://www.eunomia.com.ar/blog Moriz

    It would be great if you posted the WordPress plug-ins you use to keep SPAM out, since it’s a pain in the @ss for all of us using WordPress.

    • http://cultofmac.com Leander Kahney

      The only spam plugin we’re using is Akismet, which filters comment spam (there’s a ton of it). But the spam I cleaned out was the result of a malicious hack. There are no ‘spam’ plugins per se to guard against this — it’s a question of site security.

  • Mike

    I received a virus yesterday and it happened on this site. I thought it was a coincidence, but it popped up as soon as I came here. Damn Windows !!!!! Should have been on my Mac!

  • dave

    You don’t keep a backup copy of the database offsite (ie, not on the hosting service)?

    • http://cultofmac.com Leander Kahney

      I do, but that was corrupted also.

  • http://www.stormymondays.com/home/ Jorge

    Wow. I hope this is the reason for the truncated RSS feed. Please go back to full feeds!

    While we’re at it, please lose the “daily deals” thing, or if it’s making you that much money, give us a deals-free RSS option :-)

    • http://cultofmac.com Leander Kahney

      Again, gotta make some revenue. Please be patient. We’re trying the Daily Deals for a month or two. If it’s a bomb, we’ll kill it.

  • Giga

    My work PC came down hard with it. It took all day to tear down the OS, clean it and rebuild it. The Tech guys said it was bad and kept saying malware; they seemed very surprised. We have extensive filtering, firewalls, or whatever, and a network of hundreds of PCs and Macs too. Yikes.

  • Ken Cohen

    After all these years, I still don’t understand what these people (“the filthy scumbags“) have to gain from this. Is this kind of vandalism just another way for them to spread their spam around? Or is the main satisfaction they get psychological? Any comments?

  • Frank Lowney

    Cult of Mac hosted on Windoze? Oh the ignominy of it all!

  • Karter

    Yeah I was visiting your site last night on my PC laptop and before I knew it I was hit with the nasty System Security 2009 Trojan. Took me 3 hours to clean that out of my computer.

  • thanx_al

    Why is CoM served from a Windows server?

  • Tom

    I got hit at work yesterday…

    Ran the virus check and had to yank off the System Security Trojan. Everything seems to be back up to speed… didn’t seem to take more than an hour, which makes me worried that perhaps I missed something…

  • Les

    Come now. The server doesn’t have to be Windows to serve up Windows-targeted malware. This is how rumors start.

  • Slinky

    I’m forced to use a PC for work (home life is a world of Mac zen!!) and cultofmac is part of my morning routine. I got hit by this a couple of days ago and I wasn’t happy. It took me about 3 hours to recover (and then about 6 to scan all the disks I had accessed that day). At least now I know where I picked up the bug!!!

    Don’t worry…CultOfMac still rocks! I am still visiting.

  • Pete Mortensen

    Thanks, @Les. I can assure you, we’re not hosted on Windows. We aren’t hosted on Mac OS X, either, but then, just about no one is.

  • nak

    No offense intended, but FTP? HIDDEN iframes? Yup, I trust you. Hah!

    It’s not like I was ever a big fan of this site, what with its one-sided view of the world… but seriously. You guys give Mac users a bad name already, and now ever more so. Security schemeritty.

    bookmark *pewf*

    And I’m sure you won’t publish this comment, but whatever.

    Enjoy obscurity, just like Wired.

  • Mystical

    So now I know what happened when the antivirus popped up after visiting your site using my manager’s computer at work.
    Fortunately her antivirus had real-time scanning on, otherwise this would have been a mess for me right now.

  • thanx_al

    My bad – I thought the screen shots were from the server.

    I also thought there might be some hidden advantage to serving from a Windows server. I know no one serves from Mac OS X, but thought it odd to use Windows server given its troubles.

    My faith in CoM has been restored.

  • Lost at Work

    Yep, my company blocked this site today. It was pretty odd yesterday when everything came to a crawl on my office PC. Could not figure out what happened. It was a bright spot in an otherwise gray office life.

    Oh and nak, good luck to you spending your life trying to get print drivers to work and your “high value” laptops to switch to a different wi-fi connection profile. I swear that I was able to get my IBM T60 to connect in under 10 mins.

  • Rask

    Sounds like you got hit with a SQL injection attack, not a brute force against your FTP.

    These typically happen when attackers put specially crafted SQL database commands in your site inputs (like comment fields and logins) to insert data into your database (like redirects etc.).

    These have been done successfully on a variety of database servers as well from MS SQL server to MySQL etc.

    This isn’t something that can be fixed on the back end; the code on your site must validate that what people are entering in these fields doesn’t contain certain sequences of characters.

    http://en.wikipedia.org/wiki/Sql_injection

    • http://cultofmac.com Leander Kahney

      @raskhp. Thanks for the info. Sounds right — I think that’s exactly what happened. But I think there was also a separate attack that infected the site with malware. Now taking precautions against all kinds of attacks.
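The comment-field case Rask describes, as an added example (not code from the post, the site or any commenter): a comment insert built by string concatenation next to the parameterized form, which is the standard fix because the database driver binds the input as data instead of parsing it as SQL. The table, the inputs and the `INJECTED` marker are constructed; the sqlite3 module stands in for the site's database.

```python
import sqlite3

# Constructed inputs: a legitimate name with an apostrophe, and one that closes
# the quoted value list early and starts a second row, so whoever submits the
# comment chooses what lands in the `body` column.
APOSTROPHE_AUTHOR = "O'Brien"
CRAFTED_AUTHOR = "mallory', 'INJECTED'), ('x"

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn

def insert_comment_unsafe(conn, author, body):
    # Vulnerable: input is spliced into the SQL text, so a quote in the input
    # changes the structure of the statement instead of being stored.
    conn.execute(f"INSERT INTO comments (author, body) VALUES ('{author}', '{body}')")
    conn.commit()

def insert_comment_safe(conn, author, body):
    # Hardened: placeholders bind the input as data; no character blacklist needed.
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    conn.commit()

def stored_comments(conn):
    return conn.execute("SELECT author, body FROM comments ORDER BY id").fetchall()

def demo():
    """Runs both inputs through each version and returns what ended up stored."""
    results = {}
    conn = new_db()
    try:
        insert_comment_unsafe(conn, APOSTROPHE_AUTHOR, "Nice post")
        results["unsafe_apostrophe"] = "stored"
    except sqlite3.OperationalError:          # the apostrophe broke the statement
        results["unsafe_apostrophe"] = "syntax error"
    insert_comment_unsafe(conn, CRAFTED_AUTHOR, "Nice post")
    results["unsafe_crafted"] = stored_comments(conn)   # attacker-chosen row appears

    conn = new_db()
    insert_comment_safe(conn, APOSTROPHE_AUTHOR, "Nice post")
    insert_comment_safe(conn, CRAFTED_AUTHOR, "Nice post")
    results["safe"] = stored_comments(conn)             # both stored verbatim as text
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The syntax error on a plain apostrophe is the same defect as the injection: both show the input reaching the SQL parser, which is why an error on `O'Brien` in a log is worth treating as a security finding and not just a bug.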

  • James McDaniel

    What’s up with the switchover from full RSS feed to only the first 80 words or so? I assume this is an attempt (like usual) to force readers to click through to the main site so at least six different ads can load? Your RSS feed *already* has advertisements!

    Sorry, but I don’t subscribe to partial feeds. I read many hundreds of articles per day in my RSS reader (NetNewsWire) and I don’t have time to wait for 5-10 seconds for each and every article to load. (I’ve added it up, it would waste at least an extra hour every day for me.)

    Let me know when you go back to full RSS feeds and I’ll re-subscribe.

  • Travis

    Another vote for the full RSS feed. I tend to unsubscribe from sites that switch to a partial feed. Not enough time in the day to click every article that I’m interested in.

  • Travis

    As much as I like the site, the partial feeds are driving me away. I’ve waited a few weeks for a response here, or through email (which I sent before posting here), but as I browse the RSS feed, the advertisements take up more real estate in my feed reader than the actual content of your site.

  • Andrew P.

    Keeping the riff-raff out is an ongoing challenge and learning process. The trick is to make it sufficiently painful and slow to break in that they’d rather move along and bother someone else. As volunteer Webmaster for a local library support organisation, I found out the hard way in the summer of 2009, when a PHP email form was being hijacked to broadcast spam, using our mail domain. I became concerned that our entire domain might get blacklisted and blocked, or possibly suspended by the ISP. It took some study and trial-and-error, but eventually I succeeded in modifying the PHP pages to prevent code injection attacks, so there has been no more rogue activity for some 9 months now. I never found out who the spammer was, but I believe he was based in Russia.