Housekeeping: Cultofmac.com Hacked With Viagra Spam And Windows Viruses
11:13 am, July 22nd, 2009, Leander Kahney

Cultofmac.com may have been infected with the System Security 2009 Trojan. Luckily, it's Windows only. Screenshot from Malware Help. Org.
Just spent two days recovering from a hack attack at Cultofmac.com. The site was a seething cesspit of Viagra spam and — get this – Windows malware.
Looks like hackers compromised an FTP login to our host (a notorious weak spot), allowing the filthy scumbags to inject hidden spam into almost every post we’ve ever published (more than 3,500 articles).
The lowlifes also added a malware redirect to a couple of index.php files. The redirects were located inside hidden iframes, and took a bit of finding. Not sure how these manifested themselves, but they seem to have popped up in the site’s RSS feed. At least one reader seems to have been infected with the System Security 2009 Trojan and the Bloodhound PDF virus — both Windows malware. Sorry Chris!
Luckily, most of you guys are on the Mac, or I’d have a lot more apologising to do.
I’ve spent the last two days downloading the site database, doing a global search/replace to remove the spam and virus links, and then re-uploading the DB.
I changed all the logins/passwords to everything; killed a bunch of old and dodgy-looking accounts on the site and host; and locked down the site with WordPress plugins to prevent brute-force logins and the like.
Amazingly it all seems to have worked, because I’ve no idea what I’m doing.
There may be a few gremlins in the RSS feed. New feeds are working fine, but I’m unable to get my old feeds to update. If you’re having the same problem, just cross your fingers and we’ll all hope together that the problem magically fixes itself tomorrow, especially because I’ve got a major scoop.
Posted by Leander Kahney in Cult of Mac
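The post describes two kinds of injected content: spam links hidden inside every article and malware redirects inside hidden iframes. The cleanup was a global search/replace over the exported database. The scanner below is an added example (not code from the post or from Cult of Mac) of the check a site owner would run over an exported post table before and after such a cleanup: it flags iframes that are styled invisible or sized to a pixel, and hidden blocks stuffed with links, then strips them. The post contents, the `pharma.example` and `redirect.example` hosts and the keyword list are all constructed for the example.

```python
"""Scan WordPress-style post HTML for injected hidden iframes and hidden spam link blocks.

Added example: a defender-side scanner over a constructed sample of post bodies,
the kind of check one runs over an exported wp_posts dump before and after cleaning.
"""
import re

# Inline styles that hide an element from readers but not from search engines.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|position\s*:\s*absolute[^\"']*(?:left|top)\s*:\s*-\d{3,}", re.I)
# iframes are the classic redirect vehicle; a 0x0 or 1x1 frame hides them too.
IFRAME = re.compile(r"<iframe\b[^>]*>.*?</iframe>", re.I | re.S)
TINY_DIM = re.compile(r"\b(?:width|height)\s*=\s*[\"']?0*[01][\"']?(?:\s|>|/)", re.I)
# Non-nested <div style=...>...</div> blocks, the usual container for link stuffing.
HIDDEN_DIV = re.compile(r"<div\b[^>]*style\s*=\s*[\"'][^\"']*[\"'][^>]*>.*?</div>", re.I | re.S)
ANCHOR = re.compile(r"<a\b[^>]*href\s*=\s*[\"']([^\"']+)[\"']", re.I)
# Constructed keyword list for the pharma spam the post mentions.
SPAM_WORDS = re.compile(r"viagra|cialis|pharmacy", re.I)

# Constructed sample post bodies (post_id -> HTML); not real Cult of Mac data.
SAMPLE_POSTS = {
    101: "<p>Apple posts record quarter.</p>",
    102: ('<p>New iPhone review.</p>'
          '<div style="display:none"><a href="http://pharma.example/viagra">cheap viagra</a> '
          '<a href="http://pharma.example/cialis">cialis online</a></div>'),
    103: ('<p>Index page</p>'
          '<iframe src="http://redirect.example/x.php" width="1" height="1" '
          'style="visibility:hidden"></iframe>'),
    104: '<div style="float:left"><a href="http://example.org/a">link</a></div><p>legit sidebar</p>',
}


def find_indicators(html):
    """Return a list of (kind, snippet) for suspicious elements in one post body."""
    findings = []
    for m in IFRAME.finditer(html):
        tag = m.group(0)
        if HIDDEN_STYLE.search(tag) or TINY_DIM.search(tag):
            findings.append(("hidden_iframe", tag))
    for m in HIDDEN_DIV.finditer(html):
        block = m.group(0)
        if not HIDDEN_STYLE.search(block):
            continue  # visible div: float/margin styling is normal in post content
        links = ANCHOR.findall(block)
        # A hidden block is suspicious when it carries spam vocabulary or a pile of links.
        if links and (SPAM_WORDS.search(block) or len(links) >= 3):
            findings.append(("hidden_link_block", block))
    return findings


def clean_post(html):
    """Strip every flagged element; returns (cleaned_html, number_removed)."""
    removed = 0
    for _, snippet in find_indicators(html):
        if snippet in html:
            html = html.replace(snippet, "")
            removed += 1
    return html, removed


def scan_posts(posts):
    """posts: dict of post_id -> HTML. Returns {post_id: [kinds]} for flagged posts only."""
    report = {}
    for pid, body in posts.items():
        kinds = [kind for kind, _ in find_indicators(body)]
        if kinds:
            report[pid] = kinds
    return report


if __name__ == "__main__":
    for pid, kinds in scan_posts(SAMPLE_POSTS).items():
        print(pid, kinds)
```

Regex-based matching is deliberate here: injected markup in a database dump is rarely well-formed enough for an HTML parser, and the exported text is what the search/replace operated on. A clean scan after re-uploading the database is the evidence that the replace actually caught everything.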
It would be great if you posted the WordPress plug-ins you use to keep SPAM out, since it’s a pain in the @ss for all of us using WordPress.
Moriz, on July 22nd, 2009 at 11:19 am
I received a virus yesterday and it happened on this site. I thought it was a coincidence, but it popped up as soon as I came here. Damn Windows !!!!! Should have been on my Mac!
Mike, on July 22nd, 2009 at 11:28 am
You don’t keep a backup copy of the database offsite (ie, not on the hosting service)?
dave, on July 22nd, 2009 at 11:38 am
Wow. I hope this is the reason for the truncated RSS feed. Please go back to full feeds!
While we’re at it, please lose the “daily deals” thing, or if it’s making you that much money, give us a deals-free RSS option
Jorge, on July 22nd, 2009 at 11:48 am
My work PC came down hard with it. It took all day to tear down the OS, clean it and rebuild it. The tech guys said it was bad and kept saying malware, seemed very surprised. We have extensive filtering, firewall, or whatever. Network of hundreds of PCs and Macs too. Yikes.
Giga, on July 22nd, 2009 at 11:51 am
Again, gotta make some revenue. Please be patient. We’re trying the Daily Deals for a month or two. If it’s a bomb, we’ll kill it.
Leander Kahney, on July 22nd, 2009 at 12:34 pm
I do, but that was corrupted also.
Leander Kahney, on July 22nd, 2009 at 12:34 pm
The only spam plugin we’re using is Akismet, which filters comment spam (there’s a ton of it). But the spam I cleaned out was the result of a malicious hack. There are no ‘spam’ plugins per se to guard against this — it’s a question of site security.
Leander Kahney, on July 22nd, 2009 at 12:37 pm
After all these years, I still don’t understand what these people (“the filthy scumbags“) have to gain from this. Is this kind of vandalism just another way for them to spread their spam around? Or is the main satisfaction they get psychological? Any comments?
Ken Cohen, on July 22nd, 2009 at 1:28 pm
Cult of Mac hosted on Windoze? Oh the ignominy of it all!
Frank Lowney, on July 22nd, 2009 at 2:08 pm
Yeah I was visiting your site last night on my PC laptop and before I knew it I was hit with the nasty System Security 2009 Trojan. Took me 3 hours to clean that out of my computer.
Karter, on July 22nd, 2009 at 3:28 pm
Why is CoM served from a Windows server?
thanx_al, on July 22nd, 2009 at 4:57 pm
I got hit at work yesterday…
Ran the virus check and had to yank off the System Security Trojan. Everything seems to be back up to speed… didn’t seem to take more than an hour, which makes me worried that perhaps I missed something…
Tom, on July 22nd, 2009 at 5:39 pm
Come now. The server doesn’t have to be Windows to serve up Windows-targeted malware. This is how rumors start.
Les, on July 22nd, 2009 at 6:27 pm
I’m forced to use a PC for work (home life is a world of Mac zen!!) and cultofmac is part of my morning routine. I got hit by this a couple of days ago and I wasn’t happy. It took me about 3 hours to recover (and then about 6 to scan all the disks I had accessed that day). At least now I know where I picked up the bug!!!
Don’t worry…CultOfMac still rocks! I am still visiting.
Slinky, on July 22nd, 2009 at 8:23 pm
Thanks, @Les. I can assure you, we’re not hosted on Windows. We aren’t hosted on Mac OS X, either, but then, just about no one is.
Pete Mortensen, on July 22nd, 2009 at 9:00 pm
No offense intended, but FTP? HIDDEN iframes? Yup, I trust you. Hah!
It’s not like I was ever a big fan of this site, what with its one-sided view of the world… but seriously. You guys give Mac users a bad name already, and now even more so. Security schemeritty.
bookmark *pewf*
And I’m sure you won’t publish this comment, but whatever.
Enjoy obscurity, just like Wired.
nak, on July 22nd, 2009 at 11:29 pm
So now I know what happened when the antivirus popped up after visiting your site using my manager’s computer at work.
Fortunately her antivirus had its real-time scanning on, otherwise this would have been a mess for me right now.
Mystical, on July 23rd, 2009 at 5:19 am
My bad – I thought the screen shots were from the server.
I also thought there might be some hidden advantage to serving from a Windows server. I know no one serves from Mac OS X, but thought it odd to use Windows server given its troubles.
My faith in CoM has been restored.
thanx_al, on July 23rd, 2009 at 8:07 am
Yep, my company blocked this site today. It was pretty odd yesterday when everything came to a crawl on my office PC. Could not figure out what happened. It was a bright spot in an otherwise gray office life.
Oh and nak, good luck to you spending your life trying to get print drivers to work and your “high value” laptops to switch to a different wi-fi connection profile. I swear that I was able to get my IBM T60 to connect under 10 mins.
Lost at Work, on July 23rd, 2009 at 7:35 pm
Sounds like you got hit with a SQL injection attack, not a brute force against your FTP.
These typically happen when attackers put specially crafted SQL database commands into your site inputs (like comment fields and logins) to insert data into your database (like redirects etc.).
These have been done successfully on a variety of database servers as well, from MS SQL Server to MySQL etc.
This isn’t something that can be fixed on the back end, but your code on the site must validate that what people are entering in these fields doesn’t contain certain sequences of characters.
http://en.wikipedia.org/wiki/Sql_injection
Rask, on July 24th, 2009 at 4:26 am
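The comment above describes SQL injection: input from a form field becoming part of the SQL text the site runs. The example below is added here and is not code from the post, the commenter or WordPress; it uses Python's standard sqlite3 module with a constructed in-memory `users` table to show a login check written by string formatting beside the same check written with bound parameters. With the formatted version, a quote in the input changes the query's structure; with the parameterized version, the driver passes the input as data, so no character filtering is needed for the query itself. The table, the user and the password are constructed.

```python
"""Vulnerable string-built query beside its parameterized form (added example).

Constructed sqlite3 in-memory database; no real accounts or site code involved.
"""
import sqlite3


def make_db():
    """Build a throwaway users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('editor', 'correct-horse')")  # constructed
    conn.commit()
    return conn


def login_unsafe(conn, name, password):
    """The bug: user input is spliced into the SQL text, so quotes in the input
    become part of the query's structure rather than data."""
    sql = f"SELECT count(*) FROM users WHERE name = '{name}' AND password = '{password}'"
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        # A stray quote (even a legitimate one, as in O'Brien) breaks the statement.
        return False


def login_safe(conn, name, password):
    """The fix: placeholders are bound by the driver; the input never touches
    the SQL text, so it cannot change what the query does."""
    sql = "SELECT count(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def compare(name, password):
    """Run both versions on the same input; returns (unsafe_result, safe_result)."""
    conn = make_db()
    try:
        return login_unsafe(conn, name, password), login_safe(conn, name, password)
    finally:
        conn.close()


if __name__ == "__main__":
    print("valid credentials:", compare("editor", "correct-horse"))
    print("apostrophe in name:", compare("o'brien", "x"))
    print("tautology in password:", compare("editor", "x' OR '1'='1"))
```

The third case is the textbook tautology: spliced into the unsafe query it turns the WHERE clause into `... OR '1'='1'`, which is true for every row, so the string-built check reports a successful login without the password; the parameterized query compares the whole string against the stored password and correctly rejects it. The apostrophe case shows the other cost of string building: an ordinary name makes the query malformed, which is also why blocklisting characters is a poor substitute for binding parameters.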
@raskhp. Thanks for the info. Sounds right — I think that’s exactly what happened. But I think there was also a separate attack that infected the site with malware. Now taking precautions against all kinds of attacks.
Leander Kahney, on July 24th, 2009 at 5:38 am
What’s up with the switchover from full RSS feed to only the first 80 words or so? I assume this is an attempt (like usual) to force readers to click through to the main site so at least six different ads can load? Your RSS feed *already* has advertisements!
Sorry, but I don’t subscribe to partial feeds. I read many hundreds of articles per day in my RSS reader (NetNewsWire) and I don’t have time to wait for 5-10 seconds for each and every article to load. (I’ve added it up, it would waste at least an extra hour every day for me.)
Let me know when you go back to full RSS feeds and I’ll re-subscribe.
James McDaniel, on July 24th, 2009 at 8:45 am
Another vote for the full RSS feed. I tend to unsubscribe from sites that switch to a partial feed. Not enough time in the day to click every article that I’m interested in.
Travis, on August 11th, 2009 at 3:46 pm
As much as I like the site, the partial feeds are driving me away. I’ve waited a few weeks for a response here, or through email (which I sent before posting here), but as I browse the RSS feed, the advertisements take up more real estate in my feed reader than the actual content of your site.
Travis, on August 27th, 2009 at 12:33 am