he grew a beard
So: we found backdoor shells and various files infected with eval() and unescape() items that turned into the nasty iframes. We decided the best thing to do was throw it all away and start from scratch.
We've changed all the passwords every twenty seconds to various strings of unintelligible gibberish. We've thrown away every bit of code from the old site and re-downloaded fresh, current items. We've scanned incessantly for injection vulnerabilities without finding any. I scanned my laptop with three different AV programs. We updated every bit of software to be the latest and greatest. The server is now in full Dwarf Fortress mode. This time I think we killed it, but these things require constant vigilance and only time will tell.
In the process we broke some things—say hello to yet another ugly, not very functional version of the board!—but right now we're just trying to get online. If/when this proves stable we'll start restoring the stuff that was broken. Cross your fingers.
Yesterday people started telling me the site had been flagged by Google for hosting malware, and we found it. It appears to be a database thing not actually related to Drupal since another site on the server running WordPress got hit at the same time, and it only places the bad code in the files intermittently—so when it was gone yesterday I thought it was gone for good. If you actually get infected it will be very obvious. Instructions on how to remove "System Tool" are all over the google, but usually the best course of action is to do a system restore.
I'm going to be monitoring this closely the rest of the day, but my body has its own malware—zing!—and I feel miserable so other than watching for iframes like a hawk I am taking a sick day.
A thousand apologies for any trouble this caused people.
Usual post-disaster measures have been implemented: you need to be a "basic user" (100 points) to comment and "trusted" to start yet another redundant thread. Kitten:
Happy New Year!
via Roar of the Tigers.
Also the front of the MGoWedding's save the date cards, minus the elder-terrifying text.
It's time for the annual approximately week-long Christmas break, which extends from tomorrow, the 23rd, to the 28th. Normal blog service resumes the 29th, with exceptions made for breaking news of an important variety. A recruiting dead period just began and the only sporting event in the interim is a basketball game against Bryant they should win by 30, so monumental news is unlikely.
Merry Christmas/Holiday of Choice.
You'll notice some more obtrusive ads on the site for Dunning Toyota, as we've just sold some local advertising(!) for the first time. This is a temporary "site takeover" similar to what Gawker does that will run through Sunday. In the future these types of events will be rare—maybe a couple days a month if we can swing it—so we don't upset the balance between making the site a success and annoying the people who make it so. (This is you.)
Other site bits:
Holiday schedule: UFR the second tomorrow—it's the offense so no danger of throwing up turkey—and a couple other scattered posts but a relatively lighter schedule; full preview Friday as per usual.
Friendly fire: yesterday's post about the offense was hot on the heels of an in-depth diary that looked at a lot of different stats. One of those was points per drive, which I've seen bandied about many places by Rodriguez haterz as a reason the offense isn't actually two standard deviations above the mean. I took issue with that, but wasn't trying to bash blublooded, the author. The timing looks bad. So to be explicit: no offense was intended.
In an effort to keep the moderators from pulling their hair out we've gone back to semi-lockdown, where you need 500 points to start a thread and 100 points to leave a comment. Things will return to normal Monday whenever I remember to change the settings back.
Yes, this is the same thing that happened after last year's incredibly depressing loss to a weak opponent on Halloween weekend. Here is a kitten: