You are here

Trojan attack and website shutdown

Dear users of Webgrab+Plus and visitors of this website

around May 20 this website was attacked by a trojan horse exploiting a backdoor in our web platform Drupal. Too late we were informed about this vulnerability of Drupal. See https://www.drupal.org/docs/develop/security/your-drupal-site-got-hacked... . The consequences were fatal. The trojan was able to invite 16 viruses at the moment we (Paul in fact) started to investigate cause and remedy.

Visitors of this website around and shortly after that date were redirected to obscure and mostly fake websites some of them with click bait buttons or other tricks to lure visitors into malware.
For some time Paul tried to clean the website with a regular virusscanner. It appeared not very effective, the trojan fought back by reinstalling the viruses we just removed and installing new ones. At some point there were 100 or more infected files? Shortly after, on May 22, when it became clear that the site could not be kept online, we decided to shutdown and issue 'website on maintenance'.

That was nearly the final curtain for Webgrabplus.com. The WG++ project is build and maintained by just a few (5) volunteers with limited time beside jobs and family. And at first it was feared that trying to restore the site in its original form would be impossible. Alternatives? : Full stop or building a new site. The latter, being a major effort which we probably would not be able to organise! (But it was seriously considered because one of us , Mario (Matt8861), offered to try it.) Our choice between a rock and a hard place!

Then came, from Francis, this suggestion : "Maybe we just need to go ahead with the security update for drupal? And hope that exploit has been fixed?"
See https://www.theregister.co.uk/2018/03/28/drupal_urgent_security_software...

And, on the first on June, he reported: "Heavy rain kept me out of my sleep, so I decided to check if I could resuscitate the site. And yes, it seems it will be possible. !!" The next day, after rebuilding the site and its data bases we were back online.

But the troubles are not over as yet. Webbrowsers scan and keep lists of unsafe websites. Our site was added to those lists during the days it was under attack. Consequently, some users trying to visit our site were confronted with alarming 'unsafe website' warnings. And although the site is rescanned and found healthy the message keeps up appearing, especially when using the Chrome browser. Microsoft Edge has removed the site from its unsafe website list in the mean time, so no more problems when using Edge. We have no reports from other popular browsers.

Francis continues looking into this issue.

Perhaps a good place and opportunity to express our disdain for the villains who seem to have fun in committing this kind of destructive attacks.

Further reading:
https://thehackernews.com/2018/04/drupal-rce-exploit-code.html

Jan

Brought to you by Jan van Straaten

Program Development - Jan van Straaten ------- Web design - Francis De Paemeleere
Supported by: servercare.nl