Reason #478 to Update WordPress and Plugins

Dumb. Really Dumb.
Photo via BigStockPhoto.

We all know we shouldn’t let an old WordPress site sit around without updating it. It’s dangerous, they say.

And… for the most part, I’m really good about staying on top of this—at least when it comes to mission-critical sites. But… I’ll admit, there are a few sites that I built and forgot about.

One in particular came to my attention this week. It was a site I built around a hobby of mine. It needed a WordPress upgrade.

Okay… it had missed a lot of WordPress upgrades.

But worst of all: it had a plugin that was very old and had stopped being updated by its original developer. It was a stats plugin that I really loved back in the days before Jetpack gave us access to WordPress.com stats.

That particular plugin had a vulnerability which was exploited by some nasty malicious hacker.

How I Found Out I’d Been Hacked

This particular site was in one of my longest-standing hosting accounts… one I’ve had since 2006 with 1and1.com. I keep telling myself I’m going to clean that account out and move all the sites, but I just haven’t done it. That’s part of the reason I’ve let some of the sites go unpatched—because why patch ’em if you’re gonna move ’em, right?

<sigh>

Well… somewhere along the line, 1and1 started the practice of sending an email when they encountered something suspicious going on. In the past, they’ve notified me when spam emails started going out because of the TimThumb WordPress vulnerability and when their antivirus scanner found malware in a PHP file.

I’ve always been quick to respond when I see one of those, and it happened just a few weeks back. In that case, it just turned out to be an old inaccessible file that I’d renamed after fixing a previous problem.

On Monday of this week, I got another one of these emails:

Anti-virus scan reports: Your 1&1 webspace is currently under attack [Ticket XXXXXX]

Even though I was busy, I jumped right in to see what was happening. They identified a file that had been uploaded to my webspace, and when I saw where it was located, I knew exactly what was going on. That old plugin was still running on the site I mentioned earlier.

So… I logged in via FTP, downloaded a copy of the “malicious file” just so I could see it, and then deleted it and the entire plugin that it got in through.

No big deal.

Or so I thought.

Sites Down

Yesterday, I discovered that all of the sites in that hosting account were down. For most of them, I was getting a simple “Access Denied” error from 1and1 when I tried to load them up in my browser.

A minor panic set in as I went in and tried to discover what was going on.

What I found was very perplexing. The file permissions on the index.php file, the wp-config.php file, and a handful of other files in these sites were changed to 200.

If you aren’t familiar with Linux file permissions, 200 basically means that the file can’t be read by anyone. So… if that file happens to be critical to the running of your site, then… your site doesn’t work.

So… I changed the permissions on a couple of these files in one of the most important sites just to try to get it working. Oddly… within a few minutes of me setting the permissions to 644, they were automatically changing back to 200.

“Hmmmmm…. maybe there’s some malware still running in my account,” I thought to myself.

That’s when I noticed a whole bunch of database “dump” files in the root of my webspace. They looked like this:

dbxxxxxxxx.dump.lzo

Uh oh.

So… I replied to the email I’d gotten a few days earlier, and explained what was going on. This updated the “ticket” in 1and1’s Abuse Department so they could have a chance to respond.

After working on things for a few more minutes, I couldn’t stand it any longer. I dialed the 1and1 Support Department (something I truly hate to do) and waited. Within a short time, I was on the line with someone from India who had undergone a significant amount of accent reduction, and explained what was going on. When he was unable to find my ticket ID, I explained that I’d gotten an e-mail. He put 2 and 2 together and connected me with the Abuse Department.

Then… for the first time in the 8 years that I’ve had this account, I spoke to an American. I mean… fluent English. Clearly no foreign accent. And also for the first time, he knew something about what he was talking about!

He reviewed the ticket and was able to explain a little better what had occurred. Hackers had gotten in through unpatched software (which I knew) and had managed to execute shell commands with my account’s user privileges.

Within what must’ve been a very short period of time, they inserted malicious code into approximately 1,500 files in my webspace. This means that they infected even the WordPress sites that were all patched and running the latest versions.

All told, somewhere near 40 sites were infected.

1and1’s systems were automatically changing the file permissions for any infected files to 200 in order to keep anyone from accidentally downloading malware when visiting my sites.

So… then began the painstaking process of removing all the malicious code that had been inserted and bringing the sites back on line one by one.
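The clean-up described above starts with knowing which files the host has quarantined. The script below is an added example, not code from the original post or from 1and1: it builds a small constructed sample webspace, lists every file whose mode is exactly 200 (the owner-write-only marker the post says the host applied to infected files), lists stray database dump files in the webspace root, and restores 644 only on a file the owner has already reviewed and cleaned. The function names and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): post-quarantine triage of a
# shared-hosting webspace where the host set infected files to mode 200.
set -e

# Build a constructed sample webspace under a temporary directory and print
# its path. Two files are "quarantined" (mode 200), one is untouched (644),
# and one stray dump file sits in the root, mirroring what the post describes.
make_sample_webspace() {
  root=$(mktemp -d)
  mkdir -p "$root/site-a/wp-content/plugins/oldstats" "$root/site-b"
  printf '<?php /* constructed sample: clean file */ ?>\n' > "$root/site-a/index.php"
  printf '<?php /* constructed sample: file flagged by host */ ?>\n' > "$root/site-a/wp-config.php"
  printf '<?php /* constructed sample: file flagged by host */ ?>\n' > "$root/site-b/index.php"
  printf 'constructed sample dump\n' > "$root/db12345678.dump.lzo"
  chmod 644 "$root/site-a/index.php"
  chmod 200 "$root/site-a/wp-config.php" "$root/site-b/index.php"
  echo "$root"
}

# List files the host quarantined: mode exactly 0200 (owner write only,
# unreadable by the web server, which is why the sites returned errors).
list_quarantined() {
  find "$1" -type f -perm 0200 | sort
}

# Number of quarantined files, as a bare integer.
count_quarantined() {
  list_quarantined "$1" | wc -l | tr -d ' '
}

# Unexpected database dump files dropped in the webspace root.
list_dump_files() {
  find "$1" -maxdepth 1 -type f -name 'db*.dump.lzo' | sort
}

# Restore normal permissions on ONE file that has already been inspected and
# cleaned. Restoring everything blindly would just re-expose the malware
# until the host flags it again (the "changing back to 200" the post saw).
restore_reviewed() {
  chmod 644 "$1"
}

# Stand-alone demo: show the triage output for the constructed sample.
demo() {
  ws=$(make_sample_webspace)
  echo "Quarantined files ($(count_quarantined "$ws")):"
  list_quarantined "$ws"
  echo "Stray dump files:"
  list_dump_files "$ws"
  rm -rf "$ws"
}

demo
```

Run it as the hosting account user, pointing `list_quarantined` at the account's document root; the list is the work queue for the file-by-file clean-up, and `list_dump_files` flags the kind of dump files the post found in the root so they can be removed rather than left readable on the web.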

Could This Happen To You?

Yes. And it’s just a matter of time.

I’m planning to write an update explaining exactly what to do if you fall victim to an attack like this. (Update: in this post, I provided more details about it.) It’s not particularly difficult to fix, but if you have 1500 files across 40 sites affected, it’s gonna take some time.

RIP: Starbucks Almond Syrup

**Latest Update** It looks like Starbucks Almond Syrup is truly gone for good. The Fontana choice was good for a while, but it’s no longer on the market either. I’ve tried the Torani Orgeat Syrup, and it’s pretty good…. plus it’s in Amazon Prime, so… free shipping, right?!

**Update #3** Thanks to our reader Joyce, I did a little checking around and it looks like this Fontana Almond Syrup is the very stuff that Starbucks uses (Fontana is evidently manufactured for Starbucks). You can still purchase the Almond variety in a 4-pack.

The Torani syrup we mentioned in a previous update is also delicious, but not quite the same flavor as the Starbucks / Fontana syrup. Even the bottle on the Fontana syrup is an exact match!

Enjoy!

**Update #2** All my Sarasota readers: you can get almond cappuccino and syrup from The Beanz Man Espresso Bar Cafe on Bee Ridge Road (just west of Shade). Tell ’em I sent ya! sells and services fantastic coffee equipment (especially for commercial purposes), but no longer has a coffee shop. 🙁

*Update 1* I’ve been told that this Torani Orgeat Syrup is the exact product that Starbucks used to sell with its own label (turns out the Fontana syrups are manufactured for Starbucks… see the update above). You can grab it up inexpensively from Amazon and use it in your homemade beverages. Alas, since I don’t make espresso-based drinks at home, this doesn’t help me.

Don’t forget the pump!

Those who know me know that I’m an enormous fan of coffee. In fact, I have a book project that I’ve been dabbling with for a while that deals with coffee as a source of inspiration. It will eventually be finished. Watch for it. 🙂

As a true coffee connoisseur, I drink my daily brew black, freshly ground (in a burr grinder for consistency), and brewed (by the cup) in my French press. OK, I admit it. I’m a bit of a coffee snob. I certainly don’t mean that I look down on those who drink, say, robusta beans. It’s just that I personally have a well-developed palate when it comes to fine coffees.

(A.D.D. Moment: Want a really great book on the benefits of caffeine? Nab The Caffeine Advantage: How to Sharpen Your Mind, Improve Your Physical Performance, and Achieve Your Goals–the Healthy Way)

OK, back to my point: I have one guilty pleasure, as it were, when it comes to flavored coffee beverages. I know, I know… real connoisseurs don’t use any flavoring. But, years ago an astute barista who was a personal friend of mine made me an almond cappuccino.

Now, I’m not going to say that the skies parted, light shone, angels sang, and that I was enraptured by a glorious ecstasy as I partook… but it was close. Thanks, Mike, wherever you are.

Since then, I’ve been an addict. When Starbucks finally entered the Florida market, I quickly made the Grande Almond Cappuccino my beverage of choice… when in the mood for something other than a bold drip or a doppio.

I’ve partaken of this particular beverage all over the United States in Starbucks locations and even as far away as Singapore. I love it. It is truly a pleasurable experience that I enjoy.

So, imagine my dismay when the baristas at my local Starbucks announced that the almond syrup was being phased out. First, their ability to ring the drink up properly was taken away by a software update to their POS system. Now, they’ve actually told me that the syrup is gone. Some locations still have some, but almond—as a flavoring syrup at Starbucks—is basically dead.

I don’t spend enough at Starbucks to have the clout to pressure them to bring it back (despite whatever my wife may think about my Starbucks budget), so I’m not planning to mount any major campaign to boycott or ask people to join me. However, I am truly saddened by the loss. Most people stick with vanilla or hazelnut or one of the more popular syrups, I know. But they simply don’t know what they’re missing.

So… I bid the Starbucks almond syrup a fond farewell. And yes, every time I’m in a small private coffee shop (which I’ll admit I’ll be on the lookout for now more than ever), I’ll be forced to inquire… just in case they have some.