
Last evening we planned to get fried chicken delivered for dinner. I opened kfcpakistan.com (KFC Pakistan’s official website, run in Pakistan by Cupola Pakistan Ltd.) to see their online brochure for meal options. Instead of the main page being displayed, up popped a warning that the website ‘kfcpakistan.com’ was malicious and could harm my computer. I was already running Symantec Antivirus (always updated) but, just to be on the safe side, I also executed Trojan Guarder. I was content that it would protect me from any bug, worm, virus or Trojan whatsoever, so I clicked ‘ignore this warning’ (dumbass me!).
To learn why it is blocked, see the Google URL at the bottom of this post…
The main page of kfcpakistan.com did open, but simultaneously Symantec Antivirus popped up an alert window telling me that an ‘install.exe’ had been caught, quarantined and deleted successfully from the location it was being executed from. Still, I was satisfied that since the virus had been noticed and handled by Symantec Antivirus, there was no need to be worried at all, anymore.
The funny thing is, our mood had already changed and we ordered pizzas instead. They were delicious, ate ‘em all, gone baby gone! Afterwards, I kept working on Haqeeqat.Org; the computer didn’t go off through the night, even after I went to sleep.
Today, nothing was prompted and nothing unusual took place at all; I kept working, as I had to publish three posts. Did that well, still nothing appeared worth noticing. Afterwards, I got busy having tea with my wife n family and shut down the computer. Some minutes later a friend called and told me that Haqeeqat.Org wasn’t working and that some weird error was displaying on the front page. No other direct or indirect link worked either. I got back on the computer, checked it myself and received the following error(s):
Warning: Unexpected character in input: ''' (ASCII=39) state=1 in /xxx/xxxxx/public_html/index.php on line 17
Parse error: syntax error, unexpected '.' in /xxx/xxxxx/public_html/index.php on line 17
I then entered the URL of the administration area, but the next page showed me the same error. I assumed it was some WordPress plugin error, so I tried disabling some by moving folders via my FTP client. It didn’t help either! Then, to my shock, as I tried opening the rest of my blogs and CMS-driven websites on the same server, everything was down, showing almost the same errors! Static content, though, was working as it should.
Since I couldn’t find a helpful clue on wordpress.org, I submitted a support ticket to my web host (HostGator), which got back to me very promptly, as always, with more shocking information and access logs. It read:
“It appears that malicious code has been uploaded to your account via FTP using a compromised username and password. At this time, I have removed the malicious code from the account.
From our experience with malware of this nature, the user account passwords are compromised through viruses/malware located on your local computer. This malware sniffs out passwords used and stored by FTP programs located on the computer. In order to protect against future attack, you will need to run full virus and malware scans on your computers to ensure that they are clean. I recommend using multiple scanners as we have found that some scanners do not detect the malware. MalwareBytes ( http://www.malwarebytes.org ) and ComboFix ( http://www.bleepingcomputer.com/combofix/how-to-use-combofix ) have been reported to be able to clean this malware. It is highly suggested that you also do the following…”
(following were some guidelines for having the Operating System and other relevant applications updated and secured)
The following logs show that the file was recently uploaded with modified malicious code. These logs are merely a sample; they are not the entire log entry:
Aug 18 07:54:24 gatorxXx pure-ftpd: (?@ip-address) [INFO] myUserName is now logged in
Aug 18 07:54:26 gatorxXx pure-ftpd: (myUserName@ip-address) [NOTICE] /home/myUserName//public_html/index.htm downloaded (4265 bytes, 240.02KB/sec)
Aug 18 07:54:27 gatorxXx pure-ftpd: (myUserName@ip-address) [INFO] Logout.
Aug 18 07:54:30 gatorxXx pure-ftpd: (?@ip-address) [INFO] myUserName is now logged in
Aug 18 07:54:32 gatorxXx pure-ftpd: (myUserName@ip-address) [NOTICE] /home/myUserName//public_html/index.htm uploaded (4342 bytes, 190.38KB/sec)
Aug 18 07:54:33 gatorxXx pure-ftpd: (myUserName@ip-address) [INFO] Logout.
Aug 18 07:54:39 gatorxXx pure-ftpd: (?@ip-address) [INFO] myUserName is now logged in
Aug 18 07:54:45 gatorxXx pure-ftpd: (myUserName@ip-address) [NOTICE] /home/myUserName//public_html/one-of-my-domain/index.html downloaded (10841 bytes, 661.77KB/sec)
Aug 18 07:54:46 gatorxXx pure-ftpd: (myUserName@ip-address) [INFO] Logout.
Aug 18 07:54:54 gatorxXx pure-ftpd: (?@ip-address) [INFO] myUserName is now logged in
Aug 18 07:55:01 gatorxXx pure-ftpd: (myUserName@ip-address) [NOTICE] /home/myUserName//public_html/one-of-my-domain/index.html uploaded (10713 bytes, 196.58KB/sec)
…” and so on, through all 4 of my domains…
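What the host spotted in those lines is a pattern rather than a signature: a login, a download of an entry file, a logout, then another login and an upload of the same file a few seconds later, repeated for every domain. The following is an added example of mine, not HostGator’s tooling: it parses the pure-ftpd lines quoted above and flags any download of a path followed by an upload of the same path by the same user within a short window, and counts how many separate logins fell inside one minute. The log text is copied from the ticket (with the post’s own placeholders ip-address and myUserName); the 60-second window and the assumed year 2009 (syslog lines carry no year) are my choices.

```python
import re
from datetime import datetime

# Sample pure-ftpd lines copied from the host's ticket quoted above; "ip-address"
# and "myUserName" are the post's own placeholders, not real values.
SAMPLE_LOG = """\
Aug 18 07:54:24 gatorxXx pure-ftpd: (?@ip-address) [INFO] myUserName is now logged in
Aug 18 07:54:26 gatorxXx pure-ftpd: (myUserName@ip-address) [NOTICE] /home/myUserName//public_html/index.htm downloaded (4265 bytes, 240.02KB/sec)
Aug 18 07:54:27 gatorxXx pure-ftpd: (myUserName@ip-address) [INFO] Logout.
Aug 18 07:54:30 gatorxXx pure-ftpd: (?@ip-address) [INFO] myUserName is now logged in
Aug 18 07:54:32 gatorxXx pure-ftpd: (myUserName@ip-address) [NOTICE] /home/myUserName//public_html/index.htm uploaded (4342 bytes, 190.38KB/sec)
Aug 18 07:54:33 gatorxXx pure-ftpd: (myUserName@ip-address) [INFO] Logout.
Aug 18 07:54:39 gatorxXx pure-ftpd: (?@ip-address) [INFO] myUserName is now logged in
Aug 18 07:54:45 gatorxXx pure-ftpd: (myUserName@ip-address) [NOTICE] /home/myUserName//public_html/one-of-my-domain/index.html downloaded (10841 bytes, 661.77KB/sec)
Aug 18 07:54:46 gatorxXx pure-ftpd: (myUserName@ip-address) [INFO] Logout.
Aug 18 07:54:54 gatorxXx pure-ftpd: (?@ip-address) [INFO] myUserName is now logged in
Aug 18 07:55:01 gatorxXx pure-ftpd: (myUserName@ip-address) [NOTICE] /home/myUserName//public_html/one-of-my-domain/index.html uploaded (10713 bytes, 196.58KB/sec)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\((?P<user>[^@]*)@(?P<ip>[^)]*)\) \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
XFER_RE = re.compile(r"^(?P<path>\S+) (?P<dir>downloaded|uploaded) \((?P<size>\d+) bytes")
# The files the post says the malware rewrote: anything named index*, main* or default*.
ENTRY_FILE_RE = re.compile(r"/(index|main|default)[^/]*$", re.IGNORECASE)


def parse_pure_ftpd(text, year=2009):
    """Turn pure-ftpd syslog lines into event dicts. Syslog lines carry no year,
    so one is supplied; 2009 is assumed because the post dates from then."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        ev = {"ts": ts, "user": m["user"], "ip": m["ip"], "kind": "other", "msg": msg}
        if msg.endswith(" is now logged in"):
            # Login lines show the user as "?" in the prefix and name it in the message.
            ev.update(kind="login", user=msg.split(" ", 1)[0])
        elif msg == "Logout.":
            ev["kind"] = "logout"
        else:
            x = XFER_RE.match(msg)
            if x:
                ev.update(kind=x["dir"], path=x["path"], size=int(x["size"]))
        events.append(ev)
    return events


def detect_swap_uploads(events, window=60):
    """Flag a download of a path followed by an upload of the same path by the
    same user within `window` seconds: the fetch-modify-push pattern above."""
    last_download, findings = {}, []
    for ev in events:
        key = (ev["user"], ev.get("path"))
        if ev["kind"] == "downloaded":
            last_download[key] = ev
        elif ev["kind"] == "uploaded" and key in last_download:
            prev = last_download[key]
            delta = (ev["ts"] - prev["ts"]).total_seconds()
            if delta <= window:
                findings.append({
                    "user": ev["user"], "ip": ev["ip"], "path": ev["path"],
                    "seconds": int(delta),
                    "size_delta": ev["size"] - prev["size"],
                    "entry_file": bool(ENTRY_FILE_RE.search(ev["path"])),
                })
    return findings


def count_logins(events, user, window=60):
    """Largest number of logins for `user` inside any `window`-second span.
    Many one-file sessions within seconds is how a script behaves, not a person."""
    times = sorted(e["ts"] for e in events if e["kind"] == "login" and e["user"] == user)
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


if __name__ == "__main__":
    evs = parse_pure_ftpd(SAMPLE_LOG)
    for hit in detect_swap_uploads(evs):
        print(f"{hit['user']}@{hit['ip']} re-uploaded {hit['path']} after "
              f"{hit['seconds']}s ({hit['size_delta']:+d} bytes, entry file: {hit['entry_file']})")
    print("logins within 60s:", count_logins(evs, "myUserName"))
```

On the sample, both index files are flagged (re-uploaded 6 and 16 seconds after being fetched, grown by 77 bytes and shrunk by 128 bytes respectively) and the user logs in four times inside half a minute. Run against a full day of pure-ftpd logs the same two functions pick out the account and the source IP a host would want to lock first.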
Hmmm… after reading the first two paragraphs, the Colonel’s picture flashed at the back of my mind and I said to myself: WTF! …fcuk!!!
I logged onto my web server’s control panel immediately, from my cell of course, changed the master account’s password(s) and reset the child accounts too. I quickly locked all executable files and software on my computer using Folder Shield (a fool-proof folder protection/privacy utility) so that if the virus/worm/bug was contagious, my data would remain safe! I then removed all my websites’ shortcuts from my FTP client’s site manager, disabled the automated tasks, closed it, and downloaded MalwareBytes’ Anti-Malware 1.4; I installed it, and the scan result brought me the following on the first go:
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Services\del (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\id (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\host (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\Temp\wpv631250315064.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\user-name\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
What (in the Name of KFC) Does This Malware Do to Your Online Presence?
Please note that it also makes full-fledged use of your email client all by itself, sending idk which emails to idk where (of course, to your contacts!)!
Now, Mr. Richard F. (Network Security Administrator at HostGator) had only repaired the static (.htm/.html) files, as the bug up there infected each and every file whose name starts with index*, main* or default*, be it a simple .htm/.html or a .php (database-connected) file. The bug kept ruining the files all around my space… I’m not a PHP/MySQL programmer, I don’t even know the coding at all; Object Oriented Programming F‘ed me three times already… until I changed majors in my graduation, after admitting myself a complete loser at O.O.P! And now the Kentucky F Chicken Fs me!!!
So, not fair, moreover, that I had to download via FTP client each and every file mentioned in the initial errors (yeah baby, they kept increasing as I kept fixing, DB tables… the first function called is reported first, then the second appears, until the 3249083294832489320849328409328th :@). Anyway, in each of these 4 WordPress blog directories, the following files were affected. Kindly note that the bug/worm/virus/asshole/sonofabitch/mofo/trojan overwrites a chunk of the following files’ footer/bottom code with iframe-calling code of its own!
*(I’m mentioning it because if anybody ever searches for a query like this or gets bitten by KFC Pakistan, this post would help ‘em a lot, not only with finding reasons to logically curse the KFcukingC’s website :p but also with figuring out a solution for your WordPress/CMS troubleshooting…)
- your-www-or-public-html-folder/or-wordpress-main-directory/index.php
- your-www-or-public-html-folder/or-wordpress-main-directory/wp-admin/index.php
- your-www-or-public-html-folder/or-wordpress-main-directory/wp-admin/index-extras.php
- your-www-or-public-html-folder/or-wordpress-main-directory/wp-includes/default-filters.php
- your-www-or-public-html-folder/or-wordpress-main-directory/wp-includes/default-widgets.php
- your-www-or-public-html-folder/or-wordpress-main-directory/wp-content/themes/wp-default-themes’-index/default-files
- your-www-or-public-html-folder/or-wordpress-main-directory/wp-content/themes/wp-classic-themes’-index/default-files
- your-www-or-public-html-folder/or-wordpress-main-directory/wp-content/themes/your-custom-themes’-index/default-files
- your-www-or-public-html-folder/or-wordpress-main-directory/wp-content/plugins/your-plugins’-index/default-files
How to Undo These Hurts?
Option 1. Now, you’d have to get hold of the same version of new/clean/fresh file(s) your installation had, OR (if you don’t have a backup, like I didn’t for 3 blogs) you’d first have to download your version of the WordPress (or your CMS’s) installation source (from here and/or from your CMS’s website) and replace each of the above files with the freshly downloaded (clean) one!
Option 2. Otherwise, just fix the replaced/overwritten code at the bottom of the above-mentioned files IF you remember it or have these files in your possession as a backup! If you don’t, read the above option again :@
Option 3. If you have neither of the above, you can delete everything (after making a local/HDD copy, for the just-in-case scenario) in your blog directory (only for WordPress stand-alone installations) other than .htaccess and config.php. Download your version of the WordPress installation, unzip it and upload everything to the same directory you just cleaned that useless sh!t from!
- First back up all your folders and files from the root (the directory of your WordPress installation).
- Delete the wp-admin folder! (Yeah, it’s alright, do that or leave my post alone, get the hell outta here!)
- Delete the wp-includes folder! (yea’haan, do that)
- Delete all the .php files from the root, except the config.php and .htaccess files.
- Upload (the clean/fresh version of) everything you deleted back to the root folder.
- Send me a thank-you-so-very-very-very-much note for making it work for you!
Please note: This solution is also for those who can’t get rid of the following sort of fatal error message, which mostly appears in WordPress 2.8.x installations/updates:
"Fatal error: Class 'WP_Widget' not found in /xx/xxxx/wp-includes/default-widgets.php on line 15"
Last but not least, I’ve been using this awesome life-saver plugin on Haqeeqat.Org since I first installed the WordPress blogging system on it: WP-DBManager! It once saved Haqeeqat.Org from a huge hack already! This time it couldn’t save me, only because the administrative end was also affected. BUT, I’d still recommend you always keep a backup with you, wherever you are, whatever you do, and whether or not you do it yourself! I mean, you can also schedule a backup via email!
KFCPakistan.com: Why it is blocked:
Why The Administration of KFC Pakistan (Cupola Pakistan Ltd.) isn’t Doing Anything After Several Complaints?
- They are the typical illiterate idiots who take us, our privacy and our security for granted! Bastards….
Why The Administration of KFC International isn’t Doing Anything After Several Complaints?
- As if the rest of the world cares about us!!!
Hmmm… What Should We Do Then?
- I don’t know about YOU, but I’m gonna sue them (or, in case the lawyer costs too much, at least consume loads n loads of their chilli sauce from the ketchup dispenser, for free :p)!!!
Moral of the Story:
- If and when there’s a Stop Sign with a COP on it, do observe it!
- Hot Chicks often hurt!
- If you’re gonna have a pizza, the Colonel gives a shit!
Dayem!!! I had faced the same shit… o_O
but not from KFC…
but that malware really fcuked the hell out of me. And I worked continuously for three days and nights, and at last got rid of it.
oops
You should have asked me :p