Posted 4 months ago
by rousso
A round-up on today’s attack
Many of our users, (especially the ones using Google Chrome) have stumbled upon a puzzling warning message today while trying to access RSS Graffiti. The message was saying that RSS Graffiti is suspicious for distributing malware and that the user should not proceed in using the site.
For the curious -and for the record- here is what happened: Yesterday (August 24th) a new exploit was found for a WordPress theme framework. It so happened that we have purchased a theme based on that framework and we have been using it for our WordPress based site (http://www.rssgraffiti.com).
Unfortunately, shortly after the new exploit was found, someone had the opportunity to use the exploit and infect our WordPress site. This resulted in Google’s crawlers downloading the content, noticing the suspicious JavaScript and black-listing the site immediately. As a result everyone using Google Chrome was getting this red horror warning a few hours later.
Actually blacklisting our WordPress site and giving you that warning was a good thing from Google Chrome. It would be good for us too if they could just block access to the infected site. Unfortunately for us, instead of blocking only the suspicious site, Google blacklisted the entire rssgraffiti.com domain and so any server that was under our domain was causing the same warning to appear. Users were alarmed and everyone here was out of the meeting rooms (at last) and helping each other to find and fix the problem.
Our product site (http://www.rssgraffiti.com) is just another WordPress site. It is totally isolated from our data center. The issue that affected the WordPress site had no impact on the health of our systems. The processing engine and the entire RSS Graffiti service and infrastructure continued to work during this crisis unaffected. What blocked your access to these systems was this browser warning which was issued automatically for any of our servers regardless if they were suspicious or not.
So, after seeing the error reports many of you sent in today, Dimitris, Viral and Aleks got on top of it and pinpointed the cause of the issue. We found the hack and found the patch; then removed the hack and applied the patch. The site was fixed. Then we had to get Google to lift the ban. Ryan called all the right numbers and pulled all the strings he could pull to help this process go fast forward. So that’s done now too. I’m not sure if you can really pull any string at Google. I’ll ask Ryan later. :-)
Any lessons? How can a hack on a WordPress theme affect an entire service like this? Well, in case of Google and Google Chrome it turns out it can. Don’t get me wrong here; Google Chrome is my favorite browser. Nevertheless blacklisting the entire domain seems like an overkill too me. I don’t know. I’m not going to jump into conclusions here. This is over. We’ll try to to think what we can do on our side to minimize the chances anything like this happens again.
Thank you all for being so patient and supportive!
2 Notes