malware notification Beijing Day Trips

Mar 05, 2009 Published under WordPress, gadgets, incidents, web stuff, work

Although I do not really do an awful lot with Beijing Day Trips anymore, the site is still online and receives plenty of hits as such. Sometimes people even send me an inquiry and I can help them out.

Yesterday I was unpleasantly surprised to receive an email from the Google Search Quality Team sent to all possible email addresses for the domain beijingdaytrips.com; the subject line read “Malware notification regarding beijingdaytrips.com”.

After reading the vague email, I of course went to check immediately and what I saw was not pleasant: a dark red Google screen that said that the site I was planning to visit was malicious.

In Firefox I disabled the warning message (seems not possible in Chrome, my default browser), so I could have a look at my source code. All the way at the bottom I noticed some sort of code that I certainly hadn’t put there. It was some JavaScript calling “Yahoo! Counter starts” and pointing to two IP addresses, 218.93.202.61/cp/ and 78.110.175.21/cp/. With a quick search I discovered that these IPs point to some Russian mafia sites for all kinds of shit you certainly don’t want on your computer.

Since the bad code seemed to be in the footer I uploaded the footer again to check if that helped. It didn’t. I then had a look at the footer.php stored on my computer and saw to my dismay that it actually had changed! That piece of shitty code had been added to my footer.php on my very own computer without my knowledge!!!

Mind you, I have a paid security package from AVG that scans my computer each and every day.

So I deleted the malicious code, uploaded the clean file and had another look in the source code. Huh? Shitty code was still there! Time to contact the help desk of Namecheap. Their first response was that they could not help with Google warnings, but after explaining again they started to think with me.

Now, 36 hours later, the site is up and running again, although the Google warning still has to be removed. My best guess is that disabling the warning will take longer than them enabling it in the first place, but so be it.

UPDATE March 5 noon-time: site is back in the safety zone; wonderful to see that they white-list as fast as they blacklist! A safer internet is what we all want, right?

If you would like to know how I eventually got rid of the malicious code, please read along.

Since uploading a clean footer.php didn’t help, I deleted all theme-files and re-uploaded clean ones: no positive results.

Then I deleted the entire WordPress installation and uploaded it again and, while I was at it, also upgraded to the latest version. Again, no positive results.

I had CCleaner, Spybot Search & Destroy and AVG run full system checks. This afternoon I added another paid program: Malwarebytes’ Anti-Malware. Spybot and CCleaner came up with the usual entries, nothing to worry about and certainly nothing that pointed even remotely in the direction of this “Yahoo! Counter starts”. The full computer scan of AVG also didn’t turn up anything, so now it was down to Malwarebytes’ Anti-Malware to come up with something, otherwise it would have been EUR 25 down the drain…

It did actually find 11 malicious entries that I quarantined and deleted! Makes you wonder why the other three cannot pick up on that…

Since the malicious piece of code had been able to add stuff to my files, search through my entire computer to extract FTP login details, use FileZilla without causing any alarm bells to go off and upload the edited files to my server, I was not taking any risks anymore.

I changed all passwords and deleted all my existing FTP-accounts. I printed out a list of all my existing passwords (email, MySQL, WordPress login, etc.) and deleted them permanently from my computer. The only safe place is a hard copy (i.e. a paper with all this info) and you just gotta hope that you won’t lose it!

In the meantime the help desk had been checking the entire site on their end too and eventually told me that it had to be the databases. They had checked them but couldn’t find anything. Of course I could delete them and use an old backup to restore them in another clean WordPress install, but I first wanted to try out something else.

I made a list of all installed plugins and then deleted them all from the server. I checked the site and… the malicious code was gone! :D Yup, my first happy face.
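Checking every theme and plugin file by eye, the way I did above, does not scale. The following scanner is an added example (my own code, not anything from WordPress, Namecheap or the security tools named in the post): it walks a WordPress tree and flags any script block carrying the indicators from this incident (the “Yahoo! Counter starts” marker and the two IP addresses). The file layout and the infected sample are constructed for the demo.

```python
import os
import re
import tempfile

# Indicators taken from this incident: the comment marker in the injected
# JavaScript and the two IP addresses it pointed at.
IOC_MARKER = "Yahoo! Counter starts"
IOC_HOSTS = ("218.93.202.61", "78.110.175.21")

# The injection was appended as <script> blocks; match each block, across
# lines and regardless of case, and inspect its contents.
SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)


def find_injected_scripts(text):
    """Return (line_number, snippet) for every <script> block that carries an IoC."""
    hits = []
    for m in SCRIPT_RE.finditer(text):
        block = m.group(0)
        if IOC_MARKER in block or any(host in block for host in IOC_HOSTS):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((line_no, block[:60]))
    return hits


def scan_tree(root, exts=(".php", ".html", ".js")):
    """Walk themes and plugins alike; map relative file path -> list of hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_injected_scripts(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


# Constructed sample tree: a clean footer.php and a plugin file with the injection appended.
CLEAN_FOOTER = "<?php wp_footer(); ?>\n</body>\n</html>\n"
INFECTED_PLUGIN = ("<?php /* plugin code */ ?>\n"
                   "<script>/* Yahoo! Counter starts */</script>\n"
                   "<script src=\"http://78.110.175.21/cp/\"></script>\n")


def build_sample_tree():
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "themes", "mytheme"))
    os.makedirs(os.path.join(root, "wp-content", "plugins", "someplugin"))
    with open(os.path.join(root, "wp-content", "themes", "mytheme", "footer.php"), "w") as fh:
        fh.write(CLEAN_FOOTER)
    with open(os.path.join(root, "wp-content", "plugins", "someplugin", "someplugin.php"), "w") as fh:
        fh.write(INFECTED_PLUGIN)
    return root


if __name__ == "__main__":
    for path, hits in scan_tree(build_sample_tree()).items():
        print(path, hits)  # only the plugin file is reported, at lines 2 and 3
```

Pointing `scan_tree` at a real install flags the plugin directory as the persistence spot, which is what removing all plugins eventually showed by hand.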

I then downloaded all fresh (and therefore clean) versions of the plugins. Now I needed a secure FTP, so I did a search and came up with WinSCP. To enable it I needed to set up shell access on my cPanel and generate a public and a private key. Also Namecheap needed to enable shell access for me on their side and when that was done (and I had to write down another long password on my hard copy) I could start uploading all fresh plugins again.

My site has now been clean again for two hours, and I immediately requested Google and StopBadware to review it.

The good thing about this experience is that I never even knew that FTP was so unsafe and that I now have Secure FTP access to my sites. With the private encrypted key, it will take a very long time for any type of software to do a “guess attack” on what it possibly could be.

I also learned that although Namecheap has not offered hosting for a very long time, they certainly make their customers feel safe in their hands. They literally have been doing everything in their power to solve this serious problem. The people that man their help desk are very valuable to the success of the organisation, something my old host could learn quite a bit from…

Namecheap Help Desk and in particular Evgeniy Z, thanks for all your support!
