Dear blog owner and visitors,

This blog had been infected to serve up Gootloader malware to Google search victims, via a common tactic known as SEO (Search Engine Optimization) poisioning. Your blog was serving up 376 malicious pages. Your blogged served up malware to 19 visitors.

I tried my best to clean up the infection, but I would do the following:

• Upgrade WordPress to the latest version (one way the attackers might have gained access to your server)
• Upgrade all WordPress themes to the latest versions (another way the attackers might have gained access to your server)
• Upgrade all WordPress plugins (another way the attackers might have gained access to your server), and remove any unnecessary plugins.
• Verify all users are valid (in case the attackers left a backup account, to get back in)
• Change all passwords (for WordPress accounts, FTP, SSH, database, etc.) and keys. This is probably how the attackers got in, as they are known to brute force weak passwords
• Run antivirus scans on your server
• Block these IPs (5.8.18.7 and 89.238.176.151), either in your firewall, .htaccess file, or in your /etc/hosts file, as these are the attackers command and control servers, which send malicious commands for your blog to execute
• Check cronjobs (both server and WordPress), aka scheduled tasks. This is a common method that an attacker will use to get back in. If you are not sure, what this is, Google it
• Consider wiping the server completly, as you do not know how deep the infection is. If you decide not to, I recommend installing some security plugins for WordPress, to try and scan for any remaining malicious files. Integrity Checker, WordPress Core Integrity Checker, Sucuri Security,
  and Wordfence Security, all do some level of detection, but not 100% guaranteed
• Go through the process for Google to recrawl your site, to remove the malcious links (to see what malicious pages there were, Go to Google and search site:your_site.com agreement)
• Check subdomains, to see if they were infected as well
• Check file permissions

Gootloader (previously Gootkit) malware has been around since 2014, and is used to initally infect a system, and then sell that access off to other attackers, who then usually deploy additional malware, to include ransomware and banking trojans. By cleaning up your blog, it will make a dent in how they infect victims. PLEASE try to keep it up-to-date and secure, so this does not happen again.

Sincerly,

The Internet Janitor

Below are some links to research/further explaination on Gootloader:

https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/

https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/

https://www.richinfante.com/2020/04/12/reverse-engineering-dolly-wordpress-malware

https://blog.sucuri.net/2018/12/clever-seo-spam-injection.html

This message

On September 6, Gary Balduc brought a side-blade and grader to the head of the lane and completed the 450 yards of SBL’s gravel lane. To ensure the longevity of this repair, a dozen or so rig-mats were added beneath the gravel to create a solid foundation that will no-doubt have us with a passable lane for the foreseeable future. Although the repair wasn’t cheap, it ensures that any visitors that may want to join us at The Lodge can do so without worry of transportation. Unfortunately, however, that also means we’ll probably see more of Ferg.

Drivable without 4×4

Proving to be a big day for the balance sheet of The Lodge, The Official Scuttletruck was purchased as well on September 6th. Shiny white, with very little rust, The Scuttletruck will rest permanently at the Lodge and serve dual purpose as water truck and decoy hauler. Photos will have to come later as it’s being fashioned with flood lights, new breaks and decals. The anticipation is almost too much!

Opening Day 2016

They say “no man is an island”; however, I can assure you, a Lodge can be.

The water has not receded much since 2015, in fact you could even argue the “sea level” has risen over the winter and spring in Southwestern Manitoba. Nonetheless, September Long Weekend is still coveted as the beginning of our annual goose harvest – truly, come hell or (literal) high water.

Bubba Carey and dad made their way down to SBL to see if they couldn’t scare up a few dots for the chart. With only 37 harvests required to reach number 4,000 in SBL’s history, it is a case of “when” and not “if” we reach the next big number in our record books.

With a slight torrential rain forecasted, the two guys were only able to hunt the one morning but were able to post 2 white dots on the chart, setting things up for a perfectly mid-September run at 4,000.

I will be home on September 16th to hunt with Dad, Bubba, Fake Dr. LePage and John & Matt Donald. If you’re near your phones on that weekend, feel free to give us a call or a FaceTime to be part of the Chase to Number 4,000. The count down has begun, only 8 more sleeps!

2 Honkers, 3 Mallards