The above review is focused on the service provided tied to The Service Group Website available here :
As a young entrepreneur who is sort of making it with a few small businesses, I found the following post extremely interesting. Please don’t misinterpret my interest in this post as a definitive political stance one way or the other. I just thought this was some interesting data and interesting censorship from TED. Check it out.
I recently finished reading Facebook for Parents. I wholeheartedly recommend this book to any parent of a pre-teen or teenager. You can find out more about this book at
Dr. Fogg and his sister, Linda Fogg Phillips, provide practical information and advice that I believe will help me to deal with my daughter when she starts using social media like Facebook. Dr. Fogg provides some extremely valuable information regarding Facebook and Facebook privacy policies and Linda’s practical parenting advice offers some great techniques for leveraging the information provided by Dr. Fogg. I especially enjoyed how the authors are quick to point out the benefits as well as the pitfalls of Facebook. I fully plan on recommending this book in my upcoming courses for Parenting Teens and Technology.
Only slightly further inspection revealed a few newly introduced index.php files with the following
// Silence is golden.
Following identification I moved on to attempting to determine the scope of this attack. This turned out to be much trickier than I first thought it would be. For a full rundown of how I finally ascertained the attacker’s access (through blunt force trial and error), please read my post on WordPress and Toolpack. Short of the long is that the attacker had multiple successful attack vectors and was able to execute their own PHP code on our client’s server through a few different instances of Toolspack.php. In order to identify malicious PHP files that were placed on the server I used grep to search for any files that contained base64_decode. I removed all the files that contained base64_decode which did not match the core files in WordPress. It is important to note that some of the default WordPress files used for RSS and Atom feeds utilize base64_decode. Following removing ALL the malicious code (this took a while) I generated new keys for WordPress, changed all the passwords to the site using the WordPress Key Generator. You need to check all files on your website and your database for any issues. I used the following script to check my database content
SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%display:%';
As recommended by this fairly popular post. I will be the first to acknowledge that the above script is absolutely not the end-all be-all for checking your database content. It is simply a good start for identifying anything obviously malicious. So that was pretty much it, same remediation as every other attack: Discovery, Scope and Vector Identification, Remediation, and Continuous Monitoring following the attack. Here are a few good links that may help you out if your WordPress site is hacked.
That’s weird I didn’t see a ToolsPack in the UI… hmm what’s inside the php file OOOHHH MY EVIL PHP batman!
Well this has to be the problem I ASSUMED. If you aren’t familiar with what Toolspack.php does, here is the breakdown. It basically evaluates whatever base64 encoded code is sent to it. You can imagine the evil that can be done by someone who is remotely able to run code on your system. This should have been a HUGE indicator to me to CHECK ALL MY ASSUMPTIONS. Rather than checking all of my assumptions, I only checked my client’s WordPress files and database which I was requested to check. I informed my client once again that they were most likely good to go, but that we should continue monitoring the site (at least I had the presence of mind to keep monitoring the site). Feel free to translate that last sentence as “Overconfidence led me to sticking my foot in my mouth, again.” To recap at this point:
- I removed all malicious code from the plugins and theme files
- Changed the admin password (literally 3 times by this point)
- Checked the database for malicious code
- Replaced all the core WordPress files with the original WordPress files
- Configured the .htaccess files to reject a few malicious bots’ access to the site
- Regenerated the salt and key in the wp-config.php file
So at this point I didn’t assume anything; I knew that if there was an issue within the client’s WordPress instance, I had resolved it. I literally had left nothing to chance. However my initial ASSUMPTION was never validated, partly because I gave my client the benefit of the doubt that this attack was limited to a single website/WordPress instance. When the malicious code returned this time, I flipped out. I informed my client that this attack had to be wider than the site and that I needed shell login access. In case I didn’t make it clear earlier, Toolspack.php allows you to evaluate code remotely. If I were an attacker and I could evaluate code I would instantly install a backdoor. Which is exactly what the attacker did, utilizing a number of the other websites hosted on my client’s server. I started by grepping for base64_decode on all the websites that were sharing the hosting space. Ooh the evil I found. MadCmdShell shown above is one of the many many evils that I found hosted on these shared sites. Once I had login access and could grep all the files on the server I informed the client of the extent of the pain they were suffering, to which they quickly decided to remove old sites and unneeded code. Fortunately good did seem to prevail as their site now appears to be running smoothly without serving up malicious code.
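The triage described in the two posts above (search every PHP file for base64_decode, then set aside hits that are identical to the stock WordPress files) can be scripted as below. This is an added example, not the author's script: it assumes a clean copy of the same WordPress version is unpacked next to the site, and every directory and file name inside demo is constructed.

```shell
#!/bin/sh
# scan_webroot WEBROOT CLEAN_DIR
# Lists PHP files under WEBROOT that mention base64_decode and are NOT
# byte-identical to the file at the same relative path in CLEAN_DIR.
# The ( ) function body runs in a subshell, so its variables stay local.
scan_webroot() (
    webroot=${1%/}
    clean=${2%/}
    # grep -q: stop at first match; -i: PHP function names are case-insensitive.
    # Caveat: paths containing a newline are misread by this line-based loop.
    find "$webroot" -type f -name '*.php' \
        -exec grep -qi 'base64_decode' {} \; -print |
    while IFS= read -r file; do
        rel=${file#"$webroot"/}
        # Expected hit: a stock file (e.g. feed code) that is unchanged.
        if [ -f "$clean/$rel" ] && cmp -s "$file" "$clean/$rel"; then
            continue
        fi
        printf '%s\n' "$rel"
    done | sort
)

# demo builds a constructed site and clean tree, then runs the scan on them.
demo() (
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean/wp-includes" "$tmp/site/wp-includes" \
             "$tmp/site/wp-content/plugins/sample"
    # 1. Stock file that legitimately uses base64_decode, unchanged on the site.
    printf '<?php $d = base64_decode($enc); // feed helper\n' \
        > "$tmp/clean/wp-includes/feed-sample.php"
    cp "$tmp/clean/wp-includes/feed-sample.php" "$tmp/site/wp-includes/"
    # 2. Stock file whose copy on the site gained an extra line.
    printf '<?php // core\n' > "$tmp/clean/wp-includes/core-sample.php"
    printf '<?php // core\necho base64_decode("aGk=");\n' \
        > "$tmp/site/wp-includes/core-sample.php"
    # 3. File that does not exist in the clean tree at all (harmless stand-in).
    printf '<?php echo BASE64_DECODE("aGk=");\n' \
        > "$tmp/site/wp-content/plugins/sample/Toolspack.php"
    scan_webroot "$tmp/site" "$tmp/clean"
    rm -rf "$tmp"
)

demo
```

On a shared host, run it once per site directory: a file reported here is a candidate for manual review, not proof of compromise, and a backdoor that avoids base64_decode will not appear.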
DrIST Coach is going live on facebook now. We will do our very best to keep our social media up to date and we hope that you check back on our site as often as possible.
I won’t make you read the whole article to get the point that SEO starts with keyword research. That’s right, Keyword Research: not meta tags, not title or header tricks, not link building, not even site map submission. It starts with Keyword Research. I have consistently found that our customers would like to be at the top of Google’s search page, but often have no clue what terms they would like to return first in… let me give a fictional dialogue, between DrIST Coach Consulting (DCC) and a fictional Auto Body Company (FABC), to illustrate my point.
FABC: We really need to improve our SEO and search ranking so that we can get more people to our website! (Sound familiar?)
DCC: Awesome, we would love to help you with that. Do you have any idea which keywords people are using relevant to your line of work?
FABC: I just want to make sure that we return at the top of Google’s list when people search for us
DCC: Search for you how? Using your company’s name?
FABC: Yeah that’s a good start.
DCC: Would you also like your customers to find you searching for other terms? Like maybe Local Auto Body Shops?
FABC: That would be awesome!
DCC: Ok well we need to start by identifying the terms that you think people might be using to find your company and then we also need to figure out what terms are searched more often so that we can get you the best return on your SEO investment.
FABC: That sounds like a lot of work, I really just want to be at the top of Google when people search for the company
This is the part where our consultants refrain from slapping their forehead and repeat the above conversation.
Proper SEO within a website will help to direct potential customers/clients to pages which provide information which a potential customer/client finds relevant and useful. In other words proper SEO helps people find the proper website. Improper or SPAM SEO will never provide lasting results. It is literally Google’s job to make sure that hacked SEO rankings get demoted. This is why Google retains so many users; they help users find what they are looking for! It’s simple and brilliant; help people find what they want and they’ll love you for it. Ergo, help people who are looking for you find you.
Keyword research helps you to identify specific terms that you can use to target potential clients. Keyword research also lets you identify what terms are already highly competitive and what terms are less competitive. By targeting the less competitive terms you can increase the ROI of your SEO efforts. Let me ground that in a specific example. In the image shown above I am using Google’s Keyword Tool (available here) to research how often people search for the terms “SEO Consultant” and/or “SEO Consulting”. What I found very interesting is that these terms were searched for a fair number of times but other terms like SEO company were far more competitive. This is great news for me if I want to develop pages that will be returned high on Google’s search rank for “SEO Consultant”. Because my site offers “SEO Consulting” and I am an “SEO Consultant” I don’t have to worry about users coming to my site searching for those terms and being disappointed. I just need to make sure that I use the other tools discussed on this site to make sure my site is as SEO friendly as possible.
It’s hard to believe with as many commercials and warnings that we see out there we still need to talk about not putting usernames and passwords or credit card information in email… and yet here I am about to talk about it again. The fact of the matter is that I still have customers that don’t understand how easily attackers are able to gain access to email accounts. Most security professionals will admit that at some point or another their email has been compromised. Why does this happen? Mostly because we check our email from literally everywhere, and every location that we check our email from could be a location that an attacker has been before us. The process is fairly simple. If an attacker has installation rights on a computer, then they install a program called a key-logger. The key-logger simply logs the keys that are pressed and then sends them to the attacker’s machine. Libraries, colleges and hotels are notorious for having key-loggers installed on their computers. Having an attacker gain access to your email is annoying, but as long as you don’t have all your passwords, medical information and credit card information stored in your email then you don’t have much to worry about. Another very common approach is simply through a process called man in the middle. Man in the middle attacks require more explanation which you can read about elsewhere. The primary point is simple: don’t be the easy email target and don’t put information in your email that is highly sensitive. It’s just not worth the risk. When you need to share sensitive information, I recommend a phone call, or text message. Not to say that either of these techniques is flawless, but I do believe that they are the lesser of two evils.