Blog / May 2009
-
31 May 2009: Public testing of new website release
The new website release is now in public testing phase! Please read the forum post carefully if you are interested in testing. You can post suggestions and bug reports in that same topic. Thank you!
I will use the test period to document the changes and will write again before the site goes live, to cover these changes in detail. I have a lot more to talk about: what this "refactored" version was all about, how future releases will work, etc., which I will do over the course of the test period. Stay tuned!
-
21 May 2009: Drive-By Download and Adobe Software Exploits
I am now almost certain that the website was the victim of a malware/trojan exploit (cf. recent news) because I had an old version of Adobe Reader installed, and not because of a lack of Windows Updates or carelessness with downloads and such.
The irony is, I'm not even using Adobe Reader, I'm using FoxitReader ever since versions 8 and 9 of Adobe Reader became so slow and bloated. But having not heard before of all the vulnerability problems with Adobe software, I still had the old version 7 lying around.
Read on for useful links and tips for Windows users...
While I didn't use Adobe Reader myself, the plugin was still present and active in the browsers! That's a very important point! I highly recommend that all Windows users either uninstall Adobe Reader entirely and get FoxitReader, or make sure they have the most up-to-date version of Flash and Reader (so that the browser plugins are up to date), AND go to Adobe Reader Preferences > JavaScript and TURN OFF JavaScript.
Having an up-to-date anti-virus can protect you, but won't solve the root of the problem. Windows users who haven't updated their Adobe plugins (Reader/Flash) since May 13, do it ASAP!
PS: last time I checked Adobe Reader 9 was still incapable of remembering the last visited page of recently opened PDF documents (think of a "bookmark"). When you download a lot of documentation in PDF format, it's very handy to go to the File menu, and pick one of your recently opened documents, and continue reading from where you last were. That feature alone is worth downloading FoxitReader (it is also a standard feature on MacOS's PDF viewer).
Useful links
- Adobe Confirms PDF Zero-Day, Says Kill JavaScript (Slashdot)
- FoxitReader, lightweight, FAST PDF Reader (download.com)
- Gumblar Malware Exploit Circulating (us-cert.gov)
-
17 May 2009: For Greasemonkey scripts users
The website recovery yesterday has affected a couple scripts from our extremely prolific author woelpad! (apologies, as I had to restore the site from a copy that had small differences in the code).
Please check the Woelpad's scripts topic for the updated scripts (as of writing woelpad has updated "Alter Sequence", and "Substitute Keywords"). Also see RevTK Lite.
-
16 May 2009: About the long downtime Fri & Sat
On Thursday May 14, approx 5pm US time, the website fell victim to a very recent malware exploit dubbed "Gumblar.cn" (also identified as "Js:Redirector" by the aVast antivirus software).
Reviewing the Kanji was in good company with much bigger sites like Variety.com and Tennis.com among the victims... though that is little consolation.
So how did it happen?
Read on for the gory story, and some instructions for Windows users who would have visited the site yesterday, and who may have been exposed to the malware.
First let me clear up a couple things:
- I'm using a fairly secure FTP password made of a lot of uppercase/lowercase letters mixed with random special characters, not something easily guessed.
- My computer is "clean", and I rarely ever use P2P programs or download "cracks" these days.
As I was doing an update yesterday by FTP, the trojan detected my password and sent it to the hacker's site. Just an hour later, their script logged in with my credentials and injected their code into 500+ files in a matter of SECONDS!
My best guess is that this trojan found its way into my computer because I had Windows Updates on "manual", and didn't use resident virus protection (I usually scan files, but don't run the cpu-hogging local protection). Since this exploit is very recent, many infected websites are not yet blacklisted, and Google Chrome wouldn't show the security warning. On top of that, I found out that both aVast and Malware Bytes could not detect the trojan unless the virus database was just a COUPLE days old!
Which brings me to this important observation: if you use an anti-virus, leave the automatic updates on, otherwise they are simply useless. Next, if you're a sucker for optimization like me, then I would recommend with aVast to keep at minimum the "Web Shield" and "Network Shield".
I was also being over-confident with the non-Internet Explorer websites. This javascript malware exploits vulnerabilities in the Flash and Adobe Acrobat Reader plugins. This means that you can catch the malware regardless of which browser you use! A good lesson learned!
These are the steps I took to clean up the site and make sure it doesn't happen again:
- First I removed the trojan with the help of this article.
- After removing the Trojan I was able to update the virus database of aVast Home Edition and Malware Bytes. I ran a complete scan and nothing else was found. Again I want to point out the fact that a complete scan with a virus database dated 10 May did not detect anything!
- After verifying that the trojan was gone (it blocked regedit and cmd.exe among other things), I updated the FTP password.
- Switched Windows Updates to automatic instead of manual.
- Enabled some resident protection in aVast: "Network shield" and "Web shield". aVast displays a warning if you access a page with this malware.
- Using a local copy of the production environment, I uploaded again all the php, html and javascript files. I double checked all the files with an FTP log of the hacker's script and all the files they touched. Because my local copy was not 100% up to date, and contained some experiments, it made the "restoration" process longer and more difficult.
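The cross-check in the last step, as an added example that is not part of the original post: it lists every file uploaded from an unrecognised host according to the FTP log, then compares the live copy of each against a known-good copy. The xferlog record format, the `/www/` prefix, the host addresses and all function names are assumptions; the sample log is constructed.

```python
import hashlib
from pathlib import Path

# Constructed sample in xferlog format (assumed; the post does not name the
# FTP server or its log format). Hosts are documentation-range addresses.
SAMPLE_LOG = """\
Thu May 14 16:05:12 2009 1 198.51.100.7 5120 /www/index.php b _ i r siteadmin ftp 0 * c
Thu May 14 17:02:40 2009 1 203.0.113.50 5310 /www/index.php b _ o r siteadmin ftp 0 * c
Thu May 14 17:02:41 2009 1 203.0.113.50 5498 /www/index.php b _ i r siteadmin ftp 0 * c
Thu May 14 17:02:41 2009 1 203.0.113.50 2210 /www/js/main.js b _ i r siteadmin ftp 0 * c
Thu May 14 17:02:42 2009 1 203.0.113.50 900 /www/about.html b _ i r siteadmin ftp 0 * i
"""

def uploads_from_unknown_hosts(log_text, trusted_hosts):
    """Return paths uploaded (direction 'i') from hosts outside trusted_hosts."""
    touched = set()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue  # not a complete xferlog record
        host, path, direction = f[6], f[8], f[11]
        if direction == "i" and host not in trusted_hosts:
            # Incomplete uploads count too: the file may have been truncated.
            touched.add(path)
    return touched

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def restore_plan(touched, live_root, clean_root, prefix="/www/"):
    """Classify each touched file by comparing live and known-good copies."""
    plan = {}
    for logged in sorted(touched):
        rel = logged[len(prefix):] if logged.startswith(prefix) else logged.lstrip("/")
        live, clean = Path(live_root, rel), Path(clean_root, rel)
        if not clean.exists():
            # The clean copy may be out of date, as happened in the post.
            plan[rel] = "no clean copy: review by hand"
        elif not live.exists() or sha256_of(live) != sha256_of(clean):
            plan[rel] = "restore from clean copy"
        else:
            plan[rel] = "matches clean copy"
    return plan
```
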
FOR WINDOWS USERS:
The easiest way to check that your computer is clean is to go to the Start menu, choose "Run..." then type in "cmd" or "regedit" and press Enter. If you don't see the command shell window, or the regedit window, and the desktop seems to redraw itself, then you may have the trojan. Hopefully nobody will have been infected between the time the site was hit and when I was able to take it down. If you think you caught the trojan on a Windows OS, please post in this topic and I'll do my best to help.
I'm really sorry and sincerely hope nobody's computer was infected through this site. I've taken steps that I believe will make this very unlikely to happen in the future.
With that said, there's only so much you can do when you use Windows! This experience was a good reminder that not using IE is in fact NOT a guarantee for virus/malware protection.
Many thanks to member Burritolingus who first reported the problem.
-
4 May 2009: Scalable Vector Goodness
Development of the website is ongoing, and the refactoring of the existing website pages/features is almost complete.
Last week I converted the Leitner bar chart to SVG (VML on Internet Explorer), with the excellent Raphaeljs javascript library. I was surprised to find that the graphics can work flawlessly in all major browsers: Safari, Opera, IE, Firefox, Chrome! This is very exciting because it means I don't need to use Google Charts, or FLASH, or complicated image/css tricks to do graphs anymore, I can draw them directly with simple vector graphics operations, and basically draw the charts any way I want!
As a result of this I have just added an option to switch the bar chart view between "simple" and "full" mode, where in "full" view you can see the 8 card boxes of this site's Leitner-based reviewing system.
I am now aiming to publish the refactored site around 22 May.
To be able to meet this deadline I decided to move the Study area features for the very next release, and instead I am working on adding options to be able to manage flashcards freely, by adding any single card or range of cards, specified by RTK/"Heisig" frame number, OR by kanji. I am DETERMINED to make the review part of the site better!!
So the following Study area changes should be implemented in the very NEXT release after the upcoming May release (in other words, it would be the first update of the refactored site):
- Tagging your stories as "explicit" so that users can choose whether they want adult/visually explicit stories or not.
- Tagging the language of your stories, and allowing users to switch between languages in the shared stories area.
- A "Helpfulness" rating similar to that on Amazon. Basically the main difference is that you can vote DOWN something without necessarily "reporting" it. At the same time I am considering a few preset reporting options to let users flag stories that are not properly tagged.
Those Story area changes are not set in stone yet and comments and suggestions are welcome (please use this topic)!