Malware everywhere
So, regarding my last post, perhaps I owe an apology to YouTube regarding malware distribution. I have been chasing the problem for about a month now, and have finally narrowed it down to a virus known as “MPack” from Russia. This is a really nasty one and appears to have several “ports of entry” into a web site.
From what I can tell, the attacks came in through the following PHP that I innocently installed on my site (not this site), but have since removed:
- PHP Hamweather installation (nice app that gives weather in various locations). Hacked by appending .include to the URL with a perl script reference on the end. I notified them of the attack. Hopefully they have corrected it by now.
- PHP Mortgage calculator. Supposed to give mortgage estimations at various rates. Looks like it was malicious from the start (especially in some caching stuff with names like ‘smartie’).
- WordPress blog - could be the ‘free’ template I downloaded. Still not sure how they hacked this one.
What happened then was that bad files got copied all over the site through the above-mentioned holes:
- modsoap.php - This one periodically injected really evil JavaScript into the <head> section of the index.php page. The script looks like the following: <script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(lots of numbers and more code here…); Once executed, this script tries to download ActiveX controls and run .exes, exploiting IE weaknesses. These guys did a good job of summarizing the details of the attack.
- news.php - Looks like a bunch of random characters wrapped in a php base64_decode, unzip and eval calls. I think it places modsoap.php elsewhere.
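As an added example (not code from the original post), here is a small Python scanner that flags the two kinds of artifact described above: the eval-wrapped base64_decode/unzip pattern of news.php, and a <script> beginning with function dc(x) injected into <head> the way modsoap.php did to index.php. The regexes and the sample files are my own constructions for this page; real infections vary, so treat hits as leads to inspect by hand rather than proof.

```python
import re
import sys
from pathlib import Path

# Indicators constructed from what the post describes: news.php wrapped its
# payload in base64_decode / unzip / eval calls, and modsoap.php injected a
# <script> whose body begins with "function dc(x)" into <head> of index.php.
EVAL_DECODE = re.compile(
    r"eval\s*\(\s*(?:gz(?:inflate|uncompress|decode)|str_rot13)?\s*\(?\s*base64_decode\s*\(",
    re.IGNORECASE,
)
LONG_B64 = re.compile(r"""['"][A-Za-z0-9+/=]{200,}['"]""")  # blob-sized literal
HEAD_BLOCK = re.compile(r"<head\b[^>]*>(.*?)</head>", re.IGNORECASE | re.DOTALL)
INJECTED_DC = re.compile(r"<script[^>]*>\s*function\s+dc\s*\(", re.IGNORECASE)


def scan_php_source(src: str) -> list:
    """Return the indicator names found in one PHP/HTML file's text."""
    hits = []
    if EVAL_DECODE.search(src):
        hits.append("eval-of-base64_decode")
    if LONG_B64.search(src):
        hits.append("long-base64-literal")
    if any(INJECTED_DC.search(head) for head in HEAD_BLOCK.findall(src)):
        hits.append("script-dc-in-head")
    return hits


def scan_files(files: dict) -> dict:
    """Map file name -> indicators, keeping only files with at least one hit."""
    report = {name: scan_php_source(text) for name, text in files.items()}
    return {name: hits for name, hits in report.items() if hits}


# Constructed sample site: an obfuscated dropper, an injected index page,
# and a benign script that merely decodes a short string.
SAMPLE_FILES = {
    "news.php": "<?php eval(gzinflate(base64_decode('" + "QUJD" * 60 + "'))); ?>",
    "index.php": "<html><head><title>Home</title><script language=JavaScript>"
                 "function dc(x){var l=x.length,b=1024;}</script></head><body></body></html>",
    "weather.php": "<?php echo base64_decode('SGVsbG8='); ?>",
}

if __name__ == "__main__":
    # Usage: python scan.py /path/to/webroot (falls back to the samples above)
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    files = ({str(p): p.read_text(errors="replace") for p in root.rglob("*.php")}
             if root else SAMPLE_FILES)
    for name, hits in scan_files(files).items():
        print(f"{name}: {', '.join(hits)}")
```

Pointed at a real webroot it walks every .php file; the benign weather.php sample shows that a plain base64_decode without eval is not flagged.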
Hopefully it's gone now, but it will never be forgotten!
This is definitely a lesson learned in not trusting PHP scripts written by others, even if they are reputable folks.
midniteblogger.