So, regarding my last post, perhaps I owe an apology to YouTube regarding malware distribution. I have been chasing the problem for about a month now, and have finally narrowed it down to a virus known as “MPack” from Russia. This is a really nasty one and appears to have several “ports of entry” into a web site.
From what I can tell, the attacks came in through the following php that I innocently installed on my site (not this site), but have since removed:
- php Hamweather installation (nice app that gives weather in various locations). Hacked through appending .include to the URL with a perl script reference on the end. I notified them of the attack. Hopefully they have corrected it by now.
- php Mortgage calculator. Supposed to give mortgage estimations at various rates. Looks like it was malicious from the start (especially in some caching stuff with names like ‘smartie’).
- WordPress blog – could be the ‘free’ template I downloaded. Still not sure how they hacked this one.
What happened then was that bad files got copied all over the site through the above-mentioned holes:
- news.php – Looks like a bunch of random characters wrapped in a php base64_decode, unzip and eval calls. I think it places modsoap.php elsewhere.
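As an added illustration (not code from the post or from any of the packages it names), the following Python script shows how a site owner could triage PHP files for the two things described above: the eval-over-base64_decode/gzinflate wrapper seen in news.php, and includes driven directly by request input like the `.include` URL trick. The file names, their contents and the payload text are all constructed for the example; nothing is executed, one obfuscation layer is only decoded for inspection.

```python
"""Static triage of PHP sources for obfuscated eval payloads and request-driven
includes. Added example; all file names and contents below are constructed."""
import base64
import re
import zlib
from typing import Dict, List, Optional


def make_obfuscated_payload(php_body: str) -> str:
    """Build a constructed sample in the eval(gzinflate(base64_decode(...))) shape
    so the scanner has something realistic to look at. gzinflate() in PHP is raw
    DEFLATE, which is zlib with wbits=-15."""
    raw_deflate = zlib.compressobj(wbits=-15)
    packed = raw_deflate.compress(php_body.encode()) + raw_deflate.flush()
    blob = base64.b64encode(packed).decode()
    return f"<?php eval(gzinflate(base64_decode('{blob}'))); ?>"


# Constructed sample files (hypothetical names, not taken from a real site).
SAMPLES: Dict[str, str] = {
    "news.php": make_obfuscated_payload(
        'echo "constructed payload"; include("modsoap.php");'
    ),
    "index.php": "<?php include 'header.php'; echo 'Welcome'; ?>",
    "calc.php": "<?php include($_GET['page'] . '.include'); ?>",
}

# Detection rules. Each is a heuristic: a hit means "look at this file", not proof.
PATTERNS: Dict[str, re.Pattern] = {
    # eval() fed straight from a decoder/decompressor call
    "obfuscated_eval": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I
    ),
    # a long literal base64 blob handed to base64_decode()
    "base64_blob": re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{32,}"),
    # include/require whose path comes from the request (RFI/LFI exposure)
    "dynamic_include": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"
    ),
}


def scan_source(src: str) -> List[str]:
    """Return the names of every rule that matches this PHP source."""
    return [name for name, rx in PATTERNS.items() if rx.search(src)]


def scan_all(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a name->source mapping; only files with at least one hit are reported."""
    report: Dict[str, List[str]] = {}
    for name, src in files.items():
        hits = scan_source(src)
        if hits:
            report[name] = hits
    return report


_WRAPPED = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]"
)


def unwrap_layer(src: str) -> Optional[str]:
    """Decode one eval(gzinflate(base64_decode('...'))) layer for inspection,
    without executing anything. Returns None if the shape or data is not there."""
    m = _WRAPPED.search(src)
    if not m:
        return None
    try:
        return zlib.decompress(base64.b64decode(m.group(1)), -15).decode("utf-8", "replace")
    except (ValueError, zlib.error):
        return None


if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        print(f"{name}: {', '.join(hits)}")
        inner = unwrap_layer(SAMPLES[name])
        if inner is not None:
            print(f"  decoded layer: {inner}")
```

Running it flags news.php for the obfuscated eval wrapper and the base64 blob, and calc.php for the request-driven include, while the plain index.php produces no report. Real payloads are often nested several layers deep, so `unwrap_layer` would be applied repeatedly to its own output until the shape no longer matches.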
Hopefully it's gone now, but it will never be forgotten!
This is definitely a lesson learned in not trusting php script written by others even if they are reputable folks.