2008
08.21

Malware everywhere

So, regarding my last post, perhaps I owe YouTube an apology about malware distribution.  I have been chasing the problem for about a month now, and have finally narrowed it down to a virus known as “MPack” from Russia.  This is a really nasty one and appears to have several “ports of entry” into a web site.

From what I can tell, the attacks came in through the following PHP that I innocently installed on my site (not this site), but have since removed:

  •  php Hamweather installation (nice app that gives weather in various locations).  Hacked through appending .include to the URL with a perl script reference on the end.  I notified them of the attack.  Hopefully they have corrected it by now.
  • php Mortgage calculator.  Supposed to give mortgage estimations at various rates.  Looks like it was malicious from the start (especially in some caching stuff with names like ‘smartie’).
  • WordPress blog – could be the ‘free’ template I downloaded.  Still not sure how they hacked this one.

What happened then was that bad files got copied all over the site through the above-mentioned holes:

  • modsoap.php – This one periodically injected really evil JavaScript into the <head> section of the index.php page.  The script looks like the following:   <script language=JavaScript>function dc(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(lots of numbers and more code here…);  Once it executes, this script tries to download ActiveX controls and run .exes, exploiting IE weaknesses.  These guys did a good job of summarizing the details of the attack.
  • news.php – Looks like a bunch of random characters wrapped in PHP base64_decode, unzip and eval calls.  I think it places modsoap.php elsewhere.
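As an added example (not code from the original post, and not anything recovered from the compromised site), here is a small Python scanner that looks for the two indicators described above: a .php file that hands a base64_decode/gzinflate blob to eval, and an index.php whose <head> carries an injected script beginning with function dc(x). It also unwraps the base64/deflate layer so the hidden PHP can be read. The sample files it writes are constructed for the demonstration; their names mirror the post but their contents are harmless stand-ins, and the function names are my own.

```python
import base64
import re
import tempfile
import zlib
from pathlib import Path

# Indicator 1 (news.php style loader): eval() fed by gzinflate()/base64_decode().
OBFUSCATED_EVAL = re.compile(
    r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(",
    re.IGNORECASE,
)
# Indicator 2 (modsoap.php's payload): a <script> inside <head> starting with function dc(x).
INJECTED_HEAD_SCRIPT = re.compile(
    r"<head>.*?<script[^>]*>\s*function\s+dc\s*\(\s*x\s*\).*?</script>.*?</head>",
    re.IGNORECASE | re.DOTALL,
)
# The literal handed to base64_decode(), so it can be unwrapped for inspection.
BASE64_ARG = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]{20,})['\"]")


def scan_php_source(text):
    """Return the names of the indicators that match one file's contents."""
    findings = []
    if OBFUSCATED_EVAL.search(text):
        findings.append("eval-of-decoded-payload")
    if INJECTED_HEAD_SCRIPT.search(text):
        findings.append("injected-head-script")
    return findings


def decode_payload(text):
    """Strip the base64 layer and, if gzinflate() is used, the raw-deflate layer.

    Returns the hidden PHP as text, or None if there is no blob or it will not decode."""
    match = BASE64_ARG.search(text)
    if match is None:
        return None
    raw = base64.b64decode(re.sub(r"\s+", "", match.group(1)))
    if re.search(r"gzinflate", text, re.IGNORECASE):
        try:
            # PHP's gzinflate() is raw deflate; negative wbits tells zlib to expect no header.
            raw = zlib.decompress(raw, -zlib.MAX_WBITS)
        except zlib.error:
            return None
    return raw.decode("latin-1")


def scan_tree(root):
    """Walk a web root and map each flagged .php file (relative path) to its indicators."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        findings = scan_php_source(path.read_text(encoding="latin-1"))
        if findings:
            results[str(path.relative_to(root))] = findings
    return results


def build_sample_loader(inner_php):
    """Constructed sample of a news.php style loader around a harmless inner payload."""
    deflater = zlib.compressobj(wbits=-zlib.MAX_WBITS)  # raw deflate, what gzinflate() expects
    compressed = deflater.compress(inner_php.encode()) + deflater.flush()
    blob = base64.b64encode(compressed).decode()
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % blob


# Constructed samples (assumption: file names mirror the post, contents are benign stand-ins).
SAMPLE_INNER = "echo 'a real dropper would write modsoap.php here';"
SAMPLE_INDEX = (
    "<html><head><title>site</title>\n"
    "<script language=JavaScript>function dc(x){var l=x.length,b=1024;}</script>\n"
    "</head><body>hello</body></html>"
)
SAMPLE_CLEAN = "<?php echo 'nothing to see'; ?>"


def demo():
    """Write the constructed samples to a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "news.php").write_text(build_sample_loader(SAMPLE_INNER))
        Path(root, "index.php").write_text(SAMPLE_INDEX)
        Path(root, "clean.php").write_text(SAMPLE_CLEAN)
        return scan_tree(root)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
    print(decode_payload(build_sample_loader(SAMPLE_INNER)))
```

Run it against a real document root by calling scan_tree("/path/to/htdocs") instead of demo(); anything it flags should be compared against a clean copy of the application rather than deleted blindly, since legitimate template caches can also contain long base64 strings.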

Hopefully it's gone now, but it will never be forgotten!

This is definitely a lesson learned in not trusting PHP scripts written by others, even if they are reputable folks.

midniteblogger.

  1. Very rarely do I come across a blog that’s both informative and entertaining, and let me tell you, you’ve hit the nail on the head.

  2. fantastic points altogether, you just gained a brand new reader. What would you suggest in regards to your post that you made a few days ago? Any positive?

  3. You really make it seem so easy with your presentation but I discover this subject to become truly some thing which I believe I’d never understand. It appears too complicated and very broad for me. I am looking forward for your next publish.