I recently discovered that a number of sites of mine were considered unsafe by Google, Firefox, Yandex … The reason was they had detected malware being served to visitors of the site. I checked a bit further and I discovered it was the Mal/Badsrc-M – Troj/PHPShll-B trojan. In each of my (WordPress and other) PHP files, the first line had been changed to
<?php /* */ eval(base64_decode("...(bad stuff)"));?><?php ...
The file is easy to clean up: you remove the eval statement and that’s it. Only, on this server several hundred PHP files (WordPress, MediaWiki, …) were affected. So I made a script to go through all of them and clean up. It uses the fact that
- the whole injected statement is on 1 line
- no ‘decent’, trustworthy program uses eval(base64_decode(" ... ")) in its PHP code
- it moves the second <?php to the second line and then removes the whole first line
So if you have the same problem, use a bash script like this and run it in the root of all your websites:
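The author’s bash script itself is not reproduced on this page. As an added example (not the author’s code), here is the same idea in Python: it walks a web root, matches only a first line that begins with the injected eval(base64_decode("...")) statement, and writes the file back without that prefix. It also handles the case the post’s second <?php trick covers: when nothing else was on the first line, the line is dropped entirely rather than left empty. The sample files built in self_check() are constructed, and their base64 decodes to plain words.

```python
"""Clean the first-line eval(base64_decode("...")) injection described in the
post from every .php file under a web root.

Assumptions, taken from the post: the injected statement sits entirely on
line 1 and is followed on that same line (or on the next one) by the file's
own "<?php"."""

from __future__ import annotations

import re
import sys
import tempfile
from pathlib import Path

# Matches the injected prefix only: "<?php", an optional comment, then
# eval(base64_decode("<payload>")); and the closing "?>".  It is anchored at
# the start of the file, so a legitimate file that merely mentions
# base64_decode somewhere else is never touched.
INJECTION_RE = re.compile(
    rb'^<\?php\s*(?:/\*.*?\*/\s*)?eval\(base64_decode\("[^"]*"\)\);\s*\?>'
)


def is_infected(first_line: bytes) -> bool:
    """True when the given first line starts with the injected statement."""
    return INJECTION_RE.match(first_line) is not None


def strip_injection(content: bytes) -> bytes:
    """Return content with the injected statement removed from line 1.

    The rest of line 1 (the file's real "<?php ...") is kept.  If the
    injection was alone on its line, the whole line is removed so the file
    does not start with an empty line.  Unchanged content comes back as-is."""
    first, sep, rest = content.partition(b"\n")
    m = INJECTION_RE.match(first)
    if m is None:
        return content
    cleaned_first = first[m.end():]
    if not cleaned_first.strip():
        return rest
    return cleaned_first + sep + rest


def clean_file(path: Path) -> bool:
    """Rewrite one file in place; True when something was removed."""
    data = path.read_bytes()
    cleaned = strip_injection(data)
    if cleaned == data:
        return False
    path.write_bytes(cleaned)  # in-place write keeps owner and mode
    return True


def clean_tree(root: Path) -> list[Path]:
    """Clean every .php file below root and return the files that changed."""
    return [p for p in sorted(root.rglob("*.php")) if p.is_file() and clean_file(p)]


def self_check() -> bool:
    """Run clean_tree over constructed sample files in a temporary directory.
    The base64 payload here is just the word "hello", not real malware."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_bytes(
            b'<?php /* */ eval(base64_decode("aGVsbG8="));?><?php echo "site";\n'
        )
        (root / "wp").mkdir()
        (root / "wp" / "ok.php").write_bytes(b'<?php echo "clean";\n')
        changed = clean_tree(root)
        return (
            [p.name for p in changed] == ["index.php"]
            and (root / "index.php").read_bytes() == b'<?php echo "site";\n'
            and (root / "wp" / "ok.php").read_bytes() == b'<?php echo "clean";\n'
        )


if __name__ == "__main__":
    # Usage: python clean_eval.py /var/www   (run it in the root of your sites)
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for changed in clean_tree(root):
        print("cleaned", changed)
```

Run it once with no argument inside a throwaway copy first; clean_tree() returns the list of files it rewrote, which is also what you want to keep as a record of the infection.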
For those of you with WordPress blogs, does this look familiar?
Luckily there is a way to let IE switch the security warning off for URLs that are under your own control (like your blog, for instance):
Add your own URL to the Trusted Sites (Options/Security/Trusted Sites) and you do not get the scripting warning anymore. Happy posting!
If you’re allergic to acronyms, don’t read on. I’ve reached an all-time TLA/FLA density high in the following article!
Who knows the passwords you use for your email accounts? Who knows the password you use for your FTP account? Who knows the password to your blog admin page? There might be more than you thought!
Imagine user John Doe, with username jdoe, who has the ‘strong’ password “p@ssw0rd”. Let’s take a look at the conversation that happens when his Outlook/Thunderbird email client connects to check for new messages, or when he uploads a new version of his website with Filezilla/Dreamweaver:
This is a typical FTP conversation:
Response: 220 (ID of the FTP server)
Command: USER jdoe
Response: 331 Password required for jdoe.
Command: PASS p@ssw0rd
Response: 230 User jdoe logged in.
This is a typical POP3 (email) scenario:
Command: USER jdoe
Response: +OK Password required for jdoe
Command: PASS p@ssw0rd
Response: +OK jdoe's maildrop has 2 messages (320 octets)
(Remark: POP3 does have an APOP command that does not transfer the password in clear text. It is, however, typically used for the 2nd and following POP3 connections, using a piece of information that was given in the first transaction.)
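As an added illustration (not part of the original post), a small Python scanner that reads session transcripts in the Command:/Response: form used above and reports whether the login used a cleartext PASS or an APOP digest. The FTP and POP3 transcripts are the two quoted in the post; the APOP transcript, its server greeting and its digest value are constructed placeholders. The scanner records only that a password was sent, never the password itself, which is how a monitoring rule for cleartext authentication should behave.

```python
"""Detect cleartext logins in FTP / POP3 session transcripts written in the
"Command: / Response:" form used in the post.  Only the fact that a password
crossed the wire is recorded; the password value itself is discarded."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^(Command|Response):\s*(.*)$")

# Client verbs that carry the secret in the clear (FTP and POP3 both use PASS)
# and verbs that carry a digest instead of the password (POP3 APOP).
CLEARTEXT_VERBS = {"PASS"}
DIGEST_VERBS = {"APOP"}


@dataclass
class AuthFinding:
    username: Optional[str] = None
    cleartext_password: bool = False   # a PASS command was seen
    digest_auth: bool = False          # an APOP command was seen
    login_succeeded: bool = False      # server answered 230 (FTP) or +OK (POP3)


def scan_session(transcript: str) -> AuthFinding:
    """Walk one transcript and summarise how (and whether) the client logged in."""
    finding = AuthFinding()
    awaiting_auth_reply = False
    for raw in transcript.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        direction, payload = m.groups()
        if direction == "Command":
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                finding.username = arg.strip()
            elif verb in CLEARTEXT_VERBS:
                finding.cleartext_password = True   # arg (the password) is dropped
                awaiting_auth_reply = True
            elif verb in DIGEST_VERBS:
                finding.digest_auth = True
                words = arg.split()
                if words:
                    finding.username = words[0]     # APOP <name> <digest>
                awaiting_auth_reply = True
        elif awaiting_auth_reply:
            # The reply right after PASS/APOP tells whether the login worked.
            finding.login_succeeded = payload.startswith(("230", "+OK"))
            awaiting_auth_reply = False
    return finding


def cleartext_logins(sessions: Dict[str, str]) -> List[str]:
    """Names of the sessions in which a password was sent unprotected."""
    return [name for name, text in sessions.items()
            if scan_session(text).cleartext_password]


# Transcripts: FTP and POP3 are the exchanges quoted in the post; the APOP one
# is constructed and its greeting and digest are placeholders, not real values.
FTP_SESSION = """\
Response: 220 (ID of the FTP server)
Command: USER jdoe
Response: 331 Password required for jdoe.
Command: PASS p@ssw0rd
Response: 230 User jdoe logged in.
"""

POP3_SESSION = """\
Command: USER jdoe
Response: +OK Password required for jdoe
Command: PASS p@ssw0rd
Response: +OK jdoe's maildrop has 2 messages (320 octets)
"""

APOP_SESSION = """\
Response: +OK POP3 server ready <1896.697170952@example.invalid>
Command: APOP jdoe 0123456789abcdef0123456789abcdef
Response: +OK maildrop locked and ready
"""

if __name__ == "__main__":
    sessions = {"ftp": FTP_SESSION, "pop3": POP3_SESSION, "apop": APOP_SESSION}
    for name, text in sessions.items():
        f = scan_session(text)
        how = ("cleartext PASS" if f.cleartext_password
               else "digest (APOP)" if f.digest_auth else "no login")
        print(f"{name}: user={f.username} auth={how} success={f.login_succeeded}")
    print("sessions with cleartext passwords:", cleartext_logins(sessions))
```

The same shape of rule is what a network sensor applies to live traffic: the trigger is the PASS verb on an unencrypted connection, and the alert carries the username and the fact of exposure, not the secret.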
Even more scary: when you log in to your blog/CMS software (that does not use a Google, Yahoo, MSN or Passport account), how does your password reach the server, you think? Encrypted? Not!
Continue reading You give out your passwords every day
My little niece had been trying for a while now to send me through MSN Messenger a picture called “How a Blonde Eats a Banana”. My reaction was, as anyone’s should be: I don’t know what she’s sending, nor why, there’s no prior conversation, no context, no nothing: I did not accept it. But I did not think further about it. A couple of days later I found that a) the girl’s computer had a virus, b) the virus eagerly tried to infect other PCs via Messenger, and c) had successfully accomplished that task in several cases. One of the victims handed over his PC to me (being the family geek and all). Since it was a nasty worm, and it took me some time to disable it, here is the procedure to follow:
- The virus is a worm called W32.Serflog.A, Win32.Bropia.U, Worm.Win32.Sumom.a, W32/Crog.worm or WORM_FATSO.A, depending on what anti-virus company site you visit. I used the information on the Symantec (Norton Antivirus) site to see how it locked itself to the PC.
- The worm does several things:
- it tries to infect other PCs through Messenger (and eMule, but not too aggressively).
- It does not prevent users from ‘working’ (surfing, email, …) so I can see some people doing nothing about it while the program keeps trying to multiply.
- And, most importantly, the worm makes it very hard for even an experienced user to deactivate or remove it.
- The worm starts itself up when Windows starts. Alas, you cannot use Task Manager to see and terminate this process. The invader immediately kills any window starting up that has “Task” in its title. You cannot visit the site of a vendor of antivirus software, because they have all been made inaccessible. You cannot delete its entries from the Registry because it kills the Regedit or Regedt32 applications from the moment they start. You cannot start a DOS Prompt, because … you get the picture.
- So what you do is the following: create a command prompt with a different name. Go to the C:\WINNT\system32 (Win2K) or C:\Windows\System32 (WinXP) folder and copy the cmd.exe file to e.g. whatever.exe. Now double-click the last file, and you should get a command prompt (DOS box). The worm will not detect this.
- The worm works through 3 hidden .exe files: %System%\formatsys.exe, %System%\serbw.exe and %Windir%\msmbw.exe. We will deactivate them by making them accessible (non-hidden) and renaming them:
attrib -h serbw.exe (and the same for the other 2)
ren serbw.exe die_sucker.dead
I first tried to delete the files, but that did not work. Renaming did work, though.
- Restart your computer. The worm will try to start up via one of the three .exe files; since they are now gone, it will not run. Now start up regedit and delete the hooks the worm had placed in the Registry (see the Symantec page for details).
- Go to the hosts file (most likely %SYSTEM%\drivers\etc\hosts) and delete the lines that made the antivirus vendors unavailable. (See the Symantec page for details.)
- Switch off the computer, hit yourself on the head and go and buy an antivirus program. What were you thinking? The virus would have been detected and cleaned by: F-Secure – Norton – Sophos – McAfee – TrendMicro – …
If you have been infected by it, you know you are too gullible to surf the Internet without protection.
These instructions should work on any Windows installation. You might use Symantec’s removal tool, but I had no Internet connection when I was struggling with the intruder. Took me about thirty minutes to figure out a way to circumvent the vicious sucker.
Is this a really nasty piece of software? Yes. Do I admire the person who wrote it? Not at all. It’s not clever engineering, just malevolent.