14 April 2008

Malicious code hacking websites left & right

I usually don't post anything very technical here since it's my blog outside of work. But this commands immediate concern for all website owners since this trojan spread like wildfire on the internet over the weekend.

The trojan can modify all php pages of a website and add iframe codes to redirect and retrieve content from cdpuvhfzz.com. (DON'T ACCESS THAT SITE!).

It hacked one of my websites and I found out about it when it messed up a configuration on my image gallery. It also uploaded code in the form of a jpg file and a zip file posed as an image. I thought I had restored that section until my friend called me up to tell me that my website is being reported as having a virus. She used Avira anti-virus and the virus reported was Javabyte verify g.3, JS/Openconnect J.3 and HTML/Rce.Gen. My website doesn't have any java so I checked the scripts afterwards. After researching on the virus, I found code attached to some recently modified pages. It attaches this code to your page:

h t t p: / / c d p u v b h f z z . c o m / d l / a d v 9 8 . p h p


I later found out that I wasn't the only one hacked. Over the weekend, there has been a considerable amount of discussion, concern, and panic a lot of webmasters regarding this. At first it seemed that it targeted users of the Coppermine Image Gallery. But I've read that even online communities such as Wordpress, Vbulletin forums, phpBB forums and other websites have been infected. One site had to modify 10,000 php pages to remove the code which was attached in each and every page.

The domain which is included in the malicious code was registered via a Chinese registrar just last March 31, 2008 to a certain Mark Arnold.

Technical Contact:
Mark Arnold
+13.193387549 fax: +13.193387549
201 East Benton Street
Iowa City KY 522401
USA

I wonder if he's the culprit or if he's also a victim and someone's using his name and contact.

For more details, you can search for it online here.
Hope no one else has been badly hit. I'm sure this has kept a lot of webmasters on their toes for some sleepless nights.



Reactions:

2 comments:

Dave Q said...

Hi JAy!

so that's what's keeping you busy. Some of our old Wordpress installations got compromised as well. Got that fixed already.

See you around man.

Anonymous said...

Who knows where to download XRumer 5.0 Palladium?
Help, please. All recommend this program to effectively advertise on the Internet, this is the best program!

Related Posts Plugin for WordPress, Blogger...