Malware detected on website

One of the servers we manage has been compromised and is hosting malware, according to Kaspersky Anti-Virus. The site uses a number of open-source applications such as WordPress, Gnuboard and phpLinkDirectory. We initially thought it would be either the .htaccess or the base64_encode exploit, but after close examination we found that a plain JavaScript snippet had been inserted into one of the Gnuboard include files (bbs/visit_insert.inc.php).

The injected code only affects search traffic, i.e. visitors arriving from popular search engines such as Google, Yahoo, Ask and MSN. Here is the command we used to confirm the infection: sending a search-engine Referer triggers the injected snippet, and the antivirus on the client then refuses the response (the 499 below).

[me@localhost ~]$ wget --referer google http://www.example.org -O example.txt
--2012-04-27 08:12:25--  http://www.example.org/
Resolving www.example.org... 24.123.XXX.XXX
Connecting to www.example.org|24.123.XXX.XXX|:80... connected.
HTTP request sent, awaiting response... 499 Request has been forbidden by antivirus
2012-04-27 08:12:25 ERROR 499: Request has been forbidden by antivirus.
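The same check can be automated without relying on a client-side antivirus to flag the page. The script below is an added example, not part of the original post: it fetches the page once with no Referer and once per search-engine Referer, then reports any <script> blocks that appear only in the referer-triggered responses. The referer URLs, the User-Agent string and the sample HTML in the test are constructed assumptions.

```python
import re
import sys
import urllib.request

# Constructed list of search-engine referers to probe with (assumption, not from the post).
SEARCH_REFERERS = [
    "https://www.google.com/search?q=example",
    "https://search.yahoo.com/search?p=example",
    "https://www.bing.com/search?q=example",
    "https://www.ask.com/web?q=example",
]

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

def script_blocks(html: str) -> set:
    """Return the set of <script>...</script> blocks in html, whitespace-normalised."""
    return {" ".join(m.group(0).split()) for m in SCRIPT_RE.finditer(html)}

def injected_scripts(baseline_html: str, referred_html: str) -> list:
    """Script blocks present only in the response served to search-engine traffic."""
    return sorted(script_blocks(referred_html) - script_blocks(baseline_html))

def fetch(url: str, referer: str = None, timeout: int = 15):
    """GET url, optionally with a Referer header. Returns the body, or None on any error."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0 cloak-check"})
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except Exception:  # DNS/HTTP errors, including a 499 from an AV proxy as in the post
        return None

def check_site(url: str) -> dict:
    """Map each referer to the script blocks seen only with that referer (None = fetch failed)."""
    baseline = fetch(url)  # request with no Referer: what the site owner normally sees
    results = {}
    for ref in SEARCH_REFERERS:
        body = fetch(url, referer=ref)
        results[ref] = None if baseline is None or body is None else injected_scripts(baseline, body)
    return results

if __name__ == "__main__":
    for ref, scripts in check_site(sys.argv[1]).items():
        print(ref, "->", "fetch failed" if scripts is None else f"{len(scripts)} referer-only script block(s)")
```

Run it as `python cloak_check.py http://www.example.org/`; a non-empty list for any referer means the server answers search-engine visitors with script content that direct visitors never receive.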
