posted by admin
on Fri, 04/27/2012 - 10:15
One of the servers we manage has been compromised and is hosting malware, according to Kaspersky Anti-Virus. The site uses a number of open-source applications such as WordPress, Gnuboard and phpLinkDirectory. We initially thought it would be either the .htaccess or the base64_encode exploit, but on closer examination we found that a plain JavaScript snippet had been inserted into one of the Gnuboard include files (bbs/visit_insert.inc.php).
The injected code only affects search traffic originating from popular search engines such as Google, Yahoo, Ask and MSN. Here is the command we used to confirm the infection.
[me@localhost ~]$ wget --referer google http://www.example.org -O example.txt
--2012-04-27 08:12:25--  http://www.example.org/
Resolving www.example.org... 24.123.XXX.XXX
Connecting to www.example.org|24.123.XXX.XXX|:80... connected.
HTTP request sent, awaiting response... 499 Request has been forbidden by antivirus
2012-04-27 08:12:25 ERROR 499: Request has been forbidden by antivirus.
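The wget check above only works when an antivirus proxy sits in the path and rejects the page with a 499. The script below is an added example (not from the original post) that does the same referer-based probe without depending on an antivirus product: it fetches the page once with no Referer and once per search-engine Referer, then reports any script elements that appear only for search-engine visitors, which is exactly the cloaking behaviour described above. The referer URLs, the fetch helper and the constructed simulated_fetch stand-in (which models a compromised site serving an extra script to search traffic) are assumptions for the demo; pass a real URL on the command line to run the live fetcher instead.

```python
import hashlib
import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetcher takes (url, referer) and returns (http_status, body_bytes).
Fetcher = Callable[[str, str], Tuple[int, bytes]]

# "direct" (empty referer) is the baseline; the others are the search engines
# the post says the injected code targets. The URLs are assumed sample values.
SEARCH_REFERERS: Dict[str, str] = {
    "direct": "",
    "google": "https://www.google.com/search?q=example",
    "yahoo": "https://search.yahoo.com/search?p=example",
    "ask": "https://www.ask.com/web?q=example",
    "msn": "https://www.msn.com/",
}

SCRIPT_RE = re.compile(rb"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)


def fetch_with_referer(url: str, referer: str, timeout: int = 10) -> Tuple[int, bytes]:
    """Live fetcher: request the page with an optional Referer header.
    Non-2xx responses are returned (status, body) rather than raised so the
    caller can still compare what the server sent."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0 (cloak-check)"})
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def script_fingerprints(body: bytes) -> List[str]:
    """Hash each <script>...</script> element individually, so that dynamic
    page text outside scripts (dates, tokens) does not produce false diffs."""
    return sorted(hashlib.sha256(s).hexdigest()[:16] for s in SCRIPT_RE.findall(body))


def probe(url: str, fetcher: Fetcher = fetch_with_referer,
          referers: Dict[str, str] = SEARCH_REFERERS) -> Dict[str, dict]:
    """Fetch the page once per referer and record status plus script fingerprints."""
    results: Dict[str, dict] = {}
    for name, ref in referers.items():
        status, body = fetcher(url, ref)
        results[name] = {"status": status, "scripts": script_fingerprints(body)}
    return results


def cloaking_report(results: Dict[str, dict]) -> Dict[str, dict]:
    """Compare every search-engine response with the direct baseline.
    A referer is reported when the status differs or when the page carries
    scripts that the direct visit does not."""
    base = results["direct"]
    report: Dict[str, dict] = {}
    for name, r in results.items():
        if name == "direct":
            continue
        extra = sorted(set(r["scripts"]) - set(base["scripts"]))
        if r["status"] != base["status"] or extra:
            report[name] = {"status": r["status"],
                            "baseline_status": base["status"],
                            "extra_scripts": extra}
    return report


# --- constructed stand-in for a compromised site (demo data, not a real page) ---
CLEAN_PAGE = b"<html><body><h1>Example</h1><script src='/js/site.js'></script></body></html>"
INJECTED = b"<script>/* constructed placeholder for referer-triggered JavaScript */</script>"


def simulated_fetch(url: str, referer: str) -> Tuple[int, bytes]:
    """Serves the extra script only when the Referer names a search engine,
    mirroring the behaviour the post describes."""
    if any(engine in referer for engine in ("google", "yahoo", "ask", "msn")):
        return 200, CLEAN_PAGE.replace(b"</body>", INJECTED + b"</body>")
    return 200, CLEAN_PAGE


if __name__ == "__main__":
    if len(sys.argv) > 1:
        findings = cloaking_report(probe(sys.argv[1]))
    else:
        findings = cloaking_report(probe("http://www.example.org", simulated_fetch))
    for name, detail in findings.items():
        print(f"{name}: status {detail['status']} vs {detail['baseline_status']}, "
              f"scripts only for this referer: {detail['extra_scripts']}")
    if not findings:
        print("no referer-dependent scripts found")
```

Comparing per-script hashes rather than the whole body keeps ordinary dynamic content from masking the diff; if the site legitimately varies its scripts per request (nonces, A/B testing), run the direct baseline twice and treat anything that differs between those two runs as noise before reading the report.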