Hackers have been trying new tricks to obfuscate their malicious code and sneak it surreptitiously into benign websites. This trend is ever increasing as websites are now the weakest link in the entire malware chain. Hackers discover vulnerabilities in websites, exploit them to inject malicious bad code and voila – you have at your disposal a “trusted” website – lots of web surfers will drop by, and in turn get infected with the hacker’s malicious code. This vicious cycle of malware has become a very attractive modus operandi for the dark figures of the Internet.
There is more information about these two exploits. It is not just limited to php-based blogs and forums – larger sites, have been hit with this exploit, along with over 2,300 other websites. The average internet surfer will discover that their machine is infected with this virus when they realize their Google search results in Internet Explorer and Firefox have been hijacked – clicking on the result you want will take you to some other site. The virus will also go one step further and look for any FTP credentials on your machine in order to inject the script onto more websites. Some sites have reported that the script can also modify the permissions of specific directories to give them access to write in the files within.
What does this mean to website owners?
- Up to an hour (or more, depending on size) of cleaning up and rebuilding each site infected.
- Visitors receiving warning messages through their browser or security software that your site is dangerous.
- Possibility of being de-listed by Google to prevent spreading the virus.
So how do you protect yourself, the average internet surfer?
- Update your Adobe Reader to the latest version, and under the Edit menu > Preferences, uncheck the Enable JavaScript option.
- Update your Flash Player to the latest version.
- Update your security software and scan for spyware / viruses.
How do you clean your infected WordPress site?
- First, protect your machine as listed above. Uploading files onto your website from an infected machine will just lead to more injections of the script later.
- For the previous exploit, simply cleaning the PHP files and JavaScript’s within your WordPress installation, themes, and plugins was seemingly enough. But the new exploit will go further and add the injected script to JavaScript and HTML files anywhere on your site, down to the simple readme.html files that come with themes, plugins, etc.
- The newer scripts also add an images.php and/or gifimg.php file with the malicious code to many or all of your images directories, from the main one down to image directories in themes, plugin folders, and so on.
- If you have to go in and remove the malicious code manually, you will find it in the top of PHP files, near the bottom of JavaScript files, and in the head area of HTML files between script tags. Also in the injected images.php and/or gifimg.php files in image directories. The code can vary from site to site, even page to page.
How do you protect your website from further attacks?
- For WordPress, apply recommended security measures.
- Do not save/remember your FTP credentials or administrative logins to your websites. Also, be sure to use a secure FTP client.
- Keep a clean backup of the latest changes you have made to your site. The better your backup, the faster your rebuild process if this happens to you.