If you don't think you're vulnerable, read about my nightmare below. It's quite embarrassing. I don't post much. No one wants to write a story like this; hopefully it helps someone.
I was hit Thanksgiving day of last year. 12 years running adult sites and never a problem. In my case, the permissions on 1 PHP file within OpenX were wide open. Permissions don't sync across servers and malware was injected on my splash redirecting to a Russian site. Multiple shells were installed and if you have ever seen your backend/library via a shell with Russian headers and tags, it's the scariest thing ever.
Quite elegant too, all your folders and files are color coded, everything wide open.
The second scariest thing is looking at the code injected onto the page itself. In my case the code was 7 or 8 strange characters, you can't even see the redirect buried at the very bottom of the page. The page is straight HTML, a simple warning page. Super clean. The characters look like the innocent copyright tags.
That code referenced scripts buried far in my file structure.
AdWords suspended, banned from Google. Cybercat pulling me, TJ yanked me. Kenny emailing me, Paperstreet emailing me. Pornhub video b gone. Exo paused. NIGHTMARE!
That was my Thanksgiving.
The good part is it didn't last long. Once clean I resubmitted to Google and within 5 seconds I was approved and it was like nothing ever happened. All references to us distributing malware within Google search vanished.
What saved us was clonebox and Ray, having a great host and my man Konrad. The very early symptoms won't be apparent. First extremely vague warnings from Avast, then AVG, then it gets wide out and the messages start rolling in from customers and partners. The nightmare really starts once you get banned from Google. All paid SEO gone, all organic SEO replaced with malware warnings.
Multiple servers on lockdown, thousands of folders each with perfect permissions set and yet 1 file wide open.
Looking back it's probably best it happened because other measures are now in place to ensure that never happens again.
Check your permissions and at the very least, get a script installed that alerts you to any changes on your boxes. Having a firewall on your FTP/SSH isn't enough. These new malware injections are pretty clever.
Rather embarrassing, I had to learn the hard way. Hopefully you won't have to.
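
An added example, not part of the original post: a minimal Python sketch of the two checks recommended above, finding world-writable files and alerting on any change against a stored baseline. The function names are hypothetical and the directory tree in `demo()` is constructed for illustration.

```python
import hashlib, os, stat, tempfile

def snapshot(root):
    """Map relative path -> (permission bits, SHA-256) for each regular file."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = (stat.S_IMODE(st.st_mode), digest)
    return state

def world_writable(state):
    """Files any local user can overwrite (the 'one file wide open' case)."""
    return sorted(p for p, (mode, _) in state.items() if mode & stat.S_IWOTH)

def diff(baseline, current):
    """Alerts for files added, removed, modified, or re-permissioned."""
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None or new is None:
            alerts.append(("added" if old is None else "removed", path))
            continue
        if old[1] != new[1]:
            alerts.append(("modified", path))
        if old[0] != new[0]:
            alerts.append(("chmod", path))
    return alerts

def write(root, rel, data, mode):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)  # set explicitly so the umask does not interfere

def demo():
    """Constructed tree: a splash page plus one world-writable PHP file."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "index.html", b"<html>warning page</html>", 0o644)
        write(root, "ads/config.php", b"<?php // constructed ?>", 0o666)
        baseline = snapshot(root)
        write(root, "index.html", b"<html>warning page</html><!-- changed -->", 0o644)
        write(root, "ads/cache/new.php", b"<?php // constructed ?>", 0o644)
        return world_writable(baseline), diff(baseline, snapshot(root))
```

In practice the baseline would be saved somewhere the web server user cannot write, and `diff` run on a schedule on every server, since permissions can differ from one box to the next.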
