Saturday, November 05, 2011

Weird virus on hosted site

Over the past couple of months I have been chasing a virus that has been infecting some computers visiting the church website

The actual cause, which I just found today, was a modified .htaccess file, which contained a lot of empty lines, designed to hide the last line which was:
php_value auto_append_file /home/www/[username]/files/Thumbs.db

The Thumbs.db file, obviously meant to be hidden in plain sight, contains php code like this:

So, as I understand it, this php code gets executed at the end of every php file, which when using a CMS system like drupal, means for every page.

This evaluated to including a file from some random site - and a file called showthread.php, which included some more obfuscated code, which ended up loading a java applet. The clever thing is that this only happened periodically, which means it may or may not happen on a given visit to the site. Every once in a while I'd get a 'this applet needs your permission to run' dialog from the browser, but I knew there were no applets required for the running of the site. As it only happened periodically I never managed to get a browser with tools to show up where the issue was, until today. I got the dialog, and used chromes developer tools to see that the extra php page was included. From this I googled, and eventually found that the htaccess file could be the source of the problem. More info here :

I had also been receiving a Exploit Script Injection (Type 1702) error, which points to this type of problem.

Googling about it revealed that it seems to be a wordpress or wp plugin problem. I had tried out wordpress on the site a couple of months ago, so perhaps this is the cause.

Anyway, its all gone now, and I know what to look out for, so I'll be keeping an eye for the future. Anyone with a similar problem, post a comment.