[Nottingham] A Google Webmaster Scam?

David Aldred davidaldred at gmail.com
Wed Dec 19 18:02:52 UTC 2012

Martin, I saw a similar 'infection' 2-3 years ago on a site which I had a
hand in, but didn't actually manage (until this happened, when the usual
site maintainer panicked!)

The first step was to delete the offending JavaScript. It promptly came
back. I then identified a separate JavaScript file containing a load of
gobbledygook as a string - which was then being decoded and evaluated and
doing nasty (but apparently rather clever) things. Clobbered that. It
came back. There must have been a second restorer of some sort.

Now people were *really* panicking.

The process I ended up with was:

1.  Copy the site to a local machine
2.  Delete the entire site.
3.  Change passwords, and make them good.
4.  Put up a holding page, plain HTML, no JS.
5.  In the local copy, grep every HTML/PHP file for any inclusion of
javascript and make sure it was the right javascript
6.  Grep all javascript for the offending URL.  Also manually inspect any
javascript for encoded stuff.
7.  Check that the plain HTML holding page hasn't been changed. This
gives a reasonable assurance that there is no actual logging in to change
things going on.
8.  Restore the cleaned site
9.  Put in a cron job to flag any filesize changes on core HTML/PHP files
or any javascript
10.  Wait 48 hours
11.  Tell Google it's clean.

I left the cron job running for about three months, and nothing further
unexpected happened: if anything had changed the files again I'd have known.

On a WordPress installation, the 'clear site and rebuild' will probably
mean restoring a clean WordPress and making sure all official updates are
installed, and you can leave the grepping of WordPress-created PHP files
as you won't be reuploading them. Also check your SQL database for any
odd-looking code in text data.

David Aldred
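
One way to build the cron check from step 9, as an added example that is not part of the original post: it records a SHA-256 hash alongside each file size, which goes beyond the size-only check described, so a same-size edit is also flagged. It assumes GNU coreutils (`sha256sum`); the script name and paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils (sha256sum).
# Usage:  site-watch.sh baseline WEBROOT BASELINE_FILE   (once, after step 8)
#         site-watch.sh check    WEBROOT BASELINE_FILE   (from cron)
# site-watch.sh and both paths are hypothetical names.

# Print "size sha256 path" for every HTML/PHP/JS file under $1, sorted by path.
snapshot() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' \
        -o -name '*.php' -o -name '*.js' \) -print | LC_ALL=C sort |
    while IFS= read -r f; do
        size=$(wc -c < "$f" | tr -d ' ')
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$size" "$sum" "$f"
    done
}

# Compare the live tree ($1) with the baseline ($2).
# Prints one ADDED/CHANGED/REMOVED line per difference; returns 1 if any.
check_changes() {
    current=$(mktemp) || return 2
    snapshot "$1" > "$current"
    report=$(awk '
        { path = $0; sub(/^[^ ]+ [^ ]+ /, "", path); sig = $1 " " $2 }
        FILENAME == ARGV[1] { base[path] = sig; next }
        { seen[path] = 1
          if (!(path in base))        print "ADDED " path
          else if (base[path] != sig) print "CHANGED " path }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Dispatch only when called with a subcommand, so the file can also be sourced.
case "${1:-}" in
    baseline) snapshot "$2" > "$3" ;;
    check)    check_changes "$2" "$3" ;;
esac
```

Cron mails whatever a job prints, so a quiet run means nothing changed. Keep the baseline file outside the web root and not writable by the web server account, otherwise whatever rewrites the site files can rewrite the baseline too.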