[Nottingham] A Google Webmaster Scam?

Martin martin at ml1.co.uk
Wed Dec 19 18:42:54 UTC 2012

On 19/12/12 18:05, David Aldred wrote:
> Martin, I saw a similar 'infection' 2-3 years ago on a site which I had
> a hand in, but didn't actually manage (until this happened, when the
> usual site maintainer panicked!)
> The first step was to delete the offending javascript.   It promptly
> came back.   I then identified a separate javascript file containing a

Thanks for all that.

Well... I've found a rather suspicious and very nasty looking out of
place "auth.php" script in the uploads area... Now removed for further
looking at later.

There's now a sed going through all the .js files to remove the
offending redirection.

A check on dates and the route inwards will come later.

So far, the site still works despite the sed rifling through everything!

I've also got a before backups and an after backup for a good comparison.

All irksome sneaky stuff!

More details after the Christmas Nosh!


- ------------------ - ----------------------------------------
-    Martin Lomas    - OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7
- martin @ ml1 co uk - Import from   hkp://subkeys.pgp.net   or
- ------------------ - http:// ml1 .co .uk/martin_ml1_co_uk.gpg

More information about the Nottingham mailing list