[Nottingham] A Google Webmaster Scam?

Martin martin at ml1.co.uk
Thu Dec 20 00:19:25 UTC 2012


OK, so no scam from Google other than their merry trip through their
systems instead of just simply listing the problem in the first place.

Thanks to them for finding the malware redirection. However, rather an
irksome merry goose chase for not listing the exact problem in the first

So, it looks like the NLUG site got hit with an uploaded file "auth.php"
into the users upload area some time ago:

65K 2012-07-21 21:37 auth.php

The date is confirmed by the surrounding backups.

The site is left 'read-only' except for the brief window during
updates... The "iframe redirection" to "ozecqnxm.qhigh.com" insertion
into the .js files was noticed recently and fits with the dates on those

2012-12-17 22:01

Which is about the time I did the latest update... Confirmed by the
previous backup being clear and the following backup showing the .js
malware modifications.

ALL the .js files in the website were hit.

So far, I've moved the auth.php out of the way, and sed has cleaned all
the .js files

The database looks clean unless there is nefarious obfuscation in there.

I am checking further to see how well the linux permissions contained
the damage, or not...

Comments and observations welcomed. Sorry for any problems caused by the
scumbag infiltrators.


- ------------------ - ----------------------------------------
-    Martin Lomas    - OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7
- martin @ ml1 co uk - Import from   hkp://subkeys.pgp.net   or
- ------------------ - http:// ml1 .co .uk/martin_ml1_co_uk.gpg

More information about the Nottingham mailing list