[Nottingham] A Google Webmaster Scam?
Martin
martin at ml1.co.uk
Thu Dec 20 00:19:25 UTC 2012
Folks,
OK, so no scam from Google other than their merry trip through their
systems instead of just simply listing the problem in the first place.
Thanks to them for finding the malware redirection. However, rather an
irksome merry goose chase for not listing the exact problem in the first
place!
So, it looks like the NLUG site got hit with an uploaded file "auth.php"
into the users upload area some time ago:
65K 2012-07-21 21:37 auth.php
The date is confirmed by the surrounding backups.
The site is left 'read-only' except for the brief window during
updates... The "iframe redirection" to "ozecqnxm.qhigh.com" insertion
into the .js files was noticed recently and fits with the dates on those
files:
2012-12-17 22:01
Which is about the time I did the latest update... Confirmed by the
previous backup being clear and the following backup showing the .js
malware modifications.
ALL the .js files in the website were hit.
So far, I've moved the auth.php out of the way, and sed has cleaned all
the .js files
The database looks clean unless there is nefarious obfuscation in there.
I am checking further to see how well the linux permissions contained
the damage, or not...
Comments and observations welcomed. Sorry for any problems caused by the
scumbag infiltrators.
Cheers,
Martin
--
- ------------------ - ----------------------------------------
- Martin Lomas - OpenPGP (GPG/PGP) Public Key: 0xCEE1D3B7
- martin @ ml1 co uk - Import from hkp://subkeys.pgp.net or
- ------------------ - http:// ml1 .co .uk/martin_ml1_co_uk.gpg
More information about the Nottingham
mailing list