Written By: lprent - Date published: 2:25 pm, October 5th, 2008 - 10 comments
Categories: admin -
Tags: geek, malware, wordpress
After a lot of work, helped both by a few e-mails from people here and by the good services of some people on nz.comp (Google seems to be a little behind on the messages), I finally found the link to the malware site that had attached itself to the site footer.
The material that it was trying to introduce to people reading the site may include various forms of backdoors. It would be advisable to run a good virus scan on your system if you have read the site in the last couple of weeks. Corporate systems shouldn’t have had an issue because the site it was linking to has been a well known Chinese malware site for a long time.
The anti-virus/malware scans missed it at the server because it was a new variant of an old problem (the same one I had in March), targeted specifically at WordPress sites using what is evidently still an open vulnerability. My own checking of the site missed it because it had managed to leave all of the file attributes of the file (size, times, etc) exactly the same as the originals. My attempts to see what people were reporting had failed because it only emitted the malware link periodically. A dump of the web page at the client side by Stephen Worthington allowed me to see exactly what it was doing.
The vulnerability it was exploiting was meant to have been fixed in WordPress 2.5, however they seem to have found another vulnerability. The downside of having open source software is that it is possible to read the code looking for holes. I’ve done some things to reduce possible problems, but I now have an MD5 hash check of the files running periodically, which will fix the problem if it happens again. I’ve also reported the details to WordPress and a couple of other sites.
But there are some very creative people out there writing this stuff, and evidently this site is popular with them.
Lynn
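The periodic hash check described in the post is the right response to a tamper that leaves size and timestamps intact, because a content digest cannot be preserved that way. The following is an added example, not code from the original post or from WordPress: it uses SHA-256 where the post mentions MD5, and the footer.php scenario in demo() is constructed to show the same-size, same-mtime edit being caught.

```python
import hashlib
import os
import tempfile

def file_hash(path):
    # SHA-256 of the whole file; the post used MD5, SHA-256 is this example's choice
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    # Map relative path -> (digest, size, mtime_ns) for every regular file under root
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            baseline[os.path.relpath(path, root)] = (file_hash(path), st.st_size, st.st_mtime_ns)
    return baseline

def verify(root, baseline):
    # Return (relative path, finding) pairs; the digest decides, size and mtime only annotate
    findings, seen = [], set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            seen.add(rel)
            if rel not in baseline:
                findings.append((rel, "new file"))
                continue
            digest, size, mtime_ns = baseline[rel]
            st = os.stat(path)
            if file_hash(path) != digest:
                untouched = st.st_size == size and st.st_mtime_ns == mtime_ns
                findings.append((rel, "content changed" + (", size and mtime preserved" if untouched else "")))
    findings.extend((rel, "missing") for rel in sorted(baseline.keys() - seen))
    return findings

def demo():
    # Constructed scenario: a same-length edit to a theme file with the old timestamp put back
    with tempfile.TemporaryDirectory() as root:
        footer = os.path.join(root, "footer.php")  # constructed sample theme file
        with open(footer, "w") as f:
            f.write("<?php wp_footer(); ?>\n")
        st = os.stat(footer)
        baseline = build_baseline(root)
        with open(footer, "w") as f:
            f.write("<?php wp_fooTer(); ?>\n")  # same byte length as the original
        os.utime(footer, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore the recorded mtime
        return verify(root, baseline)
```

Store the baseline off the web server (or at least outside the document root), since a baseline the attacker can rewrite alongside the files proves nothing.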
Oh hurrah!
if you have read the site in the last couple of weeks.
Once or twice…
So, do you have any idea as to what to look for (by way of backdoor payloads) on our systems? What files where?
Is MacOS X affected?
Mostly what it did was to set a cookie on thestandard.org.nz with the name ‘yagh’. It then attempted to bring in links from a site in china. Which then branched off into other sites (about 15). It did it once and then stopped doing it – the code said that it only did it if the cookie wasn’t present.
I have a log (on the nz.comp) of what it was trying to do in one instance – starts at gstats (dot) com. I’m not too sure exactly what in the hell it was doing (and I’m unwilling to go to the sites to find out).
Most of them are probably just trying to raise the google rank. But it is a good bet that at least some of them tried to install something.
I’ve never seen any of this going on. I got the cookie but got silent blocking on the rest. When I cleared the cookie and made the AV non-silent, then I got a series of malware site warnings.
That’s also the upside. I suspect that there are more people reading the code who will be honest and report, and possibly fix, the vulnerability than will be people looking for a back door.
It hit me and I ran screaming (well, figuratively) away and ran various checks which came up with nothing. But I’ll do it again now I have some idea of what to look for.
Thanks for your sterling efforts, Lynn. You really should have some sort of mask, cape, and maybe a lycra suit (I’m sure Michael Laws can spare one from his wardrobe).
As an aside, I can understand spending time on creating these annoyances to gain something (e.g. a higher Google ranking, which = hits which, they hope, = money). But I’ve never got my head round the idiots who merely create destruction. I mean yes, we know Microsoft is the Evil Empire with buggy software and more holes than a pole dancer’s crotch piece. Unleashing yet another piece of malware isn’t telling us anything new :-/
Thank you Lyn. I was frightened as I thought I had been hit up the backdoor by some nasty thing.
Hi dad.
(duplicate could be removed – ta)
Mostly what it did was to set a cookie on thestandard.org.nz with the name ‘yagh’.
Mine has ‘yahg’ so I’m guessing your typo above. Thanks, and let us know if anything crops up that we should be testing for / looking out for.
Treat it as a perverse compliment – we must be doing something right.
MacOS X is based on a version of BDS Linux and should not be affected.
Fine Hacking, Lynn ..
Yes (BSD Unix) that means we’re almost certainly safe, given that most malware targets the Windows monoculture, but you never know. I had a Mac virus once back in 1993, so anything’s possible, one day I might get another…
I was frightened as I thought I had been hit up the backdoor by some nasty thing.
Giggity Giggity!!! Oh yeah…
Quagmire is my hero