

Latest website infection




Posted by WeWatch, 05-17-2011, 11:13 AM
We've been seeing more infected websites that, when viewed with a browser, show the following:

The error always appears to show the error on line 11. As of this writing, Google shows 3,570 results for this error message. Some of these have already been flagged with Google's warning: "This site may harm your computer". Some haven't. We've also seen where some of the websites showing for this search term have already been cleaned.

The code that is causing this error is:

The above code is inserted into many, if not all, .php files, which makes clean-up a little difficult.

For this clean-up, you can use grepWin. First you'll have to download all your website files to your local computer. Then, if you're on Windows, you can use grepWin along with this regex search string:

Then set grepWin to scan all files, create a backup, and scan the folder with your downloaded files in it, and hit replace. Then you can copy the new files up to your website.

You're not finished. If you don't close the point of entry, the hackers will be back. Many of the infections we've seen are either the result of stolen FTP passwords or outdated software. Some have been WordPress, Joomla, or osCommerce that have not been properly secured.

I think this will be growing more over the next few days. Update your sites now.

Please post back with a comment if you have anything to add to this or have further questions. Thank you.
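As an added example (not code from the original post, and not grepWin itself), here is a cross-platform stand-in for the clean-up step described above, for anyone who is not on Windows. It walks a local copy of the site, finds PHP files containing an injected line that matches a regex, backs each file up before touching it, strips only the matching line(s), and reports what changed. The post does not reproduce the injected code or the grepWin regex, so INJECTED_PATTERN below is a hypothetical placeholder matching a common shape of PHP-file injection (an eval() of an obfuscated string); the sample files in demo() are constructed for the example.

```python
"""
Added example (not code from the original post, and not grepWin itself): a
cross-platform stand-in for the clean-up step described above. It walks a
local copy of the site, finds PHP files that contain an injected line
matching a regex, backs each file up before touching it, strips only the
matching line(s) and reports what changed.

Assumption: the post does not reproduce the injected code or the grepWin
regex, so INJECTED_PATTERN is a hypothetical placeholder that matches a
common shape of PHP-file injection (eval() of an obfuscated string). Replace
it with the exact string or regex of the infection you are cleaning.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Hypothetical pattern standing in for the real injection signature.
INJECTED_PATTERN = re.compile(
    r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
)
PHP_EXTENSIONS = (".php", ".phtml", ".inc")


def find_infected_lines(text, pattern=INJECTED_PATTERN):
    """Return (line_number, line) for every line of text matching the pattern."""
    return [(n, line) for n, line in enumerate(text.splitlines(keepends=True), 1)
            if pattern.search(line)]


def clean_file(path, pattern=INJECTED_PATTERN, backup_suffix=".bak"):
    """Strip matching lines from one file, keeping a backup; return lines removed."""
    text = path.read_text(encoding="utf-8", errors="surrogateescape")
    hits = find_infected_lines(text, pattern)
    if not hits:
        return 0
    shutil.copy2(path, path.with_name(path.name + backup_suffix))  # backup first
    kept = [line for line in text.splitlines(keepends=True) if not pattern.search(line)]
    path.write_text("".join(kept), encoding="utf-8", errors="surrogateescape")
    return len(hits)


def clean_tree(root, pattern=INJECTED_PATTERN, extensions=PHP_EXTENSIONS):
    """Clean every PHP file under root; return {relative path: lines removed}."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        # Backups end in .bak, so their suffix never matches and they are skipped.
        if path.is_file() and path.suffix.lower() in extensions:
            removed = clean_file(path, pattern)
            if removed:
                report[path.relative_to(root).as_posix()] = removed
    return report


def demo():
    """Build a constructed sample site in a temp dir, clean it, return what happened."""
    root = Path(tempfile.mkdtemp(prefix="site-"))
    # Constructed dummy payload; the real injected code is not reproduced in the post.
    injected = "<?php eval(base64_decode('Li4u')); ?>\n"
    # Nine comment lines after the opening tag put the injection on line 11,
    # mirroring the "error on line 11" symptom described in the post.
    filler = "".join(f"// line {n}\n" for n in range(2, 11))
    (root / "index.php").write_text("<?php\n" + filler + injected + "echo 'home';\n")
    (root / "lib").mkdir()
    (root / "lib" / "config.php").write_text("<?php\n" + injected + "$db = 'x';\n")
    (root / "about.php").write_text("<?php\necho 'about';\n")      # clean file
    (root / "notes.txt").write_text(injected)                       # not PHP: leave alone

    hit_line = find_infected_lines((root / "index.php").read_text())[0][0]
    report = clean_tree(root)
    return {
        "hit_line": hit_line,
        "report": report,
        "index_after": (root / "index.php").read_text(),
        "backup_exists": (root / "index.php.bak").exists(),
        "txt_untouched": (root / "notes.txt").read_text() == injected,
    }


if __name__ == "__main__":
    for rel, n in demo()["report"].items():
        print(f"{rel}: removed {n} injected line(s)")
```

Make the pattern as specific as you can (ideally the exact injected string) before running it over a real site: a loose eval()/base64_decode() match can also hit legitimate, if ugly, code, and the .bak copies are what you diff against when checking that nothing else was touched. As the post says, stripping the line is only the clean-up; the FTP credentials or outdated software that let it in still have to be dealt with.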

Posted by cptechie, 05-17-2011, 11:31 AM
Hello, I would like to know whether Maldetect or Clamscan detect this infection or not.

Posted by WeWatch, 05-17-2011, 11:48 AM
I don't believe so.

Posted by humawebdesign, 05-18-2011, 10:27 AM
Hi, can you share the reason... why you do not believe so?

Posted by WeWatch, 05-18-2011, 10:36 AM
Our testing showed that neither Maldetect nor Clam detected this.

Posted by stardust_x7, 05-18-2011, 12:55 PM
Yes, those are SQL injections; they can't be detected for sure...

Posted by WeWatch, 05-18-2011, 01:33 PM
No it's not sql injection. The actual code, the code in the file on the website has been changed. SQL injection would be if the code were inserted into the SQL table and then when that page is rendered the code would appear. That is not the case with this infection.

Posted by EMBRobert, 05-18-2011, 02:40 PM
I've found this on a couple of sites, however clam did not find the exploit. I understand the function but I do not quite understand where $session_keys comes into play. I see this also is crashing many sites. Maybe session exploit? The sites that I have seen so far, all were storing sessions in mysql.

Posted by FastServ, 05-18-2011, 02:46 PM
That is not entirely correct. SQL injection is a broad term and can be used to modify unescaped queries (to dump particular tables, etc.) and can even include changing and executing arbitrary code and files on the server. I suggest you have a read: http://en.wikipedia.org/wiki/SQL_injection Last edited by FastServ; 05-18-2011 at 02:51 PM.

Posted by WeWatch, 05-18-2011, 03:00 PM
I stand corrected in my response regarding my use of the term SQL injection. However, in the cases we've seen, where we were able to analyze the log files, this was not a case of SQL injection.
