Monday, January 26, 2009

Pinoc worm web site cleanup and cure

I apologize that this post is fragmentary. I lost much of the info before I got it posted.

My engineering and software web site http://www.hawsedc.com kept getting infected by a "pinoc" worm or virus that would insert html into my pages, and then Norton Antivirus would tell visitors that my site was bad.


The HTML that was getting added to my site included blockquote and iframe tags with the following contents: src="http://wsx3host.net/count.php?o=2" style="" marginheight="0" marginwidth="0" scrolling="no" frameborder="0" height="0" width="0"

src="http://msn-analytics.net/count.php?o=2" style="" marginheight="0" marginwidth="0" scrolling="no" frameborder="0" height="0" width="0"

or this:

src="http://wsx3host.net/count.php?o=2" style="" marginheight="0" marginwidth="0" scrolling="no" frameborder="0" height="0" width="0"
src="http://msn-analytics.net/count.php?o=2" style="" marginheight="0" marginwidth="0" scrolling="no" frameborder="0" height="0" width="0"

To fix it every time, I would log into my Linux host account shell and run scripts like this:

find /home/jconstru/public_html/ -type f | egrep '\.php$|\.phtml$|\.htm$|\.html$' | xargs perl -pi -e 's/the offending code

Then I would check that there were no more infected files using this command:

find /home/jconstru/public_html/ -type f | egrep '\.php$|\.phtml$|\.htm$|\.html$' | xargs grep -li "wsx3host"

When I finally got sick of cleaning up the infection, and I realized I wasn't going to stop being infected, I went hunting for my vulnerability. What I finally found was a PHP script I had written to display a plain text file, converting its carriage returns to HTML breaks.
