Our little Chinese friend…
As you may have seen, in the last couple of days this blog was inactive or being moved… All this happened due to a possible attack on my previous hosting provider. I say possible because I imagined multiple scenarios in which it could have happened.
You’re not my friend!
At first, when I saw maliciously injected iframes in my websites, I thought it might have been a targeted attack. One reason I supposed this was that other websites found on the same IP weren’t affected, or at least that was how it looked at first. This wouldn’t have been so strange, because I (and my coworker) manage these websites, and he stores the passwords in the FTP clients he uses and has no antivirus (that had to be mentioned).
After looking at more websites that have been on the same IP address, I came across other infected ones… So my first theory was dismissed, along with the pleasure I would have had blaming my colleague.
WordPress, is that you?
The second thing I suspected was some WordPress plugin, because almost all of the sites that were infected had WordPress on them (even those that didn’t belong to us), so maybe there was some piece of PHP code in some plugin that could have started the whole infection…
I downloaded a sample installation from the server and started grepping it. The first thing that popped up was that pluggable.php was also infected (I forgot to mention, but the iframes were attached to index.php and index.html files)… but nothing else, so I came to my third and final scenario.
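The grep the post describes, turned into a small triage scanner. This is an added example, not code from the original post: it walks a web root, looks only at .php/.html/.htm files (the index.php, index.html and pluggable.php carriers mentioned above), and reports every file containing an iframe styled to be invisible, together with the file's SHA-256 so the same injected copy can be recognised across accounts. The sample files it builds under a temporary directory and the `injected.invalid` hostname are constructed for the demonstration.

```python
"""Triage scanner for hidden <iframe> injections in a web root (added example)."""
import hashlib
import os
import re
import tempfile

# Extensions the post reports as carriers of the injected iframe.
SCAN_EXTENSIONS = {".php", ".html", ".htm"}

# Any <iframe ...> tag; its attribute string is inspected separately.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)

# Attribute patterns that make an iframe invisible to visitors, the usual sign of an injection.
HIDDEN_PATTERNS = [
    re.compile(r"\bwidth\s*[=:]\s*[\"']?\s*[01](px)?\b", re.IGNORECASE),
    re.compile(r"\bheight\s*[=:]\s*[\"']?\s*[01](px)?\b", re.IGNORECASE),
    re.compile(r"display\s*:\s*none", re.IGNORECASE),
    re.compile(r"visibility\s*:\s*hidden", re.IGNORECASE),
    re.compile(r"position\s*:\s*absolute[^\"']*(left|top)\s*:\s*-\d+", re.IGNORECASE),
]


def hidden_iframes(text):
    """Return the attribute string of every <iframe> in text that is styled to be invisible."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        attrs = m.group(1)
        if any(p.search(attrs) for p in HIDDEN_PATTERNS):
            hits.append(attrs.strip())
    return hits


def scan_tree(root):
    """Walk root and return sorted (relative path, sha256, [iframe attrs]) tuples for infected files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            hits = hidden_iframes(data.decode("utf-8", errors="replace"))
            if hits:
                rel = os.path.relpath(path, root)
                findings.append((rel, hashlib.sha256(data).hexdigest(), hits))
    return sorted(findings)


def build_sample_root():
    """Create a constructed WordPress-like tree: two injected files, one clean, one not scanned."""
    root = tempfile.mkdtemp(prefix="iframe-scan-")
    os.makedirs(os.path.join(root, "wp-includes"))
    samples = {
        # Clean: a visible, legitimately embedded iframe.
        "index.php": '<?php get_header(); ?>\n<iframe src="https://example.com/embed" '
                     'width="600" height="400"></iframe>\n',
        # Injected: zero-size iframe appended to the page (constructed hostname).
        "index.html": '<html><body>ok</body></html>\n<iframe src="http://injected.invalid/in.cgi" '
                      'width=0 height=0 style="visibility:hidden"></iframe>\n',
        # Injected: the pluggable.php carrier the post mentions.
        os.path.join("wp-includes", "pluggable.php"):
            '<?php function wp_mail() {} ?>\n<iframe src="http://injected.invalid/x" '
            'width="1" height="1" style="display:none"></iframe>\n',
        # Not scanned: extension outside SCAN_EXTENSIONS.
        "readme.txt": '<iframe width=0 height=0 src="http://injected.invalid/y"></iframe>\n',
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, digest, hits in scan_tree(build_sample_root()):
        print(f"{rel}\n  sha256={digest}\n  iframes={hits}")
```

Run as-is it scans the constructed tree and prints the two injected files; point `scan_tree` at a real document root to triage an account. Identical SHA-256 values across accounts on the same server are the quickest indication that a single injector, rather than one compromised site, wrote the files.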
It’s your fault!
With the above scenarios ruled out, my last thought was a server exploitation. So I submitted a ticket demanding some information regarding this issue, which came with a poor response (and the reason I switched hosters):
—

—
No hard feelings, I always accept suggestions, but we were not talking only about my account (I mentioned others were affected as well), so I requested a grep on the websites; maybe they could have found out whether it was a local attack… but I was disappointed again:
—

—
No, thank you, and kudos to the Chinese guy who did this… Later on I found out that the mass injection compromised more than twenty thousand websites, and I suspect that my former hoster may also have been under that attack.