Software follows a life cycle on a computer, which begins with installation and ends in uninstallation. Uninstallation may happen for various reasons: a new version of the software, or freeing disk space for other things. Removing software should be less painful than installing it. Software that is difficult to remove is evil. Viruses and spyware/malware typically make the removal process as painful as possible. Oddly enough, Symantec does the same thing with their consumer-grade “Security Software”.
While working on a computer for a neighbor, I came across a few toolbars and other general junk installed on the computer. Even though toolbars usually are not spyware, there is no reason to have the Google, Yahoo, and Ask toolbars installed, plus a few others. The uninstallers were one- or two-click affairs, pretty standard stuff. Then came the odd software. No one knew what it was, but it was sitting on the installed applications list. Before uninstalling, the user was prompted to fill out a CAPTCHA to prove that they were not a computer. After filling it out, the uninstall process proceeded as usual. A second software package had the same sort of thing, but it was a tad more sophisticated: it had animated noise bars. Either way, why are these software writers afraid of automated removal of their software? It is pretty obvious: they wrote malware.
What did it do? Well, the obvious thing was auto-spawning and eating up 50% of the CPU resources (the system has a Pentium D 820 processor). It disguised itself as Internet Explorer (why anyone still uses IE is beyond comprehension). Additionally, it would cause periodic pop-ups and an odd message alert prompt stating “Windows Explorer” when entering Control Panel.
Seems that the events of early last month did not stop. More and more WordPress users are having issues with malicious iframes being inserted into their blogs. Until now, there were no automated detection and removal tools. Enter Iframe-B-Gone: it’s quick, it’s dirty, but it should do the trick. I’ll get a build up sometime this upcoming weekend, after Beta 3 of Breadcrumb NavXT.
What to expect from Iframe-B-Gone:
Scanning of the wp_posts and other WordPress database tables for iframes.
Notification of locations, with the option to not delete selected “results” (so a legitimate embed is not removed along with the injected ones).
Note that fixing hacked themes is beyond the scope of this plug-in; for that, manual searching and removal is necessary, and those familiar with the terminal shouldn’t have a difficult time figuring out the quick way of searching for strings in files contained within a folder.
The patient is recovering from the operation and doing well; we’re surprised it held up to that attack. The bullets were removed, and the surgeon decided to do a little liposuction while he was operating. Now that the patient is all sewn up, it’s time to step back and look at what happened.
The Weblogs.us server suffered a massive attack sometime between the 26th of October and the first week of November. Many blogs hosted by Weblogs.us were affected by the attack, which involved SQL injection as mentioned in the previous post. This was a spam sort of attack, not a delete/drop-tables attack. Though the damage was extensive, not every blog was affected. Additionally, the attack was not limited to the WordPress blogs hosted by Weblogs.us; some of the old Movable Type blogs were affected as well. This means some passwords were compromised; because of this, global password changes may be coming later this week. JD, when looking at the extent of the damage, was surprised the database server survived the attack (it was that bad, and there were that many malicious entries).
What the attack did was insert iframes pointing to googlerank.info/counter, hidden with the CSS declaration display:none;. These appeared at the bottom of every page, and were also cleverly added to some blogroll links, with a fake, hidden <a href inserted after the iframe so that the rendered HTML stayed valid. Googlerank.info is a known malware site that preys on users of Internet Explorer. Since Firefox and other modern browsers are not affected by this site, the Russian owners started showing them a fake 404 page that they ripped from Google. Hopefully, the owners of that site will meet an untimely death.
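To make the Iframe-B-Gone feature list above and the payload just described concrete, here is an added example (my own code, not the plug-in and not anything recovered from the Weblogs.us server). It runs the scan over in-memory rows shaped like WordPress table rows instead of a live database, reports where each iframe sits and whether it is hidden, cuts out every reported frame except the ones the operator chooses to keep, and flags URL columns (blogroll links) that still contain markup afterwards, since the fake <a href left behind needs hand repair. The sample rows, the exact layout of the blogroll trick, and the example.com embed are constructed assumptions for the demo.

```python
"""Hidden-iframe finder/cleaner for WordPress-style rows (added example)."""
import os
import re
from dataclasses import dataclass

# A full <iframe ...>...</iframe>, or a lone/self-closing <iframe ...>.
IFRAME_RE = re.compile(
    r"<iframe\b[^>]*>.*?</iframe\s*>|<iframe\b[^>]*/?>", re.IGNORECASE | re.DOTALL
)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Tricks used to keep an injected frame out of sight.
HIDDEN_RE = re.compile(
    r"""display\s*:\s*none|visibility\s*:\s*hidden|\b(?:width|height)\s*=\s*["']?0\b""",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    table: str      # table name (or file path for scan_files)
    row_id: int     # primary key (0 for files)
    column: str
    start: int      # offset of the iframe inside the column's content
    end: int
    src: str
    hidden: bool

    @property
    def key(self):
        return (self.table, self.row_id, self.column, self.start)


def find_iframes(content):
    """Yield (start, end, src, hidden) for every iframe in a string."""
    for m in IFRAME_RE.finditer(content):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        yield m.start(), m.end(), (src.group(1) if src else ""), bool(HIDDEN_RE.search(tag))


def scan_rows(rows):
    """Report every iframe in a list of (table, row_id, column, content) rows."""
    return [Finding(t, i, c, s, e, src, hid)
            for t, i, c, content in rows
            for s, e, src, hid in find_iframes(content)]


def clean_rows(rows, findings, keep=()):
    """Return new rows with every reported iframe cut out, except findings
    whose key is in `keep` (the "do not delete this result" option)."""
    keep = set(keep)
    by_row = {}
    for f in findings:
        if f.key not in keep:
            by_row.setdefault((f.table, f.row_id, f.column), []).append(f)
    cleaned = []
    for table, row_id, column, content in rows:
        # Cut from the end so earlier offsets stay valid.
        for f in sorted(by_row.get((table, row_id, column), []),
                        key=lambda f: f.start, reverse=True):
            content = content[:f.start] + content[f.end:]
        cleaned.append((table, row_id, column, content))
    return cleaned


URL_COLUMNS = {"link_url", "guid", "comment_author_url"}


def broken_url_columns(rows):
    """Columns that should hold a bare URL but still contain markup characters,
    e.g. the fake <a href=" left behind after a blogroll iframe is cut out.
    These need hand repair; an automated cut is not safe there."""
    return [(t, i, c) for t, i, c, content in rows
            if c in URL_COLUMNS and re.search(r'[<>"\']', content)]


def scan_files(root, exts=(".php", ".html", ".js")):
    """The same check over theme/plug-in files under `root`."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                findings += [Finding(path, 0, "file", s, e, src, hid)
                             for s, e, src, hid in find_iframes(text)]
    return findings


# Constructed sample rows (not real data from the hacked server).
PAYLOAD = '<iframe src="http://googlerank.info/counter" style="display:none;"></iframe>'
SAMPLE_ROWS = [
    ("wp_posts", 12, "post_content", "<p>Hello world.</p>" + PAYLOAD),
    ("wp_posts", 13, "post_content", "<p>A legitimate embed: "
     '<iframe src="http://example.com/player" width="425" height="350"></iframe></p>'),
    ("wp_posts", 14, "post_content", "<p>Untouched draft.</p>"),
    # Blogroll entry: the URL is broken out of with "> and closed again with a
    # fake <a href=" so the rendered HTML stays valid (assumed layout of the trick).
    ("wp_links", 4, "link_url", 'http://www.alistapart.com/">' + PAYLOAD + '<a href="'),
]

if __name__ == "__main__":
    found = scan_rows(SAMPLE_ROWS)
    for f in found:
        print(f"{f.table}#{f.row_id}.{f.column}@{f.start}: src={f.src} hidden={f.hidden}")
    keep = {f.key for f in found if not f.hidden}   # operator keeps the visible embed
    fixed = clean_rows(SAMPLE_ROWS, found, keep)
    print("still need hand repair:", broken_url_columns(fixed))
```

Running it reports three iframes, two of them hidden; cleaning with the visible embed on the keep list leaves post 12 and post 13 intact and flags wp_links row 4 for manual repair, because the injected `"><a href="` fragment is still sitting in the URL column after the frame itself is gone.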
But the storm is not over yet; someone with malicious intent has been searching Google with the query:
intext:”leave a reply” intext:”Mail (will not be published) (required)” intext:”Responses to” site:us
This is a quick and dirty way to harvest many sites that run WordPress. I have little doubt that the intent of the individual that submitted that query is malicious (either intent to spam or to hack). Thus that IP address will be blocked in the Weblogs.us firewall indefinitely.
Someone, via a SQL injection, infected this blog with an iframe linking to http://googlerank.info/counter on every one of the pages. The location was at the very bottom of the post, and thanks to a tip from a visitor this was discovered last Sunday. Additionally, an iframe was located in the link to A List Apart. These were all removed on Sunday as the investigation began. The fool that placed the code even placed it on drafts and protected pages, which is a clear sign of a SQL injection by a script (kiddy).
The logs are being checked, passwords changed, and software updated. Additionally, a nice CSS entry will now highlight any iframes on this page for anyone that isn’t using IE6 (IE7 should work). If you see a big red box with a dashed black border on this site, let me know, as that is an iframe and should not be there. The kiddy will be caught and I’ll make sure his life is ruined.