On 6 April 2008, this site, when it was on another hosting service, was attacked and an <iFrame tag appended to every php and html file on the site. The <iFrame tag pointed back to the following domains:
cdpuvbhfzz(dot)com
ccfelomvhk(dot)com
The attack was apparently perpetrated because two php.ini parameters were left that allow exploits:
allow_url_fopen = on
register_globals = on
These settings have now been changed to OFF.
The attack also placed php code in a jpg file and a few of the changes were set to check to see if the tags were removed and if so, caused this code to be executed to reinfect the site. The permissions of all html and php files may also have been changed to 777 from the normal 644.
This attack might never have been noticed, except that WordPress and Calendar showed the effects. WordPress crashed and Calendar showed an error message at the top of the page. The other subsystems, Coppermine and SMF, showed only very small frames, 1 pixel square, at the bottom of the page.
The databases of my site were apparently not modified.
Total time to backup, diagnose and reload the site so far as been about 12 hours.
Much of the work was manual using FileZilla, directory by directory to set permissions and to upload the php and html files. If this happens again, tools will be found or built to fix the site more efficiently.
Here is an archive of the nasty bits that were used to infect my site. These do not include the code that used the exploit. This has been posted in the hope that it will help those who want to help stop these attacks.
A search of the web indicates that these attacks have been going on since March 2008 and that they are some sort of phishing expedition, although no specific information was included in the posts found, about how someone might have used this code to do anything useful or criminal, outside of destroying a site when the subsystem is not tolerant of the changes.
It would be interesting to see the authorities track down the perpetrators and shutdown these domains. As of this moment, 19 April 2008, these domains are still active.
– Windy
Windy Weather 