jamesdowallen

New Member
I just discovered that my own website was infested with malware, though I'd received no complaints. That's why I joined this forum just now: I wonder what this malware is.
The hacking is complex enough to make me think it was done manually, not by any bot.

The home page had been changed from 'htm' to 'phtml' with an include line added at the beginning. The include pointed to a file I've left intact for your inspection:
fabpedigree.com/scott/spinner.gif
Despite the '.gif', this is a php script, not a gif. What does the script do?

Please feel free to send answers to my personal Gmail account, same as my name:

jamesdowallen
 
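A defender-side check for the two artefacts described in the post above (an index file rewritten to include a script, and a PHP script stored under a .gif name). This is an added example, not the poster's code; the sample web root, the placeholder file contents and the extension lists are constructed assumptions.

```python
import os
import re
import tempfile

# Image extensions under which a PHP script is sometimes hidden (assumed list).
IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png"}
# Any PHP open tag inside a file that claims to be an image is suspicious.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# include/require whose target carries an image extension, e.g. include("scott/spinner.gif")
INCLUDE_RE = re.compile(
    r"\b(include|require)(_once)?\s*\(?\s*['\"]([^'\"]+\.(gif|jpe?g|png))['\"]",
    re.IGNORECASE,
)

def scan_webroot(root):
    """Return (fake_images, suspicious_includes) found under root.

    fake_images: relative paths of image-named files containing a PHP open tag.
    suspicious_includes: (relative path, target) for include/require of an image file.
    """
    fake_images, suspicious_includes = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if ext in IMAGE_EXTS and PHP_TAG.search(data):
                fake_images.append(rel)
            elif ext in {".php", ".phtml", ".htm", ".html"}:
                for m in INCLUDE_RE.finditer(data.decode("utf-8", "replace")):
                    suspicious_includes.append((rel, m.group(3)))
    return sorted(fake_images), sorted(suspicious_includes)

def build_sample_webroot():
    """Constructed sample tree mirroring the thread's description; not real data."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "scott"))
    with open(os.path.join(root, "index.phtml"), "w") as fh:
        fh.write('<?php include("scott/spinner.gif"); ?>\n<html><body>Home</body></html>\n')
    with open(os.path.join(root, "scott", "spinner.gif"), "wb") as fh:
        fh.write(b"<?php /* placeholder standing in for the disguised script */ ?>\n")
    with open(os.path.join(root, "logo.gif"), "wb") as fh:
        fh.write(b"GIF89a" + bytes(16))  # a genuine GIF header, should not be flagged
    return root

if __name__ == "__main__":
    print(scan_webroot(build_sample_webroot()))
```

The real GIF is left alone because the check keys on file content rather than the name; on a live site, run it from a clean machine against a fresh copy of the web root.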

jamesdowallen

New Member
My hosting service (Lunarpages) is sending me helpful email. They recommend I download a malware scanner from https://housecall.trendmicro.com/
Yet when I click on that URL, Firefox says "Warning: Potential Security Risk Ahead ... Firefox does not trust this site because it uses a certificate that is not valid for housecall.trendmicro.com. The certificate is only valid for the following names: a248.e.akamai.net, *.akamaihd.net, *.akamaized-staging.net, *.akamaihd-staging.net, *.akamaized.net"

Probably no problem, but it seems odd a company specializing in security would have this flaw. So I've not gone to that page yet.

What is frightening about this hack is that it really looks like the hack was done manually. Did someone use a sniffer to get my password? What is their purpose? It would be really nice to get a report on what that malware file (scott/spinner.gif) is doing.
 

jamesdowallen

New Member
UPDATE: My host admin pointed me to another malware file. I logged in to look around ... and immediately found that the index.phtml hijack had been reinstalled just a few hours ago! Still pointing to scott/spinner.gif. So I've removed that file. (Email me at Gmail to see its contents.)

The two malware php scripts were different, but Googling their encrypted code led me to some answers. Below are the strings I searched for and some of the Google hits.

CQ9jnUNtDTIlpz9lK3WypT9lqTyhMluSK0IFHx9FXGgNnJ5cK3AyqPtaMTympTkurI9ypaWipaZaYPqCMzLaXGgN
Japanese Backdoor WordPress Hack | Astra Website Security

basename(trim(preg_replace(rawurldecode("%2F%5C%28.%2A%24%2F")

How do they get in? Just now I used another machine to change my passwords ...