My site has been flagged as a malware site. This is quite distressing, but the hack has been found and killed, and I'm just waiting for a review to remove the flag. In the meantime, for anybody interested, here's what I found and how I fixed it.

The first step was to examine the Google malware diagnostic page for the site:

Google Malware Diagnostic for webdeveloper2.com

The pertinent bit here is the line:

Malicious software is hosted on 1 domain(s), including crocro.biz/.

I used Firebug to examine the DOM of my loaded page, and sure enough there was a script tag pointing to a file hosted on the crocro.biz domain, followed by a hidden iframe element which had been generated by that script. I'd found the results of the hack; now I needed to find the root of the problem.

Thankfully a quick bit of Googling landed me at the Unmask Parasites blog, where the post Pqshow .org Scripts – New Plague On MediaTemple Sites explained what to look for and how to help protect against further attacks.

The hack inserts some script into an existing JavaScript file. Unfortunately I had no idea which one. I found this handy plugin, Exploit Scanner, which checks all of your site files for potential hacks. It doesn't fix anything, but it can narrow down the number of places to look. This still left me with nearly 100 files to check, so I went with a hunch.

Unmask Parasites stated that the malicious code starts with:

var st1 = 0;document.write(...

so I figured that if the script was injected with document.write, then the most likely infected script would be the one which appeared immediately before the offending script tag in the DOM.

Sure enough, when I checked that script (added by a WordPress plugin which I won't name, as the infection had nothing to do with the plugin itself) the malicious script had been added right at the start of the file. I trimmed the offending code out of the script and loaded a previously infected page to check the DOM. Sure enough the malware was dead, but there were still a couple of things left to do:

  1. Request a rescan from Google, done through the webmaster tools.
  2. Set all of the JavaScript files on my site read-only.

I hope anybody else who falls victim to this hack will find this page useful.
