[Novalug] php vulnerability is affecting my web pages at remote host

John Warren jpwarren00@gmail.com
Tue May 15 09:55:01 EDT 2012


I've found malware scripts are often double hex encoded; you might want to
try that tack to decode what it is doing.

On Mon, May 14, 2012 at 4:54 PM, Bonnie Dalzell <bdalzell@qis.net> wrote:

>
>
> i got a message from the IHP i use
>
> <quote>
>
> There has been a zero day security vulnerability announced when running
> php as cgi. It appears
> that this is an issue in most versions of PHP.
>
> Here is the announcement from php.net
>
> http://www.php.net/archive/2012.php#id2012-05-03-1
>
> We are patching all shared hosting servers. All dedicated servers should
> also be patched if
> they run php as cgi.
>
> </quote>
>
> this is a real message not some sort of spam or phishing thing. i checked
> with them by phone
>
>
> although almost all of my sites use plain vanilla html each index.html
> page has had a malware script inserted just after the <body> tag
>
> the malware script has a big chunk of what looks like machine code in it.
>
> i can send a copy as a tar.bz file to anyone with an especial interest in
> this problem. so far we have not seen the malware script in a web page
> do anything to a linux or mac machine but I send a copy to a friend
> of mine who does some security work for the DOD and it was sent as a
> tar.bz file. when he unpacked it from a windows machine and looked at it
> in notepad things seemed ok but when he tried to delete the file he told
> me that Micro$oft word attempted to open and execute the file.
>
> when I visited the infected webpages with safari from a mac or firefox
> from linux I did not get any sort of warning that there was malware but a
> friend using windows had the browser report that the page should not
> be opened.
>
> last night I took the infected index.html files for my 23 sites and using
> gedit deleted the malware script and uploaded clean copies of
> the various index.html files but by 6AM this morning they had been
> reinfected according to the time stamps for the last change. I have
> reuploaded clean versions again a couple of hours ago. need to check for
> re-infection.
>
> i am going to delete the dokuwiki blogs from the remote site
>
>
> in some cases the remote file permissions and file date were changed on
> the pages (permissions to things like rw-rw-rw or rwxrwxrwx). in other
> cases no change in file permissions and the time stamps were very old
>
> all the sites with index.html pages were infected but not the
> sites with index.shtml pages
>
> in addition the two sites with installations of the dokuwiki blog
> software installed had the index.php infected.
>
> comments, etc
>
> anyone else having problems with their websites or sites they visit?
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>                        Bonnie Dalzell, MA
> mail:PO box 9767 Baldwin, MD, USA 21013  |  EMAIL:bdalzell@qis.net
> shipping address:5100 Hydes Rd 21082 (Hydes Post Office closed Jan 2012)
> Freelance anatomist, vertebrate paleontologist, writer, illustrator, dog
> breeder, computer nerd & iconoclast... Borzoi info at www.borzois.com.
> HOME www.batw.net    ART bdalzellart.batw.net  BUSINESS
> www.boardingatwedge.com
>
> _______________________________________________
> Novalug mailing list
> Novalug@calypso.tux.org
> http://calypso.tux.org/mailman/listinfo/novalug
>
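The thread makes two practical points: John's suggestion that the injected script is likely double hex encoded and should be decoded to see what it does, and Bonnie's description of the infection (a script inserted directly after the `<body>` tag, files reinfected within hours, and permissions sometimes flipped to rw-rw-rw). The Python script below is an added example written for this archive page; it is not code from either poster. It builds a constructed, harmless sample page (not the real injected script), finds the script that sits right after `<body>`, peels hex layers off the blob until the text stops decoding as hex (which is what makes "double hex" visible without guessing the depth), and reports whether the file is world writable. The function names, the 40-digit minimum for a hex run, and the sample page are all assumptions of this example.

```python
import os
import re
import stat
import tempfile

# Constructed sample payload (not real malware): the inner JavaScript is hex
# encoded, and the resulting hex string is hex encoded a second time.
INNER_JS = "/* constructed inner script */ var marker = 1;"
DOUBLE_HEX = INNER_JS.encode("ascii").hex().encode("ascii").hex()

# Constructed sample page: a script inserted directly after the <body> tag,
# which is where the infection described on the list was found.
SAMPLE_HTML = f"""<html><head><title>constructed sample</title></head>
<body><script>eval(unhex(unhex("{DOUBLE_HEX}")));</script>
<p>Original page content.</p>
</body></html>
"""

# A run of at least 40 hex digits is treated as a candidate encoded blob
# (assumed threshold; short runs are usually ids or colours, not payloads).
HEX_BLOB = re.compile(r"[0-9a-fA-F]{40,}")
AFTER_BODY_SCRIPT = re.compile(r"<body[^>]*>\s*<script[^>]*>(.*?)</script>", re.S | re.I)


def hex_layers(blob: str, max_layers: int = 4) -> list[str]:
    """Peel hex encoding repeatedly and return every decoded layer.

    Stops at the first layer that is not valid hex text, so a double hex
    blob yields two layers: the inner hex string, then the plain script."""
    layers = []
    current = blob
    for _ in range(max_layers):
        try:
            decoded = bytes.fromhex(current).decode("ascii")
        except ValueError:  # odd length, non-hex chars, or non-ASCII result
            break
        layers.append(decoded)
        current = decoded
    return layers


def injected_scripts(html: str) -> list[str]:
    """Return the bodies of <script> blocks sitting directly after <body>."""
    return [m.group(1) for m in AFTER_BODY_SCRIPT.finditer(html)]


def decode_payloads(script_src: str) -> dict[str, list[str]]:
    """Map every long hex blob found in a script to its peeled layers."""
    return {blob: hex_layers(blob) for blob in HEX_BLOB.findall(script_src)}


def is_world_writable(path: str) -> bool:
    """True when the 'other' write bit is set (the rw-rw-rw case)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def triage(path: str) -> dict:
    """Triage one page: injected scripts, their decoded layers, permissions
    and mtime, so reinfection can be spotted by comparing successive runs."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        html = fh.read()
    scripts = injected_scripts(html)
    return {
        "path": path,
        "injected": len(scripts),
        "payloads": [decode_payloads(s) for s in scripts],
        "world_writable": is_world_writable(path),
        "mtime": os.stat(path).st_mtime,
    }


def write_sample(directory: str) -> str:
    """Write the constructed sample page with 0666 (rw-rw-rw) permissions."""
    path = os.path.join(directory, "index.html")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_HTML)
    os.chmod(path, 0o666)
    return path


def triage_sample() -> dict:
    """Run the triage over the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(write_sample(tmp))


if __name__ == "__main__":
    report = triage_sample()
    print(f"{report['injected']} injected script(s), "
          f"world writable: {report['world_writable']}")
    for payload in report["payloads"]:
        for blob, layers in payload.items():
            print(f"  blob {blob[:16]}... peeled {len(layers)} layer(s)")
            print(f"  final text: {layers[-1]!r}")
```

Run against a real document root, `triage()` would be called on each index.html and index.php in turn; keeping the returned `mtime` and `world_writable` values from one run and diffing them against the next is a simple way to confirm the reinfection Bonnie saw from the timestamps, and the decoded final layer is what to read to learn what the script actually does.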