WordPress hacked by inii.info

BEGIN Update (3/2/10)

Thanks to Frank Farmer, we have found that this seems to be a MediaTemple + WordPress problem. Try the following.

1) Get this: Firefox User Agent Switcher
2) Select: Yahoo Slurp
3) Visit: http://clintoon.com/zguda.php?p=hawaii-beach-report – I don’t know whose site this is, I am just using it as an example, so be kind to whoever this is.

So what you see here is a link-farm of affected sites. I have been chasing this all morning. If you have MediaTemple and WordPress, check your site for malicious code now!! I have to get back to doing some real work now. If someone has the time, please help notify the domain owners that their site has been compromised.

The farm is pretty big. Sometimes it gets circular, but trust me, it’s big. You just have to keep going down further.
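The check described in the steps above (view the page as a crawler and see where it sends you) can be scripted instead of done by hand in a browser. The following is an added example, not code from the original post: it fetches one URL as an ordinary browser and as two crawlers, refuses to follow redirects so the Location header is visible, and reports any crawler whose response differs from the browser's. The crawler User-Agent strings are the public ones; the browser string and the URL in `main()` are placeholders you should replace, and the sample results in the usage are constructed here, not captured from a real site.

```python
"""Cloaking check: request a page with several User-Agents and compare the outcomes.
Added example; not from the original post.  Replace TARGET_URL before use."""
import hashlib
import urllib.error
import urllib.request

TARGET_URL = "http://example.invalid/"   # placeholder, not a real target

USER_AGENTS = {
    # Generic browser string (placeholder); the crawler strings are the well-known public ones.
    "browser": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0 Safari/537.36",
    "yahoo_slurp": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses: the redirect target is the evidence we want to see."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, user_agent):
    """One request with the given UA.  Returns (status, location_header, sha256_of_body).
    With NoRedirect installed, 3xx/4xx/5xx responses arrive as HTTPError, which still
    carries the headers and body."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        resp = opener.open(req, timeout=15)
        status, location, body = resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:
        status, location, body = err.code, err.headers.get("Location"), err.read()
    return status, location, hashlib.sha256(body).hexdigest()


def cloaking_verdict(results):
    """results maps a label to (status, location, body_hash); 'browser' is the baseline.
    A different status or redirect target for a crawler is the strong signal.  A body
    that merely hashes differently is reported as a weak signal, because dynamic pages
    (nonces, timestamps) differ between any two requests."""
    base_status, base_location, base_hash = results["browser"]
    findings = []
    for label, (status, location, digest) in results.items():
        if label == "browser":
            continue
        if status != base_status or location != base_location:
            findings.append(
                f"{label}: status {status} location {location!r} "
                f"vs browser status {base_status} location {base_location!r}"
            )
        elif digest != base_hash:
            findings.append(f"{label}: body differs from browser response (weak signal)")
    return findings


def check_url(url):
    """Fetch the URL under every UA and return the verdict list (empty means no difference)."""
    results = {label: fetch(url, ua) for label, ua in USER_AGENTS.items()}
    return cloaking_verdict(results)


if __name__ == "__main__":
    for line in check_url(TARGET_URL) or ["no crawler-specific behaviour observed"]:
        print(line)
```

Run it against your own site only, and if it reports a redirect for `yahoo_slurp` or `googlebot` but not for `browser`, treat the page as compromised until you have read the PHP that serves it.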

END UPDATE

I run a lot of WordPress installations because it is easy to install and a lot of people are familiar with the platform. However, in the last month, one of my WordPress sites has been hacked twice by the same people, using an attack vector I still do not know.

The first attack wrote some redirection code to the wp-blog-header.php file:

Notice how it points you to inii.info. Anyway, I deleted this code, and a couple of weeks later the blog was hacked again.

This time they wrote a file named “…” (three dots) to my /etc directory and included the file through index.php. It’s a hidden system file: Link.

This one was a bit more interesting. Notice how the file was base64 encoded. I had to decode it 5 times before the actual code revealed itself.

Again, this was telling the blog to redirect itself to inii.info. Interestingly, it only targeted search engine bots. So here are my conclusions:
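Peeling the base64 layers and then checking what the inner code does is the part worth automating. The following is an added example, not the injected file or the author's own code: `peel()` repeatedly decodes `base64_decode("...")` literals until plain PHP appears and counts the layers, and `indicators()` then looks for the two things the post describes, a User-Agent check for crawlers and a redirect. The five-layer sample payload and the inner PHP are constructed here to imitate what the post describes; the redirect target in it is a placeholder domain.

```python
"""Peel nested base64 off a PHP injection and report what the inner code does.
Added example; the sample payload is constructed here, not the real injected file."""
import base64
import binascii
import re

# Matches base64_decode("....") / base64_decode('....') and captures the literal.
B64_CALL = re.compile(r'base64_decode\s*\(\s*[\'"]([A-Za-z0-9+/=\s]+)[\'"]\s*\)')
# A layer that is nothing but a bare base64 blob (some droppers omit the eval wrapper).
BARE_B64 = re.compile(r'^[A-Za-z0-9+/=\s]+$')

# What to look for once the payload is readable.
INDICATORS = {
    "ua_gate": re.compile(r'HTTP_USER_AGENT', re.I),
    "crawler_names": re.compile(r'googlebot|slurp|msnbot|bingbot', re.I),
    "redirect": re.compile(r'header\s*\(\s*[\'"]Location:', re.I),
    "remote_fetch": re.compile(r'file_get_contents\s*\(\s*[\'"]https?://|curl_init', re.I),
    "eval": re.compile(r'\beval\s*\(', re.I),
}


def peel(payload, max_layers=20):
    """Decode base64 layers until no base64 literal remains.
    Returns (plaintext, layers_removed).  Stops on invalid base64 or non-UTF-8 output
    so a stray base64-looking string never gets mangled."""
    text, layers = payload, 0
    while layers < max_layers:
        match = B64_CALL.search(text)
        if match:
            blob = match.group(1)
        elif BARE_B64.match(text.strip()):
            blob = text
        else:
            break
        try:
            decoded = base64.b64decode("".join(blob.split()), validate=True)
            text = decoded.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break
        layers += 1
    return text, layers


def indicators(plaintext):
    """Sorted names of the INDICATORS present in the decoded code."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(plaintext))


# Constructed inner payload imitating the behaviour the post describes:
# redirect only crawlers.  example.invalid is a placeholder target.
SAMPLE_PHP = (
    "<?php\n"
    "if (preg_match('/googlebot|slurp|msnbot/i', $_SERVER['HTTP_USER_AGENT'])) {\n"
    "    header('Location: http://example.invalid/farm');\n"
    "    exit;\n"
    "}\n"
    "?>"
)


def build_sample(inner_php, layers=5):
    """Wrap inner_php in `layers` rounds of eval(base64_decode("...")) (test input only)."""
    text = inner_php
    for _ in range(layers):
        enc = base64.b64encode(text.encode("utf-8")).decode("ascii")
        text = f'<?php eval(base64_decode("{enc}")); ?>'
    return text


if __name__ == "__main__":
    plain, n = peel(build_sample(SAMPLE_PHP, 5))
    print(f"removed {n} base64 layer(s); indicators: {indicators(plain)}")
    print(plain)
```

On the constructed sample this removes five layers and reports `crawler_names`, `redirect` and `ua_gate`, which is exactly the cloaking behaviour the post saw. To use it on a real file, pass the file's contents to `peel()`; droppers that also use `gzinflate` or `str_rot13` need an extra decode step per layer, which this example does not attempt.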

1) This is probably a WordPress vulnerability that has not been discovered yet, since it only targets my WordPress files.
2) This is probably just a spam/link-farming operation, because it just redirects search engine traffic to a link-farm page.
3) The website I am running is on some sort of list that gets pinged once in a while to make sure the hack is still in place.
4) Although the attacker has access to my system files, i.e. they were able to write new files to my system, it does not look like they have done anything else.

Surprisingly, one of the most useful tools that aided me in finding these code injections was Git. Git allowed me to find changes to my files that I had not made. So it’s one cool side effect of using Git that I am grateful for.
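The Git trick above generalises into a small audit script. The following is an added example, not the post's own workflow: it assumes the WordPress web root is a git checkout with the known-good state committed, asks git which files are modified or untracked (ignoring the uploads and cache trees, which change on any live site), flags dot-named files like the "..." file the post describes, and greps each changed file for the obfuscation primitives such injections rely on. The porcelain output and PHP snippet used in the usage below are constructed, not taken from a real install.

```python
"""Audit a git-tracked WordPress root for changes you did not make.
Added example; assumes `git` is installed and the web root is a repository."""
import re
import subprocess

# Primitives that almost never appear in a clean theme or plugin file.
SUSPECT = re.compile(r'base64_decode|\beval\s*\(|gzinflate|str_rot13|preg_replace\s*\(.*/e[\'"]', re.I)

# Paths expected to change on a running site; everything else should be static.
IGNORE_PREFIXES = ("wp-content/uploads/", "wp-content/cache/")

STATES = {"??": "untracked", " M": "modified", "M ": "modified", " D": "deleted", "D ": "deleted"}


def parse_status(porcelain):
    """Turn `git status --porcelain` output into [(state, path)], skipping ignored trees.
    Unknown two-letter codes are passed through unchanged."""
    entries = []
    for line in porcelain.splitlines():
        if len(line) < 4:
            continue
        code, path = line[:2], line[3:]
        if path.startswith(IGNORE_PREFIXES):
            continue
        entries.append((STATES.get(code, code), path))
    return entries


def hidden_name(path):
    """True if any path component starts with a dot (e.g. '...'); .htaccess is expected."""
    return any(part.startswith(".") and part != ".htaccess" for part in path.split("/"))


def scan_text(text):
    """(line_number, excerpt) for every line carrying an obfuscation/eval primitive."""
    return [(num, line.strip()[:80])
            for num, line in enumerate(text.splitlines(), 1)
            if SUSPECT.search(line)]


def git_status(repo):
    """Raw porcelain output; --untracked-files=all lists each new file, not just its directory."""
    return subprocess.run(
        ["git", "-C", repo, "status", "--porcelain", "--untracked-files=all"],
        check=True, capture_output=True, text=True,
    ).stdout


def audit(repo):
    """Return [(state, path, note)] for every unexpected change in the checkout."""
    findings = []
    for state, path in parse_status(git_status(repo)):
        notes = []
        if hidden_name(path):
            notes.append("hidden (dot-prefixed) name")
        if state != "deleted":
            try:
                with open(f"{repo}/{path}", encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                hits = []
            if hits:
                notes.append(f"{len(hits)} suspicious line(s), first at line {hits[0][0]}")
        findings.append((state, path, "; ".join(notes) or "review manually"))
    return findings


if __name__ == "__main__":
    import sys
    for state, path, note in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{state:9} {path}  [{note}]")
```

The list it prints is the same one `git status` gives you, but with the noise removed and the obvious droppers marked; a `modified` entry for `index.php` or `wp-blog-header.php` with a `base64_decode` hit is exactly the pattern described above. `git diff` on that file then shows the injected lines, and `git checkout -- <file>` restores the committed copy, though that only removes the payload, not whatever wrote it.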