Wednesday, August 6, 2008

How to fix or iframe infections

A lot of popular scripts developed for PHP 4 are currently being hacked through a tmp directory exploit. This is affecting webmasters all over the place, so we've decided to do something about it and write this little blog post in case it helps somebody.

If you see HTML code resembling iframe src="" being inserted into certain files on your web hosting account, you know that you are infected. I decided not to water that "infected" down to "affected" because loading a malicious third-party file into your own web page is pretty serious business. Enough sobering up, let's get this solved!

Floogy Host clients, just ask us to sort it out for you. Everyone else, just follow along below:

1. SSH (or Telnet) into your web hosting account. If you don't know how, or can't connect for some reason, email the web address of this article to your server administrator, close this page, and get yourself a coffee.

2. You're in? Okay, paste the one-liner below (right-click to paste if you're using the PuTTY SSH client on Windows) and hit Enter to sniff out files that may be infected:

    grep -lir "pinoc" *

3. If no file names show up, you are safe; go in peace. Otherwise, head to the top-level infected directory, and paste this perl one-liner after replacing "/path/to/start/from" with the path to that directory. If you have any problems, make sure it is on a single line before pasting. Run step 2 again and no file names should show up.
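The scan-and-clean procedure above, written out as a small POSIX shell script. This is an added example and not the article's own perl one-liner; it assumes find, grep and sed are available, reuses the article's "pinoc" marker, and the domain in the demo is a constructed placeholder. Unlike a blind substitution, it backs each file up and reports any file where the marker survives (for example a tag split across lines) so that one can be inspected by hand.

```shell
#!/bin/sh
# Added example, not the article's own perl one-liner: list files under a directory that
# carry the marker the article greps for, back each one up, and strip the injected
# <iframe> tags. Assumes POSIX sh with find, grep and sed. The marker "pinoc" is the
# article's; the domain in the demo is a constructed placeholder.

MARKER="pinoc"

# Print the files under $1 that contain the marker (case-insensitive), skipping our own .bak copies.
find_infected() {
    find "$1" -type f ! -name '*.bak' -exec grep -il "$MARKER" {} +
}

# Remove every <iframe ...MARKER...>...</iframe> tag from one file after saving a .bak copy.
# Returns 0 only when the marker is gone, so a tag split across lines is reported, not missed.
clean_file() {
    f="$1"
    cp "$f" "$f.bak"
    sed -e "s#<[iI][fF][rR][aA][mM][eE][^>]*$MARKER[^>]*>[^<]*</[iI][fF][rR][aA][mM][eE]>##g" \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    ! grep -qi "$MARKER" "$f"
}

# Clean every infected file under $1, reporting the ones still needing manual attention.
clean_tree() {
    find_infected "$1" | while IFS= read -r f; do
        if clean_file "$f"; then
            echo "cleaned: $f"
        else
            echo "STILL INFECTED (inspect by hand): $f"
        fi
    done
}

# Demonstration on a constructed sample tree, not real infected files.
demo() {
    d=$(mktemp -d)
    mkdir "$d/sub"
    printf '%s\n' '<html><body>Welcome</body></html>' \
        '<iframe src="http://pinoc.example.invalid/in.php" width="1" height="1"></iframe>' \
        > "$d/index.php"
    printf '%s\n' '<p>clean page</p>' > "$d/sub/about.html"
    echo "infected before:"; find_infected "$d"
    clean_tree "$d"
    echo "infected after: $(find_infected "$d" | wc -l) file(s)"
    rm -rf "$d"
}
demo
```

Run it from the account's top-level directory as `clean_tree /path/to/start/from`; the .bak copies let you diff what was removed before deleting them.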

Good deed ticked off, now I deserve my grilled cheese sandwich! Yes, linking to is the flavour of the week. I really don't see myself using it much, not while I'm this accustomed to Google's keyword-based search. But, it's pretty nifty for topic-based search.