How can you check this?
The virus attacks following files on your server:
At the end of these files it will insert the following code:
height=0 frameborder=0 display:none onLoad="status=defaultStatus;"></iframe>');</script>
Update: if you use WordPress read how to check WordPress sites.
What it does?
I can only guess. The code is calling a script on online-channels.info site. It can be sending traffic information. Maybe it is a first case of Internet marketing espionage? Or it can be trying to run some malicious code.
How did it come here?
It can be a security flaw on my hosting server. It can be a security flaw of the WordPress which is the main script I run on my server.
Whatever way it came, it executed code that scanned through all the files on my server that match the given names and added that code at the end.
All created files carry the time stamp 29-06-2008 04:59 which is the time when the attack occurred.
How did I discover it?
By accident. I was looking at the HTTP requests on my site using Firebug. I noticed few 404 Object not found errors. Normally I keep my blog in good shape and these things should not happen.
I then suspected that some of the plugins I use reference this site. After inspection I could find the script inserted to a number of plugins.
I have then checked my theme - it was there too in the index, header and footer. I then checked the whole WordPress installation - the script was there.
Finally I discovered it was spread out on my whole server.
The lucky thing is the attacker's site broke down so I could find an anomaly with that 404 error.
Who is behind it?
I am still not sure. Here is the domain registration record for online-channels.info
Created On:29-Feb-2008 23:08:51 UTC
Last Updated On:22-Jun-2008 11:24:52 UTC
Expiration Date:28-Feb-2009 23:08:51 UTC
Sponsoring Registrar:Blog.com Digital Communications Inc. (R315-LRMS)
Registrant Name:Domain Admin
Registrant Street1:P.O. Box 97
Registrant Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Registrant Postal Code:5066 ZH
The site is registered somewhere in Denmark under an anonymous name. Blog.com is mentioned as Sponsoring Registrar.
The server IP is 18.104.22.168 and is located in Ukraine.
Trace route finishes before getting to the site:
11 86 ms 83 ms 83 ms tr1-v23.de-fra.datagroup.ua [22.214.171.124]
12 114 ms 107 ms 107 ms tr1-v454.ua-kiev.datagroup.ua [126.96.36.199]
13 691 ms 611 ms 131 ms cat65-ge1-2-datagroup.hosting.ua [188.8.131.52]
14 * * * Request timed out.
What can I do?
You should check the files on your server for the code. Check index.php and index.html first as they are most likely to have been infected.
Warn your friends about it.
- How to remove the pesky JS injection virus from your WordPress blog
- Check your WordPress site for viruses and malware
Posted in: WordPress
TAGS:check attack sites, check virus plugin, check viruses, check website virus, checking virus, heder php virus, how check virus, how virus check website, how virus come websites, how wesite viruses attack, search websites malicious script, virues websites, virus attack website, virus websites, web virus, website virus test