Well, I found out why my blog had an infection. The good news is I found a fix. The bad news is it affected everything on my site.
Basically it seems someone found an exploit for Dreamhost that installed a small IFRAME script on any page that starts with “index.” This IFRAME redirects the user to a site (odmarco.com) and attempts to install spyware by exploiting Adobe Acrobat.
Because there’s just a crazy amount of stuff on my site, doing this manually would be a pain. Fortunately, I found a script that fixes this for me.
I use DreamHost for quite a few sites, both my own and friends'. Recently I was informed that one of my sites was triggering a warning in anti-virus software, and when I went to investigate, it turned out quite a few sites had been hit by an annoying script that inserts a hidden iframe. Removing all of those by hand would be an annoying job, so I decided to automate it. Given that I don't know much shell scripting but have a firm knowledge of PHP, I decided to give that a go.
First of all, let's look at the hack. At this point I am unsure what exactly caused so many of my files to contain the odmarco string. It looks like quite a few people on DreamHost got hit by this problem, so I am guessing a vulnerable script on one of their servers caused this. Now, I should blame myself as well, because apparently I didn't take notice of a lot of files in my websites being writable by the server. It's no excuse, but a lot of the sites I have are very old sites, where I definitely didn't pay as much attention to such details as I do now.
Anyway, from a comment on siteadvisor I learned that the script called in the iframe is trying to abuse an exploit in Adobe Acrobat. Though I hate all stuff like this, I hate exploits more than mere referrer spam injection, so I felt I needed to take care of this quickly, even if a lot of the sites are hardly maintained anymore. So I sat down to hack up a little PHP script that would remove the offending string. Why PHP? Simple: it's the only language I know well enough to hack something like this up in a short time.
After some hacking around I came up with this script. It’s not perfect, but it does the job and it does it well, so I’m happy. Anyone interested, feel free to use this script to clear up the mess in your site. It’s meant to be run from the command line, inside the directory that you want to (recursively) clean. What I did was put it in the homedir on DreamHost, and then go into a directory that needed cleaning and issue the command:
/usr/local/php5/bin/php ../clear_odmarco.php
As you'll notice, at DreamHost you need to explicitly specify the php5 path because, for some reason, the "php" command still defaults to php4. Then I put in a relative path to the clear_odmarco.php file (you could use the full path if you want).
If you have anything hosted on my site with your own user account, you should run this script.
~Jaker
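The clear_odmarco.php script itself is not reproduced above, so here is an added example (not the original author's script) of the same cleanup: a command-line PHP script, run from inside the directory to clean, that walks the tree recursively, looks only at files whose names start with "index.", and strips any iframe whose attributes reference the domain given on the command line. It assumes PHP 7 or later, that the injected payload is a literal `<iframe ...>...</iframe>` tag naming the domain (the exact payload shape is not shown on the page), and it supports a `--dry-run` flag so you can review what would change before anything is written.

```php
<?php
// Added example: strip a hidden iframe pointing at a given domain from every
// file whose name starts with "index." below the current directory.
// Assumption: the payload is a literal <iframe ...domain...>...</iframe> tag.
// Usage (from inside the directory to clean):
//   /usr/local/php5/bin/php clean_iframe.php odmarco.com [--dry-run]

function iframePattern(string $domain): string {
    // Match an <iframe> whose attributes mention the domain, through its closing tag.
    $d = preg_quote($domain, '/');
    return '/<iframe\b[^>]*' . $d . '[^>]*>.*?<\/iframe>/is';
}

// Returns the number of matching iframes found in (and, unless $dryRun, removed from) $path.
function cleanFile(string $path, string $domain, bool $dryRun): int {
    $original = file_get_contents($path);
    if ($original === false) {
        return 0;
    }
    $cleaned = preg_replace(iframePattern($domain), '', $original, -1, $count);
    if ($cleaned === null || $count === 0) {
        return 0;                         // regex error or nothing injected here
    }
    if (!$dryRun) {
        file_put_contents($path, $cleaned);
    }
    return $count;
}

// Walks $root recursively; returns [path => removed count] for every affected index.* file.
function cleanTree(string $root, string $domain, bool $dryRun): array {
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (!$file->isFile() || strpos($file->getFilename(), 'index.') !== 0) {
            continue;                     // only pages named index.* were hit
        }
        $n = cleanFile($file->getPathname(), $domain, $dryRun);
        if ($n > 0) {
            $hits[$file->getPathname()] = $n;
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $dryRun = in_array('--dry-run', $argv, true);
    foreach (cleanTree(getcwd(), $argv[1], $dryRun) as $path => $n) {
        echo ($dryRun ? 'would clean ' : 'cleaned ') . "$path ($n iframe(s))\n";
    }
}
```

Take a copy of the infected tree (for example a tarball outside the web root) before running without `--dry-run`, since the original files are overwritten in place, and afterwards fix the server-writable permissions that let the injection land in the first place.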
