Recently a client reported the heder.php exploit had infected their website. They needed help with the cleanup, so we got them back online, but they had questions like, “How did these files get onto my site?”

First understand that heder.php is just one type of site trojan. There are many flavors of this type of site exploit and they have some things in common, so it might be worth a blog post to cover them.

These kinds of exploits compromise your hosting account. Then they install malicious code into your html pages. They also add some entries to your htaccess file to redirect incoming traffic to the payload. Usually the payload is a version of the same exploit so the code can spread to the next victim.

So now we know how you get it… Basically, this exploit is usually dropped onto your machine when you visit an infected website. It will overwrite a Microsoft ActiveX file on your machine — which is how it hides from your antivirus. (Yes as usual it’s a Micro$oft exploit).

So what does it do?

In the background it scans for usernames and passwords. If it finds them it steals then and uploads them to the hackers. If it finds FTP credentials it uses those to upload itself to your websites and inject some code into your home page and write some backdoor ssh access files into your server space.  This is how it spreads – once it is on your website, anyone who lands on it gets the new code and the process starts attacking their machine.

I have anti-virus software so I’m safe right?

Nyet! Most Antivirus software cannot find it because it is more like spyware. Also it hits your machine via php and javascript code and those are functions your web browser uses all the time — so a firewall is useless to prevent this. Since it hacks an activex helper it hides really well from scanners.

Okay so why do people do this crap? Why me? What do they get out of it?

The hackers make money by retrieving your other credentials (usernames and passwords to banking sites, credit cards etc…) as well as personal info (your SSN, address, phone numbers, etc) and then it uploads them to a public board in encrypted form that only the original programmers have the decrypt key to. So all your data is uploaded to a public forum and the hackers pull these files daily and decrypt them. Then they:

• Sell your email address to spammers
• Sell your personal info to identity thieves
• Sell your credit card details to fraudsters
• Share your exploited ftp details with partners who now have write-privilege to install other payloads to your website…
• Then they post teaser code to boards to help other hackers develop better code.

As a webmaster you should always keep a close eye on your security — particularly ftp credentials. FileZilla is one popular ftp client that is taking a big hit because it stores your credentials in unencrypted format. So if you manage 10 websites for clients and use FileZilla for FTP – you could be at real risk. FilaZilla is an excellent Windows FTP client, but please do not store your passwords in it. (Uncheck the “Save Password” box in the FTP profiles and keep a separate encrypted list of site credentials.)

Hope this helps…

A client recently reported some strange entries in their website statistics referrer logs. The entry was from a bot probe by a nasty outfit that is up to all sorts of evil malware stuff. The issue did raise a good questions about the security of sites and what even novice webmasters can and should do to protect themselves from site compromise.

Bot probes from a slimy outfits are common. Properly secured systems will block offending IPs but the attacking bots switch IPs all the time. This form of vulnerability probe or referrer spam is very common — just like email spam. We do everything we can to prevent it but that does not stop the evil bastards from trying… all the time.

This is why it is so important to have a strong password and to change it every few months. You should also look around in your site file structure frequently for things that don’t belong — like .c files or .exe files or even php files that you did not install. I recommend you check your site once a week for this kind of activity.

Remember, no matter how secure our servers are, your website is an open door to the world and malware developers have a powerful monetary interest in gaining control of your server resources to make money. The days of malicious teenagers gleefully scrambling your home page and laughing through a mouth full of hot pockets is long gone. Hacking websites to install malware is serious (and big) business.

So it’s also up to you as a webmaster to make sure you don’t let these demons in the door.

By the way. Take care which backlinks you click on while scanning your stats reports. That is one way referrer spam works. The malware developer creates an attack routine and embeds it in a web page. Then they deploy botnets to spider websites constantly — leaving nice little fake ‘visitor’ entries in the log files and stats. Then if you click on the link to see who visited you the malware site hits your machine with a payload. Even though you may have a great antivirus / antimalware program, pages can be constructed in ways to overwhelm your computers resources and tie up your system as the payload is being installed.

It’s a jungle. And your website is part of the food chain.

As always we’re, At Your Servers

Dwayne