Dwayne Coots


FTP Exploit – Back Door to Your Website

Published On 04 Oct 2009 By Dwayne. Under: Tech Channel. Tags: free information, malware, malware prevention, security, webmaster resources, webmaster security  

Recently a client reported that the heder.php exploit had infected their website. They needed help with the cleanup, so we got them back online, but then came the questions: "How did these files get onto my site?"

First, understand that heder.php is just one type of site trojan. There are many flavors of this kind of site exploit, and they have enough in common that they are worth a blog post.

These exploits compromise your hosting account, then inject malicious code into your HTML pages. They also add entries to your .htaccess file to redirect incoming traffic to the payload. Usually the payload is another copy of the same exploit, so the code can spread to the next victim.

So how do you get it? This exploit is usually dropped onto your machine when you visit an infected website. It overwrites a Microsoft ActiveX file on your machine, which is how it hides from your antivirus. (Yes, as usual, it is a Microsoft exploit.)

So what does it do?

In the background it scans for usernames and passwords. If it finds any, it steals them and uploads them to the attackers. If it finds FTP credentials, it uses them to upload itself to your websites, inject code into your home page, and write backdoor SSH access files into your server space. This is how it spreads: once it is on your website, anyone who lands on it gets the new code, and the process starts attacking their machine.
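The two site-side footprints described above (injected loader code in your pages, and redirect rules added to .htaccess) are what you go looking for during a cleanup. The script below is an added example, not part of the original post or of any cleanup tool: it scans a web root for hidden iframes, external script tags from hosts you have not allowlisted, eval()-over-decoded-blob PHP, and .htaccess lines that redirect visitors (especially when keyed on the referrer, so only search-engine traffic is redirected and the owner never notices). The patterns are heuristics chosen for this example, not a signature for heder.php, and the sample files are constructed inline.

```python
"""Scan a web root for injected page code and .htaccess redirects.
Added example with constructed sample files; the patterns are heuristics
chosen here, not a signature for heder.php or any specific malware."""
import re
import tempfile
from pathlib import Path

# Heuristics for injected page content (assumed typical of this family).
INJECT_PATTERNS = [
    # hidden iframe: a classic way to pull the payload into a visitor's browser
    re.compile(r"<iframe[^>]*\bstyle\s*=\s*['\"][^'\"]*(?:display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    # obfuscated PHP dropper: eval() over a decoded blob
    re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
]
# External <script src=...>: flagged unless the host is on the site's allowlist.
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]\s*(?:https?:)?//([^/'\"\s:]+)", re.I)

# .htaccess lines that send visitors elsewhere, or that key a rule on the referrer.
HTACCESS_PATTERNS = [
    re.compile(r"^\s*(?:Redirect(?:Match)?|RewriteRule)\b.*https?://", re.I),
    re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I),
    re.compile(r"^\s*ErrorDocument\s+\d+\s+https?://", re.I),
]

PAGE_SUFFIXES = {".html", ".htm", ".php", ".js"}


def suspicious_page_line(line, trusted_hosts):
    """True if a line of page source matches an injection heuristic."""
    trusted = {h.lower() for h in trusted_hosts}
    if any(p.search(line) for p in INJECT_PATTERNS):
        return True
    return any(m.group(1).lower() not in trusted for m in SCRIPT_SRC.finditer(line))


def suspicious_htaccess_line(line):
    """True if an .htaccess line redirects traffic or tests the referrer."""
    return any(p.search(line) for p in HTACCESS_PATTERNS)


def scan_webroot(root, trusted_hosts=frozenset()):
    """Return (relative path, line number, excerpt) for every suspicious line."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):  # rglob includes dotfiles such as .htaccess
        if not path.is_file():
            continue
        if path.name == ".htaccess":
            check = suspicious_htaccess_line
        elif path.suffix.lower() in PAGE_SUFFIXES:
            check = lambda line: suspicious_page_line(line, trusted_hosts)
        else:
            continue
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if check(line):
                findings.append((path.relative_to(root).as_posix(), lineno, line.strip()[:100]))
    return findings


def demo():
    """Build a constructed web root: one clean page, two infected files, one bad .htaccess."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inc").mkdir()
        (root / "index.html").write_text(
            '<html><body><h1>Welcome</h1>\n'
            '<script src="http://www.example.com/site.js"></script>\n'  # allowlisted host
            '</body></html>\n')
        (root / "about.html").write_text(
            '<html><body><p>About us</p>\n'
            '<iframe src="http://bad.example/in.php" style="display:none" width="1" height="1"></iframe>\n'
            '</body></html>\n')
        (root / "inc" / "footer.php").write_text(
            '<?php\n'
            'eval(base64_decode("ZWNobyAiaGkiOw=="));\n'  # constructed blob: echo "hi";
            '?>\n')
        (root / ".htaccess").write_text(
            'RewriteEngine On\n'
            'RewriteCond %{HTTP_REFERER} google\\.com [NC]\n'
            'RewriteRule ^(.*)$ http://bad.example/go.php [R=302,L]\n')
        return scan_webroot(root, trusted_hosts={"www.example.com"})


if __name__ == "__main__":
    for rel, lineno, excerpt in demo():
        print(f"{rel}:{lineno}: {excerpt}")
```

Run it against a copy of the site, not the live one, and treat every hit as a lead rather than a verdict: legitimate redirects and analytics scripts will show up too, which is why the allowlist exists. Anything the scan finds should also be compared against a known-clean backup, since the injected line is often appended to an otherwise untouched file.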

I have anti-virus software so I’m safe right?

Nyet! Most antivirus software cannot find it because it behaves more like spyware. It also reaches your machine through PHP-served pages and JavaScript, which your browser runs all the time, so a firewall that allows web browsing cannot block it. And since it hijacks an ActiveX helper, it hides well from scanners.

Okay so why do people do this crap? Why me? What do they get out of it?

The hackers make money by harvesting your other credentials (usernames and passwords for banking sites, credit cards, etc.) as well as personal info (your SSN, address, phone numbers, etc.), then uploading them to a public board in encrypted form that only the original programmers can decrypt. So all your data ends up on a public forum, and the hackers pull these files daily and decrypt them. Then they:

  • Sell your email address to spammers
  • Sell your personal info to identity thieves
  • Sell your credit card details to fraudsters
  • Share your stolen FTP details with partners, who now have write privileges to install other payloads on your website
  • Post teaser code to boards to help other hackers develop better code

As a webmaster you should always keep a close eye on your security, particularly FTP credentials. FileZilla is one popular FTP client that is taking a big hit because it stores your saved site credentials in unencrypted form (in its sitemanager.xml file), where any malware running as you can read them. So if you manage 10 websites for clients and use FileZilla for FTP, you could be at real risk. FileZilla is an excellent Windows FTP client, but please do not store your passwords in it. (Uncheck the "Save Password" box in the FTP profiles, or set the site's logon type to "Ask for password", and keep a separate encrypted list of site credentials.) And remember that plain FTP sends the password in clear text on every login, so use SFTP or FTPS wherever your host offers it.
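To see what "unencrypted" means in practice, here is an added example (not from the original post, and not FileZilla's own code) that audits a sitemanager.xml and lists which sites have a recoverable password. The embedded XML is constructed to follow the layout of FileZilla 3's sitemanager.xml as assumed here: a Pass element that is either literal plaintext (older versions) or base64 (newer versions, which is encoding, not encryption), and a Logontype of 1 for a saved password versus 2 for "ask for password". The numeric protocol codes (0 for FTP, 1 for SFTP) are also an assumption.

```python
"""Audit a FileZilla sitemanager.xml for stored site passwords.
Added example; SAMPLE_SITEMANAGER is constructed to follow the layout of
FileZilla 3's sitemanager.xml (an assumption about the format, not a real file).
Anything that can read this file, the malware described above included, gets
the passwords back with no more effort than this script needs."""
import base64
import xml.etree.ElementTree as ET

SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.3.0" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.client-one.example</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>webmaster</User>
      <Pass encoding="base64">c2VjcmV0MTIz</Pass>
      <Logontype>1</Logontype>
      <Name>Client One</Name>
    </Server>
    <Server>
      <Host>ftp.client-two.example</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>admin</User>
      <Pass>hunter2</Pass>
      <Logontype>1</Logontype>
      <Name>Client Two (old-style plaintext)</Name>
    </Server>
    <Server>
      <Host>sftp.client-three.example</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Logontype>2</Logontype>
      <Name>Client Three (ask for password)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

# Numeric protocol codes as assumed for this example: 0 = plain FTP, 1 = SFTP.
PROTOCOL_NAMES = {"0": "FTP (plaintext)", "1": "SFTP"}


def decode_pass(pass_el):
    """Return the stored password, or None if the entry keeps none."""
    if pass_el is None or not (pass_el.text or "").strip():
        return None
    raw = pass_el.text.strip()
    if pass_el.get("encoding") == "base64":  # newer layout: base64 is encoding, not encryption
        return base64.b64decode(raw).decode("utf-8", "replace")
    return raw  # older layout: literally plaintext


def saved_credentials(xml_text):
    """One dict per Server entry, with the password recovered where one is stored."""
    root = ET.fromstring(xml_text)
    entries = []
    for server in root.iter("Server"):
        entries.append({
            "name": server.findtext("Name", ""),
            "host": server.findtext("Host", ""),
            "user": server.findtext("User", ""),
            "protocol": PROTOCOL_NAMES.get(server.findtext("Protocol", ""), "other"),
            "logontype": server.findtext("Logontype", ""),
            "password": decode_pass(server.find("Pass")),
        })
    return entries


def exposed(entries):
    """Entries whose password is recoverable from the file."""
    return [e for e in entries if e["password"] is not None]


def report(xml_text):
    """One line per site; only the presence of a stored password is shown, never its value."""
    lines = []
    for e in saved_credentials(xml_text):
        status = "PASSWORD STORED" if e["password"] is not None else "prompted at connect"
        lines.append(f"{e['name']}: {e['user']}@{e['host']} [{e['protocol']}] {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SITEMANAGER)))
```

On Windows the real file typically lives at %APPDATA%\FileZilla\sitemanager.xml; point saved_credentials() at its contents to audit your own client. Every entry the report marks PASSWORD STORED is a site an attacker gets for free from a single file read, and the ones on plain FTP are exposed a second time on the wire at every login.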

Hope this helps…

Copyright © 2010 Dwayne Coots All Rights Reserved.