Main All Wiki Pages Home

FirstAttack

Note: same as First Attack, but in creole wiki format.

March 13 2010 - BBDotCom gets hacked !

Somebody managed to install a malware script in my html directory. called "lux.php". Apparently, it was part of some scam to download and install malware from servers in India. Note that these sites are probably hacked too: if they were "the bad guys", the trace wouldn't have been to identify them so easily, same as me.

The malware is called Fake Vimes. It claims to have found a virus on your computer and then ask you for money to get rid of the non-existent virus. See the Microsoft article on Trojan/Win32/FakeVimes. I'm using a Linux client so it hasn't effected me, although the Fake Vimes program claimed to have found a Windows virus on my Linux system ! However, any Windows user might be vulnerable to the scam.

The malware script always resides in the html directory. It appears to have a unique name for each infected site, but the name usually follows a pattern of xxx.php, where xxx is a sequence of three lower case letters. I found one called "marker.php".

My stats say the file had 58 hits between March 10th and March 13rd about noon GMT, with a suspiciously large surge of demand coming from Canada ( Viagra country ! ). I've deleted several suspect CMSs that may have been allowing scripts to execute but I am not at all certain I've locked the door ... it may happen again.

The most amazing thing is that their whole operation ( breaking into my server and inserting the fake page lux.php, setting up servers for the Fake Vimes virus detection scamware, extracting money from Windows users under false pretenses ) is probably legal under current laws, at least in the United States. As the world now knows, most financial scams are legal in the USA and no one in Washington seems to be in a hurry to close the gaping holes in our legal system - our politicians probably regard them as "entrepreneurs". I just wish I could send the "entrepreneurs" an invoice for the time I've spent cleaning up after them.

Needless to say I am grief-stricken about the whole thing.

Regrets, bb@billbreitmayer.com

Note March 14th: It doesn't look as if anyone browsing my content was attacked. Apparently the lux.php script was a 'way station' for requests to other servers. I'm still getting hundreds of unidentified requests per day for lux.php ( 404s needless to say ), but none of the requests are from my content, at least not so far. Keeping my fingers crossed ...


Welcome New Ruleforge Site Business Rules Technology InterWiki Old Tutorial

Appropriate Footer Stuff