The most visible sign of the hack is a line of code similar to this
< img heigth="1" width="1" border="0" src=" http://imgbbb.net /t.php?id=14438168 " >
appears somewhere, usually after the </html> tag, in one or more HTML or PHP files on your site. More recently the <img tag has started to show up at the very beginning of the file, before the doctype declaration. I have also started to see this
< img heigth="1" width="1" border="0" src=" http://imgbbb.net/t.php?id=12580911 " >
< img heigth="1" width="1" border="0" src=" http://imgbbb.net/t.php?id=12581106 " >
two or more img tags with different ?id= values, again right after the </html> tag.
Update 06/22/2011: In the last couple of sites I have looked at the <img tag was inserted at random locations in the file.
On most sites I have looked at the tags have only been on the homepage, but you should check all of your pages for the malicious links. The post Using Xenu Link Sleuth TM to find malicious code on your site covers how to use the tool to find pages on your site that contain the malicious links.
The hackers have been using a number of different domains such as imgaaa.net, imgbbb.net, imgccc.net, imgddd.net, myteenmovies.net, adam-love.net, and curem.net. The number in id= has varied from site to site, but so far all have used the filename t.php with a numeric ?id= parameter, for example /t.php?id=15090691
If you are having trouble spotting the code in your page, try the File Viewer tool to request the page. The tool will display the code returned by your server for a request for your page, with some highlighting that will hopefully make it easier for you to spot the code. I just looked at a Joomla site and the code
< img heigth="1" width="1" border="0" src=" http://imgbbb.net/t.php?id=12384646 " >
was stuck in the middle of the page.
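The tags above can land before the doctype, after </html>, or in the middle of the page, so a text search for the domain alone is not enough. The following scanner is an added example, not code from the post: it looks for any img tag whose src ends in t.php?id=<number> (the host is not hard-coded because the domains rotate), reports the line number, and says whether the tag sits before the doctype, after </html>, or inside the document. The sample page at the bottom is constructed for the demonstration.

```python
import re

# Injected 1x1 tracking image: any img tag whose src points at /t.php?id=<digits>.
# A space is tolerated after "<" and inside the quotes because the samples in the
# post are written that way.
TRACKER_TAG = re.compile(
    r'<\s*img\b[^>]*?src\s*=\s*["\']?\s*(?P<url>https?://[^"\'\s>]+/t\.php\?id=\d+)',
    re.IGNORECASE,
)
DOC_START = re.compile(r'<!doctype\b|<html\b', re.IGNORECASE)
DOC_END = re.compile(r'</html\s*>', re.IGNORECASE)


def classify_position(text, offset):
    """Where in the file the match sits; outside the document is the hack's usual spot."""
    start = DOC_START.search(text)
    end = DOC_END.search(text)
    if start is None and end is None:
        return "fragment (no html markers)"
    if start and offset < start.start():
        return "before doctype"
    if end and offset > end.end():
        return "after </html>"
    return "inside document"


def find_tracker_tags(text):
    """Return one record per injected tag: line number, position class and URL."""
    findings = []
    for m in TRACKER_TAG.finditer(text):
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "position": classify_position(text, m.start()),
            "url": m.group("url"),
        })
    return findings


def scan_files(paths):
    """Scan .html/.htm/.php files; map each path to its findings (empty = clean)."""
    report = {}
    for path in paths:
        if not path.lower().endswith((".html", ".htm", ".php")):
            continue
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            report[path] = find_tracker_tags(fh.read())
    return report


# Constructed sample page (not taken from any real site): one tag before the
# doctype, two after </html>, and a legitimate image that must not be flagged.
SAMPLE_PAGE = """<img heigth="1" width="1" border="0" src="http://imgbbb.net/t.php?id=12580911">
<!DOCTYPE html>
<html><head><title>Example</title></head>
<body><img src="/images/logo.png" width="120" height="40"></body>
</html>
<img heigth="1" width="1" border="0" src="http://imgccc.net/t.php?id=12581106">
<img heigth="1" width="1" border="0" src=" http://myteenmovies.net/t.php?id=14438168 ">
"""

if __name__ == "__main__":
    for hit in find_tracker_tags(SAMPLE_PAGE):
        print(f"line {hit['line']:>3}  {hit['position']:<16}  {hit['url']}")
```

Run it over the list of files Xenu (or a plain directory walk) gives you with scan_files; any file whose list is not empty needs a look, and a tag reported as "inside document" is the case where a quick glance at the end of the file would have missed it.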
Usually (not always) with the imgaaa.net (imgccc.net, imgddd.net) hack the hackers also place a backdoor on the site so they can get back in after it has been cleaned.
If you are running on an Apache web server start by checking your .htaccess file for some code similar to this
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /dd.php?q=$1 [L]
where dd.php stands for a two-digit file name; I have seen 31.php, 34.php, 37.php, 54.php and so on. While the dd.php form is most common you may see just about any filename; I have also seen mirror.php, log.php and a few others. On sites that already have a .htaccess file the hackers may not use the .htaccess part. In some of the latest WordPress sites I have looked at the hackers have been adding an additional .htaccess file in the /wp-admin/ directory. Typically WordPress sites will already have the default WP .htaccess file, but you should check that file just to be sure.
The backdoor file will contain some obfuscated php code that starts out
eval(gzuncompress(base64_decode(' followed by a long string of characters. In some of the sites the code has looked like this
<?
eval(gzuncompress(base64_decode('eNqdWNtuGkkQ/ZmVSKRVBINtZbTiAR4YdpSwMqvMbbWy5mKMzAyLgj.....')));
?>
<?
eval(gzuncompress(base64_decode('eNptWWuTokgW/SvzoSN6JmpjBlC7NSbqg29BpPCBIBsbEwJ ......')));
?>
<?
eval(gzuncompress(base64_decode('eNqVXP9THbcR/xlm+B/OLnW4AM+n1ffCc5qmJJMZJ5k6SX/BL2+oj.....')));
?>
three blocks of code that start out eval(gzuncompress(base64_decode(' and then continue with very long strings of characters (I only copied the first part of the strings above; the full code can be seen here).
There is a simple script, Find base64_decode in your files, linked under Malware helpful links, which you can install; it may assist in finding the base64 strings.
If the hackers have added a .htaccess file you need to remove the code from the .htaccess file first. Make sure you note the file name listed in
RewriteRule ^(.*)$ /dd.php?q=$1 [L],
or
RewriteRule ^(.*)$ /wp-admin/digitdigit.php?q=$1 [L],
On a recent site I was working on, the site owner deleted the .htaccess and then could not remember the file name. Needless to say they had a long hunt to find the malicious PHP file. Once you have cleared the .htaccess file you can go back and delete the malicious ??.php file.
Next check your folders/directories for sub-folder/sub-directories named .log or .logs. These are folder names that the hackers have been using but the names on your site could be about anything. Starting a folder/filename with a . will hide the file from some/most FTP programs so make sure your FTP program is set to show hidden or system files. Another thing to check for is any folders/directories on your site that the permissions have been set to 777.
Inside the .log or .logs folder there is normally another folder with the domain of your site as the name of the folder, then the malicious files are in that folder. You will need to delete all bogus files from that folder.
Once the site is secure and clean you need to submit a request for review in you Google WMT account to have the warning removed. If you have not verified ownership of the site you will have to do so first. The following reference explains the procedure.
Google FAQ: Malware and hacked sites
Once you have the hack all cleaned up hopefully you are done but unfortunately I have seen a number of sites get the hack cleaned up and have the malware warning removed only to be slapped with a this site may be compromised warning. One of the things this hack does is create 100s, sometimes 1000s of bogus pages on the site. If Google indexes these bogus pages they will flag the site with the this site may be compromised warning.
You should monitor search results over the next few weeks checking for any bogus pages showing up in the results. Hopefully you can get any cleaned up before Google labels your site this site may be compromised.
Any feedback on what you found (or did not find) on your site would be greatly appreciated by all!
Good Luck
