Strange Brouhaha

Thursday, March 01, 2007


A website that I designed for my father-in-law got hacked. Oops. It's now blacklisted by Google until it goes through a review process at (To clarify: the site that you are reading now is not the hacked site!)

It would appear that it was vulnerable to an exploit in cPanel, as detailed in this report at Heise. The host for the site is not HostGator, but the problem is the same.

The attack was actually pretty nasty; here's the CIAC bulletin that details what was going on. It installs a rootkit. Ick.

Among other things, this points out the necessity of keeping your browser and OS up-to-date with security patches. This particular attack exploits a vulnerability in Windows and the Microsoft Data Access Components, and I've got another CIAC bulletin on the MDAC hole.

Again: keep that OS patched, folks! Go to Windows Update and make sure you're up-to-date.

The injected code was obfuscated JavaScript. If you ever see obfuscated or escaped JavaScript, you can go to scriptasylum to decode it.
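Escaped JavaScript of the kind mentioned above can also be decoded locally as plain text, without running it. The following is an added example, not part of the original post: the function names, the 0.3 threshold and the sample page (with its placeholder host `example.invalid`) are constructed for illustration.

```javascript
// SAMPLE_PAGE is constructed for illustration; example.invalid is a placeholder host.
const SAMPLE_PAGE = [
  '<html><body><p>Welcome</p>',
  '<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A//example.invalid/%22' +
    '%20width%3D%220%22%20height%3D%220%22%3E%3C/iframe%3E"));</script>',
  '<script>var s = "\\x68\\x69\\u0021";</script>',
  '</body></html>',
].join('\n');

const ESCAPE_RE = /%u([0-9a-f]{4})|%([0-9a-f]{2})|\\u([0-9a-f]{4})|\\x([0-9a-f]{2})/gi;

// Decode %uXXXX, %XX, \uXXXX and \xXX sequences by text substitution only.
// Nothing is passed to eval() or Function(), so the script never runs.
function decodeEscapes(text) {
  return text.replace(ESCAPE_RE,
    (m, a, b, c, d) => String.fromCharCode(parseInt(a || b || c || d, 16)));
}

// Fraction of a string's characters that sit inside escape sequences.
function escapedRatio(text) {
  const hits = text.match(ESCAPE_RE) || [];
  return text.length ? hits.join('').length / text.length : 0;
}

// Scan inline <script> blocks for quoted string literals that are mostly
// escape sequences, and report each one with its decoded form.
function findEscapedScripts(html, threshold = 0.3) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let block;
  while ((block = scriptRe.exec(html)) !== null) {
    const literalRe = /"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g;
    let lit;
    while ((lit = literalRe.exec(block[1])) !== null) {
      const raw = lit[1] !== undefined ? lit[1] : lit[2];
      if (raw.length < 6 || escapedRatio(raw) < threshold) continue;
      let decoded = raw;
      // Peel nested layers, bounded so crafted input cannot loop forever.
      for (let i = 0; i < 5 && decodeEscapes(decoded) !== decoded; i++) {
        decoded = decodeEscapes(decoded);
      }
      findings.push({ offset: block.index, raw, decoded });
    }
  }
  return findings;
}

for (const f of findEscapedScripts(SAMPLE_PAGE)) console.log(f.offset, JSON.stringify(f.decoded));
```

Run against a saved copy of a page, this lists each heavily escaped string with its readable form, which is usually enough to spot markup that the site's author never wrote.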

Update: The original version of this post was incomplete. Here's more...

What I ended up doing was strengthening the password on the account and turning off the cgi-bin directory--it was never used anyway. Not much else I can do, other than get the web host to update the version of cPanel that we get.

I'm torn about this.

On the one hand, I'm glad for the warning that I got from Google. I would have caught the problem eventually, but "eventually" means "a few months from now."

On the other hand, the website is now blacklisted until the folks at stopbadware get around to processing my request for review. That means that anyone who searches for that particular website on Google will get a warning. It would have been nice to have had a 24-hour grace period.

