Cleaning Up.

For one reason or another some silly thing known as “step57.info” managed to find its way into my PHP and HTML files. And judging from the information I found on Google, it is supposed to be a worm, a trojan horse, or something along those lines. I discovered this silly thing when I was starting up my Internet Explorer, whose start page is my own site kubicwave.com, and I noticed some strange behaviour in the status bar: my IE was trying to communicate with a page at step57.info. Thinking that it was some spyware acting up, I did some spyware scans, but nothing turned up, so I went to Google and tried to search for information about this, and what I got was something scary. Anyway, I’ve put in some links to the pages I saw with information about this nasty thing:

http://wordpress.org/support/topic/62767

http://updates.wp-revealed.com/general/a-good-plugin-and-a-security-alert.php

http://forum.mamboserver.com/showthread.php?t=83180 (worth taking a note if your site is running Mambo)

What this thing does is attempt to hack into your webserver, detect any PHP and HTML files (whether it affects other similar files such as ASP or JSP I’m not too sure), and add the following line of code to your PHP/HTML files:

http://step57.info/traff/index2.php

And what this line does could be pretty malicious, though I’m not exactly sure what malicious things it can do. Some say that it will attempt to steal passwords, while some say that it will just crank your system up by planting some virus on your computer. Considering that most of the directories on my server have permission 755, and files 644, I really don’t know how that joker managed to plant the code in my files. But then, if he meant to hack into my server, he would have done anything and everything to achieve his goal.

Whatever it is, if you have visited my page anytime since this morning at about 7.30, please do a virus scan, and if possible, change the passwords to your email, and everything else! Sorry for all this inconvenience, and to be honest I have no idea how this joker managed to hack into my kubicwave.com, but that’s water under the bridge now, and I’m trying to salvage the situation. I haven’t really had time to do a damage assessment yet, but I hope it will be minimal.

Though from the look of it, I suspect it’s my webhosting company who’s been hacked, because when I try to access my webhosting company’s page, I see that step57.info is being accessed, and since I’ve cleared those lines out of my kubicwave.com, I believe it could well be my webhosting company that’s being targeted. And worse still, if that’s really the case, then chances are this thing might just come back to kubicwave.com, because it hasn’t been cleared out by my webhosting company.

Problems. Problems. Problems.

Added at 1014 hrs:

Anyway, I didn’t mention how to get rid of it, right? OK, so this is what I did… open all the PHP and HTML files and remove that particular line, and then change the permissions on the files from whatever they were previously to 644. The strange thing is that I had them on 644 in the first place, so what I did was change them to something else, say 600, and then change them back to 644. Most importantly, deny write access for group and everyone. But if that joker managed to change my PHP and HTML files while the permissions were 644, I suspect he has actually hacked into my account.
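The cleanup described above, written out as an added shell example (this is not the author’s script): it lists every PHP/HTML file under a web root that still references the injected host, strips those lines while keeping a backup, and resets permissions to 644 for files and 755 for directories. The sample web root and its injected line are constructed for the demonstration; the pattern only matches the host name, so any line that contains it is removed whole.

```shell
#!/bin/sh
# Added example, not the original post's code. The host name is the one
# the post reports; the sample files below are constructed for illustration.

INJECTED_HOST='step57.info'

# Print the PHP/HTML files under $1 that still mention the injected host.
# Run this first (and again afterwards) so the removal can be verified.
find_infected() {
  find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
    -exec grep -l "$INJECTED_HOST" {} +
}

# Remove every line that mentions the host, keeping a .bak copy of each
# touched file, then deny write access to group and others everywhere.
# Caveat: a whole line is dropped, so if the injection was appended to an
# existing line, inspect the .bak diff before deleting the backups.
clean_webroot() {
  root="$1"
  find_infected "$root" | while IFS= read -r f; do
    cp -p "$f" "$f.bak"
    # grep -v exits 1 when nothing is left to write; that is not an error here.
    grep -v "$INJECTED_HOST" "$f.bak" > "$f" || true
  done
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
}

# Build a constructed web root with one infected page and one clean page,
# deliberately leaving the infected page world-writable.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/blog"
  printf '<html>\n<body>ok</body>\n' > "$d/blog/index.html"
  printf 'http://%s/traff/index2.php\n</html>\n' "$INJECTED_HOST" >> "$d/blog/index.html"
  printf '<?php echo "clean"; ?>\n' > "$d/blog/clean.php"
  chmod 666 "$d/blog/index.html"
  echo "$d"
}

# Stand-alone run: report, clean, report again.
if [ -z "${SKIP_DEMO:-}" ]; then
  root=$(make_sample)
  echo "before:"; find_infected "$root" || echo "(none)"
  clean_webroot "$root"
  echo "after:";  find_infected "$root" || echo "(none)"
fi
```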