Not often I get to do this, but this morning I managed to help another website owner rid the Net of one more drive-by browser attack.
A friend of mine sent me and 6 other people an email containing only a link (…and she used my super-secret personal email address to do it, nudge-nudge). This set off my suspicion alarms. The link went to a PHP script file buried in the image file uploads section of another website’s WordPress installation. The script’s filename was something opaque like “onelove.php”, and it had a query string (the part of the URL after the ?) that could be used to uniquely identify the source of the click and whoever emailed it.
Without opening a browser, I went to the command line and did some sleuthing. I used wget to try digging up the script to see what it returns. What I found was that the script attempted to redirect me to a website in Russia. “Now why is this script, in someone’s pictures folder, redirecting me to a foreign website?”
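A small command-line triage helper in the spirit of the wget check above, added here as an example and not part of the original post: it requests the link once with redirects disabled and reports whether the response tries to send the visitor to a different site. The host names used in the checks are constructed placeholders.

```python
"""Probe a suspicious link without a browser and without following redirects."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urllib raise HTTPError for the 3xx instead


def classify_redirect(source_url, status, location):
    """Describe a response to `source_url`.

    `status` is the HTTP status code and `location` the Location header (None if absent).
    Returns a dict: redirect (bool), target (absolute URL or None), offsite (bool, True
    when the redirect leaves the host the link pointed at).
    """
    if not (300 <= status < 400) or not location:
        return {"redirect": False, "target": None, "offsite": False}
    # Resolve relative Location values so a same-site "/foo" is not misread as off-site.
    target = urljoin(source_url, location)
    src_host = (urlparse(source_url).hostname or "").lower()
    dst_host = (urlparse(target).hostname or "").lower()
    return {"redirect": True, "target": target, "offsite": dst_host != src_host}


def probe(url, timeout=10):
    """Fetch `url` once, never following redirects, and classify the result."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "link-triage/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_redirect(url, resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:
        # With redirects disabled, a 3xx surfaces here; its headers carry the Location.
        return classify_redirect(url, err.code, err.headers.get("Location"))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Run it as `python3 probe.py "http://<suspect-host>/wp-content/uploads/onelove.php?..."` to see the redirect target before deciding whether to contact the site owner.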
I performed a whois lookup on both sites to see who owned the domains. The victim site was a fellow Dreamhost customer, and the Russian site was hidden behind a “private” domain registration. “Huh!” I thought.
So I sent a short message to the victim site’s administrative address stating that her website had been hacked and was hosting this script, that she should remove it, and that she should update her WordPress installation (always important) to minimize the risk of future attacks. I then sent a reply-all to my friend and the list warning them to not click the link, to delete the message, and for my friend to scan her computer for infection.
I get home from work and return to my sleuthing. The nefarious script is no longer on the victim’s site. Possibly the victim got my message and took the proper actions. Maybe Dreamhost intervened and cleaned it out themselves. At any rate, it’s gone, for now. Hopefully, she has hardened her site against another hacking infection. I’d hate to see more people unknowingly clicking blind links and getting their browsers sent to a page containing just the right code to infect their system or con them out of their personal information.
We should help every chance we get, right?