 |
|
Is Infected with a Trojan Horse
Click here for basic information about Trojan Horse infections
As a web developer, I often receive requests to take over the work on a website. Sometimes it's search engine optimization (SEO.) Other times the original web developer has gone on to other places or work. I recently had two people contact me from different parts of the country to work on their sites. Both sites needed SEO. Both sites were infected with Trojan Horses, and it was the SEO set up process which showed the infection.
Google Webmaster Tools as the First Clue
For search engine optimization, the first thing you need is a set of measurements to measure the beginning site traffic. That allows you to tell which of your efforts are working and how well they are working. Google Analytics and Google Webmaster Tools are wonderful and free. (Some metrics tools should be set up on every website, because SEO should be part of every site.)
Google Webmaster Tools shows various types of analysis of your website. One set of figures is what page your site shows up on various Google searches. This set of stats showed the result of the Trojan Horse on the site. Note that the stats that refer to legitimate industry terms have been removed for the privacy of the website owner. At first I had to scratch my head a bit.
# |
% |
Query |
Position |
| 5 | 3% | xpress it bahamas | 4 |
| 6 | 2% | cialis kontraindikacije | 8 |
| 10 | 1% | 8 cialis | 41 |
| 32 | <1% | pill identifier with pictures | 11 |
| 37 | <1% | pill id | 38 |
| 39 | <1% | cialis 5mg online | 2 |
| 46 | <1% | pill identifier canada | 7 |
| 47 | <1% | cialis south africa | 8 |
| 48 | <1% | cialis tubs meaning | 8 |
| 51 | <1% | cijalis kontraindikacije | 9 |
| 79 | <1% | cialis insurance coverage | 7 |
| 92 | <1% | cialis free trial coupon | 10 |
| 100 | <1% | doxazosin | 21 |
For this magazine site to come up in a Google search under these word combinations, those words had to exist on the website. That is a bad thing for the site owner, who has a very legitimate business website. How would you like for your site to rank #10 for "cialis free trial coupon"? So, I could only conclude that those words got onto the website without the owner's permission or knowledge. There are four possibilities:
- The web developer is making some $$$ on the side adding hidden stuff to the site.
- Someone at the hosting company is making some $$$ on the site by adding hidden stuff to the site.
- An employee at the site owner's company is making some $$$ on the site by adding hidden stuff.
- Someone outside these sources has access to the site through a Trojan Horse.
The next step is to find out where those words are hidden on the site
The assumption here is that a word can't lead to your site through a Google search unless that word appears on your site. If that word appears on the site without your knowledge, someone else hid it somewhere. So, to get rid of it, you have to find it. What you don't know is whether the rogue information is 1) rogue files, 2) rogue database entries, or 3) text injected into one of your real website files. Between the two infected sites had all three cases were present. 
The first set of stats in the Google Webmaster Tools page shows the page rank, as shown in the table above. The second set of stats, under the page rank words, is the "Links to your site. Notice that the first column is "Page." Now those aren't pages that the custom woodworker who owned the site knew about. The Trojan Horse had opened a hole in his site, and someone else was adding content.
Rogue Files and Folders
The linked numbers in the second column went to all kinds of strange sites, mostly obscure forums. The name of the folder that was placed on the site: jndce, would not raise any alarms, unless someone clicked the folder open and realized that the contents were a bunch of junk. If the web developer would have been alert he would have noticed that folder as not something that he had created. On the other hand, if that developer wasn't working on the site very often, the extra information could have been overlooked for a long time. In this case, the actual virus files were on the site for a year and a half.
Rogue Code on a Legitimate Web Page
Beside the extra folder and files on the site, this site had more code on the home page from the Trojan Horse than the legitimate code. The extra code code consisted of hundreds of lines that looked like this
<!-- google --><font style="position: absolute;overflow: hidden;height: 0;width: 0">
xeex382701
<a href=http://***aut.apit.pt/od0n2q/d9m46/lompoc.php>lompoc</a>
<a href=http://***aut.apit.pt/od0n2q/d9m46/geranium.php>geranium</a>
<a href=http:/***/aut.apit.pt/od0n2q/d9m46/pacemaker.php>pacemaker</a>
<a href=http://***aut.apit.pt/od0n2q/d9m46/prohibition.php>prohibition</a>
<a href=http://***aut.apit.pt/od0n2q/d9m46/deeds.php>deeds</a>
etc.
(I have put *** in the file addresses; so, they won't work. This uses some pretty clever tricks.) Notice the reference to Google. A website owner is less likely to wonder what's going on because it looks like it might be for search engine optimization. Then the CSS in the font tag is quite revealing. The width and height are set to 0; so, the code has no dimension, but then the "overflow" is set to hidden. The result is that the website owner never saw the rogue code on his website, but it just kept on working away as a Zombie machine.
Rogue Entries in the Database
This is what occurred on the magazine site. The database was compromised, and it was being used to deliver images for viagra and other meds. In fact, if you received an email spam for viagra and cialis during the time period of the infection, if that ad had an image on it, the image might have been coming right from my client's site.
Per my instructions, my client called their webhost. The host company said that all their database sites had been compromised and that they were taking care of it. So, why didn't they inform their clients that they were infected in the first place. Those listings were there long enough for Google to pick them up. If the infection was server-wide, the webhost has a security problem. This is not the first time I've heard questionable responses from their hosting company. OK, I'd accept the first weirdness from them, but it's time to consider moving to a more professional web hosting company!
So, Where is the Trojan Horse Causing all these Problems?
So, where was the virus - beyond the junk files? The wood worker's virus was hidden in a text editing application called FCKEditor. This program was originally installed to allow the site owner to add formatting to new text for his website. The editor version was very old and had known security problems. It is important for website owners to know what software is installed on their websites, how secure it is, and what updates are available. When we tried to download the website files into our computers to update the pages, our AVG anti-virus software went crazy. Hidden in the program was a file called ok.php, which contained the virus.
I didn't have server access to the magazine client's site; so, I couldn't check that one out. I hope that company has been very busy patching holes on their server.
Related Topics and Resources
- go.google.com Browser Hijack
- Wikipedia topic: Trojan Horse
- How to Recognize a Trojan Horse on your Website
- Verizon Wireless Trojan Horse
- Domain Name Scam from China
- Sports Event Registration Scam
- Are Those Tweeter Ads for Real?
© 2011, Nora McDougall-Collins