The incidence of web malware is on the rise: thousands of websites are infected every day as webmasters and business owners grapple with this new hydra of the Internet. Traditional anti-virus software is largely helpless when it comes to detecting these new and evolving pieces of malware, which malicious hackers use to infect websites.
In this short post we present an extremely widespread variant of an FTP-based web malware which is used to infect websites.
Identifying the Malware
This code is injected as a result of a trojan or "sniffer" malware being installed on the webmaster's personal computer or on a server. The trojan simply listens for FTP connections destined for web servers; because FTP sends the username and password in cleartext, the sniffer captures working credentials and the attacker then uses them to log in and modify the site's files.
The code below shows the malware payload which is injected into web sites:
<img heigth='1' width='1' border='0' src='http://imgaaa.net/t.php?id=36910902'>
To determine if this trojan has infected your site, follow the steps below:
1. The above code may also be present on the last line of files named "index.php" (a reader identified the fact that there may also be files present with names like "police.php").
2. Search your whole document root for any file that references the payload's domain (run this from the document root; -l lists only the file names, -r recurses into subdirectories):
grep -lr imgaaa.net .
3. Check your .htaccess files for an injected Apache mod_rewrite rule that funnels every request through a PHP script, such as:
RewriteRule ^(.*)$ /wp-admin/21.php?q=$1
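The three checks above, automated in one script, as an added example that is not part of the original post. It walks a web root and reports (a) any file containing the payload domain imgaaa.net, (b) whether the payload sits on the last line of an index.php or police.php, and (c) any .htaccess RewriteRule that sends every request into a PHP file under wp-admin. The regular expression generalises the quoted rule slightly to any <name>.php in that directory; the function names, the constructed sample site and its contents are my assumptions, not data from the post.

```python
"""Added example (not from the original post): scan a web root for the
indicators quoted in the post. Indicator strings come from the post; the
function names and the constructed sample tree are assumptions for the demo."""
import os
import re
import tempfile

# Indicators taken from the post.
PAYLOAD_DOMAIN = "imgaaa.net"
SUSPECT_FILENAMES = {"index.php", "police.php"}
# Any RewriteRule whose target is a PHP file under /wp-admin/. This generalises
# the single rule quoted in the post (/wp-admin/21.php) to any <name>.php there.
REWRITE_RE = re.compile(
    r"^\s*RewriteRule\s+\S+\s+/wp-admin/\S+\.php", re.IGNORECASE | re.MULTILINE
)


def scan_webroot(root):
    """Walk root and return a sorted list of (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            # Check 1: payload domain anywhere in the file (what grep -lr does).
            if PAYLOAD_DOMAIN in text:
                findings.append((rel, "payload domain present"))
                # Check 2: on index.php / police.php, note whether it is the
                # last line, which is where the post says the injection lands.
                lines = text.rstrip("\n").split("\n")
                if name in SUSPECT_FILENAMES and PAYLOAD_DOMAIN in lines[-1]:
                    findings.append((rel, "payload on last line"))
            # Check 3: .htaccess rewriting requests into wp-admin/<name>.php.
            if name == ".htaccess" and REWRITE_RE.search(text):
                findings.append((rel, "suspicious RewriteRule"))
    return sorted(findings)


def build_sample_site():
    """Create a constructed sample web root (not real site data); return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "blog"))
    samples = {
        # Constructed: payload appended as the last line of index.php.
        "index.php": "<?php echo 'hello'; ?>\n"
                     "<img heigth='1' width='1' border='0' "
                     "src='http://imgaaa.net/t.php?id=36910902'>\n",
        "blog/about.html": "<html><body>clean page</body></html>\n",
        # Constructed: the police.php variant a reader reported.
        "blog/police.php": "<?php // constructed sample ?>\n"
                           "<img src='http://imgaaa.net/t.php?id=1'>\n",
        # Constructed: the injected rewrite rule quoted in the post.
        ".htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ /wp-admin/21.php?q=$1\n",
        # Constructed: a benign redirect that must not be flagged.
        "blog/.htaccess": "RewriteEngine On\nRewriteRule ^old$ /new [R=301]\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in scan_webroot(build_sample_site()):
        print(f"{rel}: {reason}")
```

Run it against your real document root by calling scan_webroot("/path/to/htdocs") instead of the constructed tree; the benign redirect in blog/.htaccess shows that only rules whose target is a PHP file under wp-admin are reported, so ordinary redirects do not produce noise.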
Removing the Malware
If you find traces of the infection, upgrade your web application software (e.g. your CMS, such as WordPress), change your FTP passwords (do this from a machine you trust, since the sniffer may be sitting on your own PC), and clean or remove the infected files from your site immediately.