Eye On DNA Down

by Dr. Hsien-Hsien Lei
Posted June 25, 2007 in DNA in General

I got hacked last night. Everything should be running now but please let me know if you encounter anything wonky. Thanks!

FYI, the update from my host, Siteground.com (aff):

Hello Hsien-hsien,

We have carefully revised the issue in detail and it turned out that the hackers used two different ways to infect customers' websites.

The first method is actually a program called MPack, also known as Trojan.Mpkit!html. This is software that is installed on a third-party server, written in PHP and using a MySQL database to collect any statistics of hacked websites and compromised end-user computers.

More detailed instruction about this malware can be found in the Symantec articles repository.

In addition to this, there is a movie, which explains the exact way this software works:

The second way of compromising a website is to use an unknown until the current moment bug in the cPanel control panel system. That bug is used to start the MPack program, which reflects into adding unwanted source code to your (any) website on the server.

The actual “infection” is a source code injection into any and all htm/html/php files on your account – an <iframe> HTML tag at the end of each PHP/HTML page. The frame itself includes a redirect to hacker’s server with the Mpack installed on it. The redirect is designed to be invisible to the visitors of the website. Once the request is sent to the hacker’s server, it analyzes the visitor’s computer and chooses which exploit to be forwarded to it.

Said in simple words – the attackers/hackers are trying to insert a simple source code into as many websites as possible. If they succeed, they infect the websites and all visitors to the websites will be potentially infected by the self spreading viruses/worms.

SiteGround always cares about the security of your website and about stopping these kinds of attacks in the shortest possible timeframe. We have managed to find a workaround for this serious issue and we are currently working on developing a permanent solution. Here is what we have done so far:

1) We have managed to identify how the viruses/worms spread on websites.
2) We have managed to identify the “hole” within the cPanel software and have already notified its developers, who should be preparing a fix which will not allow that to happen again.
3) We have managed to create a custom script, which goes through all infected accounts and cleans the infected content. As a precaution, that script will be run automatically on a given period of time and will be also run on customer’s request.

At this stage, we strongly advise you to consider the following measures on your end:

1) Change all your passwords: SiteGround Customer’s Area, cPanel, website administration panel (if applicable), email passwords;
2) Run an antivirus scan on your local computer and make sure it is not infected with any kind of viruses.

I have just run the script to clean your site. If you see the virus warnings again, please post a ticket in the “Site Down” category.

Best Regards,

Anatoli D.
Senior Support Team
SiteGround.com
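
An added example, not SiteGround's cleanup script and not part of the original post: a minimal Python check for the injection the e-mail describes, a hidden `<iframe>` at the end of htm/html/php files. The size and style heuristics, the 512-character tail window, and the `example.invalid` host in the constructed samples are assumptions.

```python
import re
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
CLOSE_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)
# Assumed markers of an "invisible" frame: 0/1-pixel size or CSS hiding.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?[01](?:px)?["'\s>]"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)
TAIL_CHARS = 512  # assumption: how much of the file counts as "the end"
EXTENSIONS = {".htm", ".html", ".php"}

# Constructed samples; example.invalid is a placeholder host.
CLEAN = ('<html><body><iframe src="/video" width="560" height="315">'
         '</iframe></body></html>\n')
INFECTED = CLEAN + ('<iframe src="http://example.invalid/" width=0 height=0 '
                    'style="display:none"></iframe>\n')


def suspicious_iframes(text):
    """Return hidden <iframe> opening tags found at the end of a page."""
    tail_start = max(0, len(text) - TAIL_CHARS)
    closes = list(CLOSE_HTML_RE.finditer(text))
    if closes:  # anything after the last </html> is also "the end"
        tail_start = min(tail_start, closes[-1].end())
    return [m.group(0) for m in IFRAME_RE.finditer(text)
            if m.start() >= tail_start and HIDDEN_RE.search(m.group(0))]


def scan_tree(root):
    """Map each htm/html/php file under root to its suspicious iframe tags."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            hits = suspicious_iframes(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    print(suspicious_iframes(CLEAN))     # visible embed is not flagged
    print(suspicious_iframes(INFECTED))  # appended hidden frame is flagged
```

A hit is a lead for manual review, not proof of compromise; comparing flagged files against a known-good backup confirms what was actually added.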

2 Comments

Comment by Rosie

That sucks! I hope you’ll have everything running again smoothly soon.

Comment by Hsien

Thanks, Rosie. It was an educational, but not fun, experience. AHHH!
