
On 28/09/12 10:40, Trent W. Buck wrote:
Peter Ross wrote:
To be hacked is one thing - but that it targets Linux users only?? It would be clever for a spammer to inject the data only when the U-A is "hi I'm to googlebot", because then it would be far less obvious that it was compromised -- as you've seen.
A naïve implementation might try to do that by blacklisting known end user UAs (i.e. IE, FF) rather than whitelisting known spider UAs, which would result in you seeing it if your UA happened to not match the blacklist.
That's pretty much what I expect is happening. This sounds like the "Pharma hack", one characteristic of which is that there are zillions of versions of it. My impression is that there are a lot of mediocre programmers involved in this, reimplementing much the same thing as part of some larger overall spam campaign.

Basically what the pharma hack sets out to do is to steal your Google rank. They don't want to be noticed by human users, but want to send modified pages to Google that pass your Google rank to a bunch of spam pages.

The pharma hack infestation I dealt with a little while back certainly included a bunch of screw-ups, but it also included a whole bunch of techniques for hiding code that I hadn't seen before. That is to say, code obfuscation techniques that are hard to search for. There's no simple string that you can search for to find the inserted code, but with some more complex regexes I was eventually able to clear the last of it. There were several hundred modified files involved.

If you're lucky, you've got a good copy of your code in version control, and have good backups. If you're unlucky, you're using something silly like Smarty, which means you can't make a clean distinction between data areas (which the web server can write) and code areas (which the web server can only read). If you can just flush all the cached Smarty stuff, then do so.

Andrew McNaughton
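Two defender-side checks for the two behaviours discussed in this thread, as an added Python example that is not code from any of the posters: a user-agent cloaking comparison (the spider-only content Trent describes) and a regex scan for the kind of obfuscated injections Andrew says he had to hunt with "more complex regexes". The fetcher interface, the heuristic patterns, the scoring weights and every sample page and PHP file below are constructed assumptions, not artefacts from the compromised site.

```python
"""Pharma-hack style checks: UA cloaking diff and obfuscated-PHP scan (added example)."""
import re
import difflib
import urllib.request
from typing import Callable, Dict, List

# Assumed user-agent strings: one browser, one crawler.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0"
SPIDER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

LINK_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\']', re.IGNORECASE)


def urllib_fetch(url: str, ua: str) -> str:
    """Real fetcher for live use (standard library only); the tests below use a fake instead."""
    req = urllib.request.Request(url, headers={"User-Agent": ua})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def cloaking_diff(url: str, fetch: Callable[[str, str], str]) -> Dict[str, object]:
    """Fetch `url` as a browser and as a spider; report links only the spider is shown."""
    as_browser = fetch(url, BROWSER_UA)
    as_spider = fetch(url, SPIDER_UA)
    browser_links = set(LINK_RE.findall(as_browser))
    spider_links = set(LINK_RE.findall(as_spider))
    diff = list(difflib.unified_diff(as_browser.splitlines(), as_spider.splitlines(),
                                     "browser", "spider", lineterm="", n=0))
    return {
        "cloaked": as_browser != as_spider,
        "spider_only_links": sorted(spider_links - browser_links),
        "diff": diff,
    }


# Heuristics for hidden PHP: (label, pattern, weight). The weights are a constructed
# scoring scheme for triage, not a published standard.
OBFUSCATION_PATTERNS = [
    ("eval_of_decoded", re.compile(r'eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I), 5),
    ("preg_replace_e", re.compile(r'preg_replace\s*\(\s*["\'][^"\']*?/[a-z]*e[a-z]*["\']', re.I), 5),
    ("chr_concat", re.compile(r'(?:chr\s*\(\s*\d+\s*\)\s*\.\s*){4,}', re.I), 3),
    ("long_base64", re.compile(r'["\'][A-Za-z0-9+/]{120,}={0,2}["\']'), 2),
    ("ua_cloak", re.compile(r'HTTP_USER_AGENT.{0,120}(?:googlebot|bingbot|slurp)', re.I | re.S), 4),
    ("dynamic_call", re.compile(r'\$[A-Za-z_]\w*\s*\(\s*\$[A-Za-z_]\w*'), 1),
]


def scan_php_source(name: str, source: str) -> Dict[str, object]:
    """Score one PHP source text; hits are (label, line number) pairs."""
    hits, score = [], 0
    for label, pattern, weight in OBFUSCATION_PATTERNS:
        for m in pattern.finditer(source):
            hits.append((label, source.count("\n", 0, m.start()) + 1))
            score += weight
    return {"file": name, "score": score, "hits": hits}


def scan_tree(files: Dict[str, str], threshold: int = 4) -> List[Dict[str, object]]:
    """Scan a {path: source} mapping (a directory walk in real use); keep files at or above threshold."""
    results = [scan_php_source(p, s) for p, s in files.items()]
    return sorted((r for r in results if r["score"] >= threshold), key=lambda r: -r["score"])


# ---- constructed samples so the example runs offline ----
def fake_fetch(url: str, ua: str) -> str:
    """Stand-in for a cloaked site: spam links appear only when the UA looks like Googlebot."""
    page = '<html><body><h1>Hello</h1><a href="/about">About</a>'
    if "googlebot" in ua.lower():
        page += '<a href="http://pharmacy.example/pills">cheap pills</a>'
    return page + "</body></html>"


CLEAN = "<?php\n// constructed clean template\necho htmlspecialchars($title);\n"
INJECTED = (
    "<?php\n"
    "// constructed sample of an injected file\n"
    "if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {\n"
    '    eval(base64_decode("' + "QUFB" * 40 + '"));\n'
    "}\n"
)
CHR_BUILT = "<?php\n$f = chr(115).chr(121).chr(115).chr(116).chr(101).chr(109);\n$f($_GET['x']);\n"

if __name__ == "__main__":
    print(cloaking_diff("http://example.invalid/", fake_fetch))
    for r in scan_tree({"clean.php": CLEAN, "inc/footer.php": INJECTED, "lib/util.php": CHR_BUILT}):
        print(r["file"], r["score"], r["hits"])
```

For a live site, pass `urllib_fetch` to `cloaking_diff` and feed `scan_tree` a mapping built from `os.walk` over the web root; comparing the flagged files against the version-control copy, as the thread suggests, is still the quickest way to separate legitimate dynamic code from injected code.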