This site was hacked. A reader of the site noted that Google’s index of this site had been co-opted by dubious pharmaceutical offerings. I’ll gladly thank that individual publicly if they give me permission to do so; but my email reply got bounced as spam.
The immediate culprit was the addition of the following lines to a number of .htaccess files:

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (html|htm|php)$ [NC]
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteRule ^.*$ /common.php [L]
</IfModule>
```
I removed those lines, as well as the common.php file, and scanned any and all PHP files on my site. I saw the addition of lines such as the following:

```php
$FYAqxDo='p'.'r'. 'eg_repl'. 'ace';...
$IHxWfs=str_rot13('cert_ercynpr');...
$DcNZVHCi="eW6DLAlbeAki"^"...
$LYDmvYopCKSSSGcfCVNpsskU='ba'.'se64_'.'deco'.'de'...
```
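As an added example (not the post's own tooling, and not code recovered from the site), here is a Python scanner for the two kinds of artefact quoted above: it flags the search-engine cloaking pattern in .htaccess files and reconstructs PHP function names hidden by string concatenation, str_rot13() and literal XOR. The .htaccess block and three of the PHP fragments from the post are embedded as constructed samples; the XOR pair is made up here because the post's is truncated, and the regexes and the DANGEROUS list are this example's own assumptions.

```python
"""Heuristic scanner for cloaking .htaccess rules and obfuscated PHP names.

Added example, not the post's tooling. Regexes, the DANGEROUS list and the
sample inputs are this example's assumptions.
"""
from __future__ import annotations

import codecs
import re
import sys
from pathlib import Path

# Functions worth flagging once a hidden name is resolved. preg_replace() is
# included because with the /e modifier (PHP < 7) it evaluates the replacement
# string as PHP code, which is why attackers bother to hide its name.
DANGEROUS = {
    "eval", "assert", "preg_replace", "base64_decode", "str_rot13", "gzinflate",
    "gzuncompress", "create_function", "system", "shell_exec", "passthru", "exec",
}

# PHP name-hiding idioms from the injected code:
#   'p'.'r'.'eg_repl'.'ace'   str_rot13('cert_ercynpr')   "literal"^"literal"
CONCAT_CHAIN = re.compile(r"(?:'[^'\\]*'\s*\.\s*)+'[^'\\]*'")
QUOTED_PIECE = re.compile(r"'([^'\\]*)'")
ROT13_CALL = re.compile(r"str_rot13\s*\(\s*'([^'\\]*)'\s*\)")
XOR_LITERALS = re.compile(r'"([^"\\]*)"\s*\^\s*"([^"\\]*)"')

# .htaccess cloaking: match crawlers (or visitors arriving from a search
# engine) and funnel every request to a single attacker-controlled PHP file.
UA_COND = re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}\s+\S*(google|yahoo|bing|msn)", re.I)
REF_COND = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}\s+\S*(google|aol|yahoo|bing)", re.I)
CATCHALL = re.compile(r"RewriteRule\s+\^\.\*\$\s+(\S+\.php)", re.I)


def resolve_php_names(src: str) -> list[str]:
    """Return every name the three idioms reconstruct to (concat, rot13, then XOR)."""
    names = ["".join(QUOTED_PIECE.findall(chain)) for chain in CONCAT_CHAIN.findall(src)]
    names += [codecs.decode(enc, "rot13") for enc in ROT13_CALL.findall(src)]
    for left, right in XOR_LITERALS.findall(src):
        raw = bytes(a ^ b for a, b in zip(left.encode(), right.encode()))
        if raw and all(32 <= c < 127 for c in raw):  # report only printable results
            names.append(raw.decode("ascii"))
    return names


def php_findings(src: str) -> list[str]:
    """Resolved names that are on the DANGEROUS list, deduplicated and sorted."""
    return sorted({n for n in resolve_php_names(src) if n in DANGEROUS})


def htaccess_findings(text: str) -> list[str]:
    findings = []
    if UA_COND.search(text):
        findings.append("user-agent cloaking")
    if REF_COND.search(text):
        findings.append("referer cloaking")
    m = CATCHALL.search(text)
    if m:
        findings.append(f"catch-all rewrite to {m.group(1)}")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a web root; map relative path -> findings for .htaccess and PHP files."""
    report = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        if path.name == ".htaccess":
            hits = htaccess_findings(text)
        elif path.suffix.lower() in {".php", ".phtml", ".inc"}:
            hits = php_findings(text)
        else:
            continue
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed samples: the .htaccess block and three PHP fragments quoted in the
# post, plus a made-up XOR pair (the post's own pair is truncated).
SAMPLE_HTACCESS = """<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (html|htm|php)$ [NC]
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteRule ^.*$ /common.php [L]
</IfModule>
"""
SAMPLE_PHP = """<?php
$FYAqxDo='p'.'r'. 'eg_repl'. 'ace';
$IHxWfs=str_rot13('cert_ercynpr');
$DcNZVHCi="CTRFrBXICSX]"^"3&7!-0=9/2;8";
$LYDmvYopCKSSSGcfCVNpsskU='ba'.'se64_'.'deco'.'de';
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: scan.py /path/to/webroot
        for rel, hits in scan_tree(Path(sys.argv[1])).items():
            print(f"{rel}: {', '.join(hits)}")
    else:
        print(".htaccess:", htaccess_findings(SAMPLE_HTACCESS))
        print("php names:", resolve_php_names(SAMPLE_PHP))
```

Run without arguments it prints what the samples resolve to; with a web root it walks the tree. All four of the sample's hidden names come out as preg_replace or base64_decode, which is the point of the heuristic: the variable names are random, but the strings they are built from are not.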
I had old (vintage 2006) installations of PHP-openid-1.2.1 and PHP-yadis-1.0.2 that I am tentatively assuming were the ports of initial entry.
I also wiped my .ssh directory. It had a private key in it that was generated for this site; the key was presumably legitimate but unused by me, and is now presumed compromised. I never initiate sessions from this host, nor do I have any passwords saved there, so any damage caused was isolated.
I do daily backups of my site, which I keep for a week, as well as monthly backups that I basically keep forever. In addition, as I recently migrated hosts, I have a hot backup.
The PHP hacks were done after I migrated but before March 1st. The .htaccess hacks were done over a week ago, but after March 1st.
Over the next few days, I’ll be looking at diffs of different snapshots of my site contents to see if there is anything else I missed.
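As an added example of the snapshot comparison described above (not the post's own procedure), here is a small Python tool that hashes every .htaccess and web-script file under two backup snapshots and reports what was added, removed or modified between them. The two demo snapshots are constructed inline; the WATCH extension list and the snapshot layout are this example's assumptions.

```python
"""Compare two backup snapshots of a web root by content hash.

Added example, not the post's procedure. Assumes snapshots are plain directory
trees; only .htaccess and files with an extension in WATCH are compared.
"""
from __future__ import annotations

import hashlib
import sys
import tempfile
from pathlib import Path

WATCH = {".php", ".phtml", ".inc", ".js", ".html", ".htm"}


def interesting(path: Path) -> bool:
    return path.name == ".htaccess" or path.suffix.lower() in WATCH


def hash_tree(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 of content for every interesting file under root."""
    digests = {}
    for path in root.rglob("*"):
        if path.is_file() and interesting(path):
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Classify paths as added, removed or modified between two hash maps."""
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def build_demo_snapshots(base: Path) -> tuple[Path, Path]:
    """Constructed data: a clean snapshot and one carrying injections like those above."""
    old, new = base / "snapshot-old", base / "snapshot-new"
    for root in (old, new):
        (root / "blog").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / ".htaccess").write_text("RewriteEngine On\n")
        (root / "blog" / "post.php").write_text("<?php include 'lib.php'; ?>\n")
        (root / "style.css").write_text("body { margin: 0 }\n")  # not watched
    (new / ".htaccess").write_text("RewriteEngine On\nRewriteRule ^.*$ /common.php [L]\n")
    (new / "common.php").write_text("<?php /* dropped file */ ?>\n")
    (new / "blog" / "post.php").write_text("<?php $f='ba'.'se64_'.'decode'; include 'lib.php'; ?>\n")
    return old, new


def demo_diff() -> dict[str, list[str]]:
    """Build the constructed snapshots in a temp dir and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        old_root, new_root = build_demo_snapshots(Path(tmp))
        return diff_snapshots(hash_tree(old_root), hash_tree(new_root))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: snapdiff.py /backups/old /backups/new
        result = diff_snapshots(hash_tree(Path(sys.argv[1])), hash_tree(Path(sys.argv[2])))
    else:
        result = demo_diff()
    for kind, paths in result.items():
        for p in paths:
            print(f"{kind:<9}{p}")
```

Hashing the whole file rather than comparing timestamps matters here: an attacker who edits a file can also reset its mtime, but cannot keep the content hash unchanged. Comparing successive daily snapshots narrows each modification to a one-day window, which is how a date like "before March 1st" gets established.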