Comments on: mozgilla hack – index.* files corrupted http://blog.georgezamfir.com/mozgilla-hack-index-files-corrupted.html Mon, 14 Jun 2010 12:00:39 -0400 http://wordpress.org/?v=2.8 hourly 1 By: Ashleymsm http://blog.georgezamfir.com/mozgilla-hack-index-files-corrupted.html/comment-page-1#comment-515 Ashleymsm Mon, 14 Jun 2010 12:00:39 +0000 http://blog.georgezamfir.com/?p=643#comment-515 Your site is like a blonde with a brain. I like it. All jokes apart, vrey informative post and equally impressive design. Your site is like a blonde with a brain. I like it. All jokes apart, vrey informative post and equally impressive design.

]]> By: Christian Louboutin Shoes http://blog.georgezamfir.com/mozgilla-hack-index-files-corrupted.html/comment-page-1#comment-513 Christian Louboutin Shoes Fri, 04 Jun 2010 10:38:03 +0000 http://blog.georgezamfir.com/?p=643#comment-513 Thank you for useful info. :-) Thank you for useful info. :-)

]]> By: George http://blog.georgezamfir.com/mozgilla-hack-index-files-corrupted.html/comment-page-1#comment-485 George Thu, 05 Nov 2009 23:09:31 +0000 http://blog.georgezamfir.com/?p=643#comment-485 Well, my index.* files didn't have any permissions ( e.g. ---------- 1 668 552 3669 Oct 30 18:16 index.php), if it were 777 it'd have been easier for me to figure it out. But it had no permissions and I couldn't edit them... until I set my own permissions again. Anyhow, you're right in all other respects. Thanks for the info. Well, my index.* files didn’t have any permissions ( e.g. ———- 1 668 552 3669 Oct 30 18:16 index.php), if it were 777 it’d have been easier for me to figure it out. But it had no permissions and I couldn’t edit them… until I set my own permissions again.

Anyhow, you’re right in all other respects. Thanks for the info.

]]> By: Thomas J. Raef http://blog.georgezamfir.com/mozgilla-hack-index-files-corrupted.html/comment-page-1#comment-483 Thomas J. Raef Wed, 04 Nov 2009 22:48:34 +0000 http://blog.georgezamfir.com/?p=643#comment-483 You may have found your files with the wrong permissions, but they were set that way by the hackers. The way this works is that a PC with FTP access to a website gets a virus. I know, everyone has anti-virus software these days. However, anti-virus vendors are faced with 30,000 new viruses everyday so they started creating more generic signatures. These signatures are ill-prepared for the newer viruses that hackers claim are FUD (Fully Un Detectable). These viruses steal FTP login credentials, send them to a server which carries out the website infection with valid FTP credentials. When "they" upload their infected files, the permissions are set to 777. This makes it easier for them to modify later on if you remove their work the first time. So, without scanning all PCs with FTP access for viruses, the website is still vulnerable to re-infection. First, change all FTP passwords. Then, because these viruses also know how to evade detection of the currently installed anti-virus software, it's recommended to use something different. Many have had good success with AVG, Avast or Avira. Select one of those and use it with Malwarebytes - on every PC with FTP access to the website. Also, keep in mind that while your specific infection showed the mozgilla.ru domain, many other domains are used as well. The same infectious code, but a different domain. I just thought I'd share my experience in dealing with this for so many site owners. You may have found your files with the wrong permissions, but they were set that way by the hackers.

The way this works is that a PC with FTP access to a website gets a virus. I know, everyone has anti-virus software these days. However, anti-virus vendors are faced with 30,000 new viruses everyday so they started creating more generic signatures. These signatures are ill-prepared for the newer viruses that hackers claim are FUD (Fully Un Detectable).

These viruses steal FTP login credentials, send them to a server which carries out the website infection with valid FTP credentials. When “they” upload their infected files, the permissions are set to 777. This makes it easier for them to modify later on if you remove their work the first time.

So, without scanning all PCs with FTP access for viruses, the website is still vulnerable to re-infection.

First, change all FTP passwords. Then, because these viruses also know how to evade detection of the currently installed anti-virus software, it’s recommended to use something different. Many have had good success with AVG, Avast or Avira. Select one of those and use it with Malwarebytes – on every PC with FTP access to the website.

Also, keep in mind that while your specific infection showed the mozgilla.ru domain, many other domains are used as well. The same infectious code, but a different domain.

I just thought I’d share my experience in dealing with this for so many site owners.

]]>