New variant of MPACK hacking
Published August 26, 2008 by Me
I thought these villains had been quiet for too long and then, last night, I happened to notice a support ticket in our queue from a customer claiming that we had hijacked his site, or the server it was on. The ticket had already been pushed up the line to one of our senior techs so I called him up and asked what he had discovered.
“It’s a new MPACK trick,” he told me. Now it seems that instead of inserting iframes and JavaScript into every page they can find on the sites they manage to invade, they’re going for HTACCESS files. Basically they target referrers (typically the big 3 search engines: Google, Yahoo! and MSN), and if a visitor arrives at your site via a link on one of those search engines, the rewrite rules in the HTACCESS file redirect that visitor away to a malware site. Direct visitors, including the site owner, see nothing wrong. And for n00bs who don’t really know (or care?) what an HTACCESS file should look like or contain, they’re inserting 30 to 40 blank lines at the top of the file to convince you that it’s actually empty.
Fortunately this hack is easier to fix than its predecessor, as it usually only involves one file. We now have a stock of standard HTACCESS files for popular scripts like WordPress and Joomla! that we can drop straight in to overwrite the malicious file if anyone else reports this issue.
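A quick check for the pattern described above, before dropping in a stock file: this is an added example and not the host's own tooling. It scans an HTACCESS file for blank-line padding and for a search-engine referrer test paired with an off-site redirect; both sample files and the placeholder redirect host are constructed here.

```python
import re

# Constructed sample mimicking the described hijack: padding, then referrer
# checks for the big search engines followed by an off-site redirect.
# The redirect host is a placeholder, not a real malware site.
SUSPICIOUS = "\n" * 35 + """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.* [NC]
RewriteRule .* http://redirect-host.invalid/ [R,L]
"""

# Constructed stock WordPress-style rules, which a scan must not flag.
BENIGN = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

SEARCH_ENGINES = ("google", "yahoo", "msn")
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
EXTERNAL_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I)

def leading_blank_lines(text):
    """Count empty lines before the first non-blank line (the padding trick)."""
    count = 0
    for line in text.split("\n"):
        if line.strip():
            break
        count += 1
    return count

def analyze_htaccess(text, padding_threshold=10):
    """Return indicators of the referrer-based redirect hijack."""
    lines = text.split("\n")
    conds = [m.group(1) for m in map(REFERER_COND.match, lines) if m]
    engine_conds = [c for c in conds
                    if any(e in c.lower() for e in SEARCH_ENGINES)]
    external = [m.group(1) for m in map(EXTERNAL_RULE.match, lines) if m]
    padding = leading_blank_lines(text)
    return {
        "padding_lines": padding,
        "search_engine_referer_conds": engine_conds,
        "external_redirects": external,
        # Referrer test plus off-site redirect is the real signal;
        # heavy padding on its own is only a secondary hint.
        "suspicious": bool(engine_conds and external),
        "heavily_padded": padding >= padding_threshold,
    }
```

Run it over every .htaccess under the document root and review any file where `suspicious` is true; the `external_redirects` list tells you where visitors were being sent.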
<sigh> I wonder what they’ll think of next? </sigh>
EDIT: After writing this I noticed an article on The Register about what is possibly the result of one of these hacks. It’s worth a read, and thanks to the author, Jesper M. Johansson, for the time he obviously spent researching this.