Website Hijinks Part 2

This is part 2, it may make more sense if you start with part one, posted earlier.
Chris Mosby is a fellow moderator over at, and his blog (which I joke about it being a mirror of the SANS ISC) has provided a clue as to what is going on. Not being familiar with Apache I wasn’t sure exactly how an attacker would compromise all websites on a server and add a footer. Chris has posted a SANS Internet Storm Center report from March showing that an attacker if they compromise the server just needs to look in httpd.conf to get a list of the virtual sites. Then it is just a matter of appending exploit code to each of those virtual sites.
What’s funny is that although I read Chris’s blog daily and read the SANS blog daily, I didn’t remember this. A fellow user at powweb did a search and found his article.
Next I went to MSN Search to find sites that link to Google would not find any results for me. I guess they dont include links inside an iframe tag. MSN Search found over 1000 compromised sites. All at PowWeb. It really starts to look like my provider got compromised. Not me.
Hopefully people reading this now understand that you dont get infected by surfing to the seamy underbelly of the web. Not anymore. Its the sites you go to everyday. So you need to stay vigilant. Stay patched. Stay up to date on your antivirus.l