It’s taken some time, but as I’m getting a few hits on my website from people searching for information on the malware that was inserted onto my website, I thought I’d make what we’ve found out so far public.
As mentioned already, the malware most obviously installed on the website was reported as Trojan:JS/BlacoleRef.BG and Exploit:Java/CVE-2012-0507.AV. After cleaning these JavaScript rogues off my site several times, they kept coming back (the excellent Sucuri SiteCheck scanner is an invaluable tool here!). The rogue scripts are added to legitimately running JavaScript files and are picked up straight away by Google Chrome (which I use) and Microsoft Security Essentials (which I use at home). It was the fact that I use Chrome which alerted me to the problem in the first place.
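Because the injected code was appended to legitimate script files and kept returning, the practical defensive check is a file-integrity baseline of the web root compared on a schedule. The following is an added example, not code from this post or from any tool it mentions; the web root layout, file names and the injected snippet are all constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the injection typically touches, plus cgi-bin script types,
# since the post also found extra scripts dropped there (assumption).
SCRIPT_PATTERNS = ("*.js", "*.php", "*.html", "*.pl", "*.cgi")


def hash_file(path: Path) -> str:
    """SHA-256 of a file's bytes; any appended script changes the digest."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(webroot: Path, patterns=SCRIPT_PATTERNS) -> dict:
    """Map each script file (path relative to webroot) to its SHA-256.
    Store the result off the server: an attacker with FTP/Plesk access
    could otherwise rewrite the baseline along with the files."""
    baseline = {}
    for pattern in patterns:
        for path in webroot.rglob(pattern):
            if path.is_file():
                baseline[path.relative_to(webroot).as_posix()] = hash_file(path)
    return baseline


def compare_baseline(webroot: Path, baseline: dict, patterns=SCRIPT_PATTERNS) -> dict:
    """Report files that changed, appeared or vanished since the baseline."""
    current = build_baseline(webroot, patterns)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: a clean site.js gets a snippet appended and an
    unexpected script appears in cgi-bin; both should be flagged."""
    root = Path(tempfile.mkdtemp())
    (root / "js").mkdir()
    clean = "function init(){ console.log('site loaded'); }\n"
    (root / "js" / "site.js").write_text(clean)
    baseline = build_baseline(root)                      # taken while clean
    (root / "js" / "site.js").write_text(clean + "(function(){/* constructed injected stub */})();\n")
    (root / "cgi-bin").mkdir()
    (root / "cgi-bin" / "extra.pl").write_text("#!/usr/bin/perl\n# constructed dropped script\n")
    return compare_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Run the comparison from cron with the baseline kept on a separate host; a non-empty "modified" or "added" list on a site that has had no deployments is the signal that the injection is back.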
So, how did the hackers get in? It seems that the security breach was due to the Parallels Plesk Control Panel, which the web server my site is hosted on uses as its web-based interface. I finally tracked down this information from this excellent website, and it’s an interesting read:
It seems that the Plesk vulnerability was compounded by the fact that the password list in Plesk is stored in plain text! This meant that the hackers potentially had access to all the Plesk passwords on the server (including FTP etc.). So, unless all passwords on the server (which may well host multiple sites!) were reset, the hacker could get back in and read all the passwords again! One interesting addition is that we discovered extra scripts in the cgi-bin directory of websites on the server which seem to be similar to other distributed denial of service attack-type scripts.
Anyway, now Plesk is patched and upgraded and all the passwords on the server have been reset, normal service should resume!