Why me, Psyme?

I noticed something weird going on with our website these past few days. On occasion, my antivirus software, AVG, would detect a virus when I load a page from Palabok.com. I just ignored the warning whenever it came up. I figured it might be one of the embedded pages I have on the website that’s causing the problem or my antivirus software just returning false positives.

But then, Godie from the Corrupted Partition blog left a comment saying the following:

Godie Says:
August 24th, 2007 at 9:06 pm e

This page has an embedded JS/Psyme virus, if your anti-virus didn’t catch it, MAKE A FULL SCAN NOW WITH ANOTHER ANTI-VIRUS

Reading that comment made me worried. It means that it’s just not AVG messing up. After a bit of investigation, I discovered that there was a bit of foreign Javascript code inserted at the bottom of index.php pages in my website!

I copied the unknown code and pasted it into my text editor, saved it and allowed AVG to scan the saved file. AVG reported that the file was indeed infected by the JS/Psyme virus. The little piece of Javascript code was the reason AVG was alerting me to a virus whenever I browse through our own website.

Here is a short description of JS/Psyme as taken from the Sophos website, if you are interested:

Name: JS/Psyme-AN
Type: Trojan
How it spreads: Web browsing
Affected operating systems: Windows
Side effects:
– Downloads code from the internet
– Exploits system or software vulnerabilities

JS/Psyme-AN attempts to load a web page infected with Troj/Psyme-AN by creating a new object element within the current document/HTML page.

For further information please refer to the Troj/Psyme-AN description.

I have since removed the malicious bit of code from our website. The virus should no longer pose a threat to our readers.

Even so, I feel sort of violated by the existence of this virus code in my webpages. I certainly didn’t put it there. So how did the code get there? Did some hacker guess my password and inserted the code in my index.php pages? Was it an insider working for my web host who ran a sort of batch file that inserted the malicious code to all index.php pages hosted there? Did a hacker place the code in the Fantastico installer used by my web host?

Adding in malicious code for a low level trojan isn’t so bad, in my opinion. But if that person could do that, he or she might have accessed more important personal stuff in my hosted space. I’ll definitely investigate further. I don’t want this kind of thing to happen again.

Published in: on August 24, 2007 at 3:15 pm  Comments (1)  

One CommentLeave a comment

  1. Hi Geejay,

    It was probably done using XSS injection through content redirect header on an embedded image from another site.

    This will inject a shell script like the c99 shell into a page include. So far there’s no guaranteed way to stop this but you can avoid it by limiting the image linking as well as the tags filter. I use flash image loader to allow visitors to embed images in my site rather than directly load it from a url, this makes sure the image link can’t contain redirect headers to an XSS script.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: