The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Wednesday, April 15, 2009

Funny, I didn't think the IRS had offices in Russia …

Ah, the Ides of April, otherwise known as Tax Day whereby millions of Americans madly rush to get their tax returns postmarked by 11:59 pm.

And wouldn't you know it, one of the sites we host got hacked and a PHP script installed that would redirect an unsuspecting person to a phishing site, which claims to be the IRS where you can fill in a form to get your government refund.


I could have deleted the PHP redirection script, but there was a chance the crackers would just re-upload the script before I got a chance to find how they got in. The easiest thing to do therefore, was to change ownership of the script to root (the script was owned by the apache user, which leads me to believe that it was an errant PHP script to blame) and the permissions so no one could read the file (in hindsight, it might have been interesting to change the script so it didn't redirect, but basically told the user they fell for a phishing attempt; maybe next time).

That way, the script was disabled, but the crackers wouldn't be able to overwrite it. My feeling was that the crackers in question were giving out a particular link in some spam so they can't just change the location of the script, so they would just have to give up on this server.

I then spent some time figuring out how the PHP script got in there in the first place. It seems that the site in question has a rather popular PHP application that is not only sizeable (around 60,000 lines of code) but one that hasn't been updated in quite a while. Worse, the administration portion of this application was not protected by a password.


The perpetrators in question not only uploaded the redirection PHP script, but another PHP script that allows them to upload other files, list and kill processes, run backdoors and other crackish stuff. That particular script is from a Russian cracking site (because there were links to said site all over that PHP script). And the redirection PHP script would redirect people to a Russian site. And they didn't even bother to try to hide the URL. Sigh.

Obligatory Picture

[It's the most wonderful time of the year!]

Obligatory Contact Info

Obligatory Feeds

Obligatory Links

Obligatory Miscellaneous

You have my permission to link freely to any entry here. Go ahead, I won't bite. I promise.

The dates are the permanent links to that day's entries (or entry, if there is only one entry). The titles are the permanent links to that entry only. The format for the links are simple: Start with the base link for this site:, then add the date you are interested in, say 2000/08/01, so that would make the final URL:

You can also specify the entire month by leaving off the day portion. You can even select an arbitrary portion of time.

You may also note subtle shading of the links and that's intentional: the “closer” the link is (relative to the page) the “brighter” it appears. It's an experiment in using color shading to denote the distance a link is from here. If you don't notice it, don't worry; it's not all that important.

It is assumed that every brand name, slogan, corporate name, symbol, design element, et cetera mentioned in these pages is a protected and/or trademarked entity, the sole property of its owner(s), and acknowledgement of this status is implied.

Copyright © 1999-2022 by Sean Conner. All Rights Reserved.