First of all, let’s look at the hack. At this point I am unsure what exactly caused so many of my files to contain the odmarco string. It looks like quite a few people on DreamHost got hit by this problem, so I am guessing a vulnerable script on one of their servers caused this. Now, I should blame myself as well, because apparently I didn’t take notice of a lot of files in my websites being writable by the server. It’s no excuse, but a lot of the sites that I have are very old sites, where I definitely didn’t pay as much attention to such details as I do now.
Anyway, from a comment on siteadvisor I learned that the script called in the iframe is trying to abuse an exploit in Adobe Acrobat. Though I hate all stuff like this, I hate exploits more than mere referrer spam injection, so I felt I needed to take care of this quickly, even if a lot of the sites are hardly maintained anymore. So I sat down to hack up a little PHP script that would remove the offending string. Why PHP? Simple, it’s the only language I know well enough to hack something like this up in a short time.
After some hacking around I came up with this script. It’s not perfect, but it does the job and it does it well, so I’m happy. Anyone interested, feel free to use this script to clear up the mess in your site. It’s meant to be run from the command line, inside the directory that you want to (recursively) clean. What I did was put it in the homedir on DreamHost, and then go into a directory that needed cleaning and issue the command:
/usr/local/php5/bin/php ../clear_odmarco.php
As you notice, at DreamHost you need to explicitly specify the php5 path because for some reason, the “php” command still defaults to php4. Then I put in a relative path to the clear_odmarco.php file (you could put the full path if you want).
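A cleanup along the lines described above, as an added example rather than the clear_odmarco.php script from this post. It assumes the injection is an iframe element whose tag contains "odmarco" (the post does not show the exact string); the 5 MB size limit and the report categories are choices made for the example.

```php
<?php
// Added example (PHP 7+); not the author's clear_odmarco.php.
// ASSUMPTION: the injection is an <iframe> element whose tag mentions "odmarco".
const MARKER = 'odmarco';
const IFRAME_RE = '~<iframe\b[^>]*odmarco[^>]*>.*?</iframe\s*>~is';
const MAX_BYTES = 5242880; // skip files over 5 MB (limit chosen for this example)

function clean_tree(string $root, bool $apply): array
{
    $report = ['infected' => [], 'unmatched' => [], 'failed' => [], 'world_writable' => []];
    $self = realpath(__FILE__);
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD // keep going past unreadable directories
    );
    foreach ($files as $file) {
        $path = $file->getPathname();
        // Skip symlinks, non-files, oversized files, and this script (it contains the marker).
        if ($file->isLink() || !$file->isFile() || realpath($path) === $self
            || $file->getSize() > MAX_BYTES) {
            continue;
        }
        if (($file->getPerms() & 0002) !== 0) {
            $report['world_writable'][] = $path; // writable by any account: review these
        }
        $data = file_get_contents($path);
        if ($data === false || stripos($data, MARKER) === false) {
            continue;
        }
        $clean = preg_replace(IFRAME_RE, '', $data, -1, $count);
        if ($clean === null || $count === 0 || stripos($clean, MARKER) !== false) {
            $report['unmatched'][] = $path; // marker not (fully) in the assumed form: inspect by hand
        } elseif ($apply && file_put_contents($path, $clean) === false) {
            $report['failed'][] = $path;
        } else {
            $report['infected'][] = $path;
        }
    }
    return $report;
}

// Dry run by default; pass --apply to rewrite files in the current directory tree.
$apply = in_array('--apply', $argv, true);
foreach (clean_tree(getcwd(), $apply) as $kind => $paths) {
    foreach ($paths as $path) {
        echo $kind, "\t", $path, "\n";
    }
}
```

Run it from the directory to be cleaned, the same way as the command above; files listed as unmatched are left untouched so they can be checked by hand.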