Fixed Hacked Site - PHP ‘injection’
May 7th, 2010
Today a customer called me about a PHP website that was popping up viruses all over the place.
I loaded up the site and there it was, the page was immediately redirected to a spyware / virus type site that tried to convince me to download their software to fix a problem. Since I knew better I carefully answered the browser prompts to make sure I closed out and left the page without opening anything malicious.
Then I went back to the page that had the problem and tried to load it again. But the problem was GONE!
After a bit more investigation I found that the people who wrote the “virus” dropped a cookie on my machine and made sure they allowed me back into the site. I am sure this trick helps them to keep the “virus” on a site for longer because the site administrators may not recognize it as an ongoing problem (or even a problem that their site caused).
In digging I found that each PHP page on the site had some PHP code added to the top of it.
Something like:
<?php eval(base64_decode("asdfasdf......asfdasdfsdf.")); ?>
This was on a single line at the top of the file and even the administrator who had noticed the odd code at the top passed over it not thinking it was malicious.
However, the text inside the “encoded” string was VERY malicious. I decoded it and found several PHP functions and additional encoded strings.
I decided it wasn’t worth figuring out what all they did with the code but instead decided to just clean it up. I assumed that the code probably helped “replicate” itself by checking that ALL other PHP pages on the site also had the same code in them. So if someone removed the code and then the code was run on another page it put itself back where you removed it.
Anyway, it was pretty sophisticated, but it was easy for me to find the problem: I just opened and looked at the PHP file and saw code that shouldn’t have been there.
A cool way that I found where the problem was before even opening the PHP file was to use HttpWatch to see which exact files were downloaded from which site in the browser. I use the free version of the software and it has met all my needs so far. It is similar to Firebug in Firefox.
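The cleanup described in this post can be scripted. The following is an added example, not code from the original post: it assumes the injected code has the shape shown above (a one-statement `eval(base64_decode(...))` PHP block at the very start of each file), the function names are hypothetical, and the sample site it builds is constructed. It cleans every file in a single pass, so no infected page is left behind to put the code back.

```python
import re
import tempfile
from pathlib import Path

# Matches a PHP block at the very start of a file whose only statement is
# eval(base64_decode("...")), the pattern described in the post (assumed shape).
INJECTED = re.compile(
    rb"""\A\s*<\?php\s*eval\s*\(\s*base64_decode\s*\(\s*
         (['"])[A-Za-z0-9+/=\s]+\1\s*\)\s*\)\s*;\s*\?>[ \t]*\r?\n?""",
    re.VERBOSE | re.IGNORECASE,
)

def strip_injection(data: bytes) -> tuple[bytes, bool]:
    """Return (content without the leading injected block, was_infected)."""
    m = INJECTED.match(data)
    return (data[m.end():], True) if m else (data, False)

def scan_tree(root: Path, fix: bool = False) -> list[Path]:
    """List infected *.php files under root. With fix=True, rewrite all of
    them in the same pass so none remains to re-add the code elsewhere."""
    infected = []
    for path in sorted(root.rglob("*.php")):
        cleaned, hit = strip_injection(path.read_bytes())
        if hit:
            infected.append(path)
            if fix:
                path.write_bytes(cleaned)
    return infected

def demo() -> tuple[list[str], list[str], bytes]:
    """Build a constructed sample site, scan and clean it, then rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed payload: the base64 decodes to "constructed sample".
        bad = b'<?php eval(base64_decode("Y29uc3RydWN0ZWQgc2FtcGxl")); ?>\n'
        page = b"<?php echo 'hello'; ?>\n"
        (root / "sub").mkdir()
        (root / "index.php").write_bytes(bad + page)
        (root / "sub" / "contact.php").write_bytes(bad + page)
        (root / "clean.php").write_bytes(page)
        before = [p.relative_to(root).as_posix() for p in scan_tree(root, fix=True)]
        after = [p.relative_to(root).as_posix() for p in scan_tree(root)]
        return before, after, (root / "index.php").read_bytes()

if __name__ == "__main__":
    print(demo())
```

Run it against a copy of the web root first and compare the list of flagged files with what you see by opening them, since a legitimate file will only be flagged if it starts with exactly this kind of block.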
Cannot open PDF Documents with Adobe Reader from Internet Explorer browser
September 9th, 2009
We’ve run into some client machines that have had trouble opening PDF documents from within a browser.
Typically this is because there is an older version of Acrobat or Acrobat Reader that is or was installed on the computer and the browser has some sort of corrupt reference to it.
To correct this problem follow these steps.
- Open up each version of Acrobat Reader or Acrobat that you have on your system.
- Go to Edit -> Preferences -> Internet and make sure the box to Display PDF in browser is unchecked.
- Click OK and close Acrobat or Acrobat Reader. Proceed to the next step once you have done this for all versions.
- Open the latest version of Acrobat Reader
- Go to Edit -> Preferences -> Internet and check the Display PDF in browser box.
- Save and Close Acrobat Reader.
You should now be able to open PDF files from within your browser.
In some cases the error will occur again after an Adobe update to the software. I can’t explain this, but if you uncheck the Display PDF in browser box and save the setting in the MOST RECENT version of Acrobat Reader last, this seems to allow PDF documents to open in the latest Adobe Reader version outside of the browser, which may have some “corrupted” internal mapping to the incorrect version of the older Acrobat version.