Matraex, Inc Blog

Today a customer called me about a PHP website that was popping up viruses all over the place.

I loaded up the site and there it was,  the page was immediately redirected to a spyware / virus type site that tried to convince me to download their software to fix a problem.  Since I knew better I carefully answered the browser prompts to make sure I closed out and left the page without opening anything malicious.
Then I went back to the page that had the problem and tried to load it again.  But the problem was GONE!

After a bit more investigation I found that the people who wrote the “virus” dropped a cookie on my machine and made sure they allowed me back in the site.  I am sure this trick helps them to keep the “virus” on a site for longer because the site administrators may not recognize it as an on going problem (or even a problem that their site caused).

In digging I found that each PHP page on the site had some PHP code added to the top of it.
something like

This was on a single line at the top of the file and even the administrator who had noticed the odd code at the top passed over it not thinking it was malicious.
However,  the text inside the “encoded” string was VERY malicious.  I decoded it and found several PHP functions and additional encoded strings.

I decided it wasn’t worth figuring out what all they did with the code but instead decided to just clean it up.  I assumed that the code probably helped “replicate” itself by checking that ALL other PHP pages on the site also had the same code in them.  So if someone removed the code and then the code was run on another page it put itself back where you removed it.

 Anyway,  pretty sophisticated but it was easy for me to find the problem just opened and looked at the PHP file and saw code that shouldn’t have been there.

A cool way that I found where the problem was before even opening the PHP file was to use HTTPWatch to see which exact files were downloaded from which site in the browser.  I use the free version of the softwar and it has met all my needs so far.  It is similar to firebug in FireFox.

Over the last couple of weeks I have been working on doing some in depth “System Discovery” work for a client.

The client came to us after a major employee restructuring,  during which they lost ALL of the technical knowledge of their network.
The potentially devestating business move on their part turned into a very intriguing challenge for me.

They asked me to come in and document what service each of their 3 Linux servers. 
As I dug in I found that their network had some very unique, intelligent solutions:

• A reliable production network
• Thin Client Linux printing stations,  remotely connected via VPN
• Several Object Oriented PHP based web applications

Several open source products had been combined to create robust solutions

• LAMP (Ubuntu and CentOS)
• CUPS
• Subversion
• PHP, PEAR
• MySQL
• openvpn
• hylafax

It has been a very rewarding experience to document the systems and give ownership of the systems, network and processes back to the owner.

The  documentation I have provided included

• A high level network diagram as a quick reference overview for new administrators and developers
• An overall application and major network, server and node object description
• Detailed per server/node description with connection documentation,  critical processes , important paths and files and dependencies
• Contact Information for the people and companies that the systems rely on.

As a business owner myself,  I have tried to help the client recognize that even when they use an outside consultant,  it is VERY important that they maintain details of their critical business processes INSIDE of their company.  Their might not be anything in business that is as rewarding as giving ownership of a “lost” system back to a client.

Matraex has officially upgraded our web based mail client from Squirrelmail to Roundcube.

Roundcube is a modern mail client utilizing newer technologies for faster and more feature rich mail interaction.  Roundcube runs on our Linux webservers, utilizing Apache, PHP and MySQL.  The software connects to the mail server using the IMAP protocol.

All address book contacts and preferences were imported to Roundcube from Squirellmail at the time of the transition.

As well as updating and implementing their own technologies, Matraex provides server administration, open source production implementation and software customizations to business as a service.

Users with questions about the new mail service or Matraex Consulting Services should contact:

Michael Blood
Matraex, Inc
208.344.1115
www.matraex.com