• Resolved

    iciman (@iciman)

    I have started to get a “XML parsing error” from my website https://www.glamourgrannytravels.com

    W3C Validator says that it is coming from line 195:
    <img heigth="1" width="1" border="0" src="https://imgaaa.net/t.php?id=6744753">

    This is directly after the </rss> line.

    I have no idea how to clear the problem!! Could somebody please explain the problem, how this line got there after the site is over 4 months old and most importantly how to solve it.

    Thank you in advance.

Viewing 11 replies - 31 through 41 (of 41 total)
  • I got hit by this too, here’s some additional info:

    1. This isn’t isolated to filezilla, I use WSFTP Pro
    2. This isn’t isolated to WordPress, I have several static sites that were also infected in index.html. The virus was emplaced anywhere where there is an index.html / index.php file.
    3. I’ve been running AVG and it didn’t prevent the virus installing on my machine, nor did it pick it up on a scan. I ran a scan with malware bytes and it found it straightaway.
    4. I have 7 different hosting accounts. Some I haven’t logged into for months, these were not affected. Every time my ftp client starts it auto logs into 5 accounts, each one of those accounts was infected.

    Steps to take:
    1) remove virus from your machine (prevent further infection)
    2) change ftp passwords (prevent previously obtained passwords from working)
    3) clean out the malicious code (prevent existing code from operating)

    In each case the malicious code was the very last line of code, it is easy to find and delete.

    Oh I should add that I didn’t have my ftp details stored in a text file anywhere on my PC, they were just auto saved within the ftp client, and they were masked.

    The virus somehow reads the log in details direct from your ftp client.
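Step 3 above (clean out the malicious code) is easier to do reliably with a small scanner than by opening every file by hand, since the poster found the injected line in every index.html / index.php across several hosting accounts. The following is an added example, not code from this thread or from WordPress: it walks a web root, checks every index file for a one-pixel <img> whose src points at a host other than your own, and reports whether that tag sits after the document's closing </html> or </rss> (where this hack appended it). The sample web root, the file contents and the OWN_HOSTS value are constructed for the demo; the injected tag is the one quoted at the top of the thread, with the forum's smart quotes replaced by straight quotes.

```python
"""Find hidden off-site tracking images appended to web-root index files.

Added example; it is not code from this thread or from WordPress. It assumes the
pattern the posters describe: a one-pixel <img> pointing at a third-party host,
added as the last line of every index.html / index.php. The sample files are
constructed here for the demo; replace the root and OWN_HOSTS for a real scan.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional
from urllib.parse import urlparse

TERMINAL_TAGS = ("</html>", "</rss>")          # nothing should follow these
INDEX_NAMES = {"index.html", "index.htm", "index.php"}
IMG_TAG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]+)""")

# The injected line quoted in the thread (straight quotes as a file would hold
# them). Note the misspelled attribute "heigth" in the original tag.
INJECTED_LINE = '<img heigth="1" width="1" border="0" src="https://imgaaa.net/t.php?id=6744753">'
CLEAN_HTML = "<html><body><h1>Hello</h1></body></html>\n"
INFECTED_HTML = CLEAN_HTML + INJECTED_LINE + "\n"   # constructed sample


def trailing_content(document: str) -> Optional[str]:
    """Return non-whitespace text after the last </html> or </rss>, else None."""
    lower = document.lower()
    cut = -1
    for tag in TERMINAL_TAGS:
        pos = lower.rfind(tag)
        if pos != -1:
            cut = max(cut, pos + len(tag))
    if cut == -1:
        return None                        # no terminal tag (e.g. a PHP file)
    tail = document[cut:].strip()
    return tail or None


def hidden_offsite_images(fragment: str, own_hosts: set) -> List[str]:
    """Return src URLs of 1x1 <img> tags whose host is not one of ours."""
    hits = []
    for tag in IMG_TAG_RE.findall(fragment):
        attrs: Dict[str, str] = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        # accept the correct spelling and the typo seen in the injected tag
        height = attrs.get("height", attrs.get("heigth"))
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if attrs.get("width") == "1" and height == "1" and host and host not in own_hosts:
            hits.append(src)
    return hits


def scan_file(path: str, own_hosts: set) -> Optional[dict]:
    """Report a file carrying a hidden off-site image and whether it trails the document."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        content = fh.read()
    hits = hidden_offsite_images(content, own_hosts)
    if not hits:
        return None
    tail = trailing_content(content)
    return {"path": path, "sources": hits,
            "appended_after_end": bool(tail and IMG_TAG_RE.search(tail))}


def scan_tree(root: str, own_hosts: set) -> List[dict]:
    """Walk root and scan every index file; the hack touched one per directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in INDEX_NAMES:
                result = scan_file(os.path.join(dirpath, name), own_hosts)
                if result:
                    findings.append(result)
    return findings


def demo() -> List[dict]:
    """Build a constructed web root with one clean and one infected file, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "blog"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write(CLEAN_HTML)
        with open(os.path.join(root, "blog", "index.html"), "w") as fh:
            fh.write(INFECTED_HTML)
        return scan_tree(root, {"www.example.com"})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a fresh download of each site (not the copy your FTP client cached) and treat any hit as a file to restore from a known-good backup rather than to edit in place; the trailing-content check also catches appended code that is not an image tag.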

    Thanks sherwood83 for the detailed analysis.
    So now we have eliminated FileZilla as being a problem.
    I use AVG too and it seems it failed in catching this ftp code.
    It is not related to any host, since we have different hosting companies.
    I don’t think it is a keylogger virus because most of the passwords were copy-pasted once into the FTP program a long time ago.

    I really don’t know how they stole our codes!

    Hi,

    I’ve finally published results of my investigation:
    https://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/

    The article contains detailed information on how the hack works and what exactly it does.

    There are also some detection and clean up instructions at the bottom of the article.

    P.S. I still need some help from webmasters of affected sites. Specifically, stats on how many cached files you have in .log/<domainname> directories and how many visits from Google the malicious .php script has attracted (you can see this in raw access logs). Ballpark numbers are fine.
    You can contact me here https://www.unmaskparasites.com/contact/

    Thank you!

    I think Google should put a quick solution for us webmasters to be able to delete the spammed search result in their directory.

    Here’s the last two weeks statistics (generated by WassUp plugin) for one of my infected websites:
    8685 Visits
    49957 Pageviews
    5.75 Pages/Visits
    2828(5.7%) Spams
    I should note that the daily average visits counter jumped, Saturday 30 April, from 350 to 1400 daily visits!
    I removed the virus and submitted a notification to Google (Webmaster Tools) and on Wednesday 4 May, the visits counter started to go down. Today it’s back to its normal state.
    check the complete graph @ ImageShack

    I guess these stats include visits to legitimate pages?
    It would be interesting to have stats for the malicious .php file only. It redirects real visitors so I doubt the WassUp plugin can account for them.

    What does the “2828(5.7%) Spams” mean?

    The stats include all the website pages.

    The spams are links to the malicious php file; “probably hack attempt!” as WassUp declares.

    Since I deleted the file, all incoming spam gets a 404 error. Here are some of the addresses considered spam:
    [404] /51.php?q=mtss-hall&page=7
    Referrer: https://www.google.com/search?q=raj+shekhar+radiology&ie=UTF-8&oe=UTF-8&hl=en&client=safari
    [404] /wordpress/wp-admin/kevlar-armor&page=6
    Referrer: Direct hit
    [404] /51.php?q=ijiek-jacket&page=3
    Referrer: Direct hit

    Thanks!
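Denis asked above for the number of Google visits the malicious .php script attracted, to be read from raw access logs, and the WassUp listing shows what those hits look like (requests to /51.php?q=... with a Google search referrer, now answered with 404). The following is an added example, not code from this thread or from WassUp: it parses Apache/nginx "combined" format log lines, picks out requests to the doorway script, and breaks them down by status code, by Google referrer, by the injected keyword in q=, and by Googlebot crawler hits. The log lines are constructed to mirror the paths quoted in the thread; the doorway filename pattern (a number followed by .php) follows the 51.php / nn.php names the posters mention.

```python
"""Measure the traffic a doorway script drew, from raw web-server access logs.

Added example, not from the thread or from WassUp. It assumes the Apache/nginx
"combined" log format and a doorway script named <digits>.php as the posters
saw (/51.php); the SAMPLE_LOG lines below are constructed, not real traffic.
"""
import re
import sys
from collections import Counter
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)
DOORWAY_RE = re.compile(r"^/\d+\.php$")          # /51.php and similar
GOOGLE_HOST_RE = re.compile(r"(^|\.)google\.[a-z.]+$")

# Constructed sample lines; paths mirror the ones quoted in the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [03/May/2011:10:01:02 +0000] "GET /51.php?q=mtss-hall&page=7 HTTP/1.1" 200 4321 "https://www.google.com/search?q=raj+shekhar+radiology&ie=UTF-8" "Mozilla/5.0"
203.0.113.6 - - [03/May/2011:10:02:00 +0000] "GET /51.php?q=ijiek-jacket&page=3 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.9 - - [03/May/2011:10:03:15 +0000] "GET /51.php?q=kevlar-armor&page=6 HTTP/1.1" 200 4222 "https://images.google.com/imgres?imgurl=x" "Mozilla/5.0"
203.0.113.7 - - [05/May/2011:08:00:00 +0000] "GET /51.php?q=mtss-hall&page=7 HTTP/1.1" 404 512 "https://www.google.co.uk/search?q=hall" "Mozilla/5.0"
203.0.113.8 - - [05/May/2011:08:01:00 +0000] "GET /about/ HTTP/1.1" 200 9000 "https://www.google.com/search?q=glamour+granny+travels" "Mozilla/5.0"
66.249.66.1 - - [05/May/2011:08:02:00 +0000] "GET /51.php?q=ijiek-jacket&page=3 HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into fields; None if it does not parse."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def is_google_referrer(referrer: str) -> bool:
    """True when the referrer host is a Google property (any country TLD)."""
    host = (urlparse(referrer).hostname or "").lower()
    return bool(GOOGLE_HOST_RE.search(host))


def summarize(lines: List[str]) -> dict:
    """Count doorway requests by status, Google referrer, keyword and crawler."""
    by_status: Counter = Counter()
    keywords: Counter = Counter()
    total = from_google = crawler = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed = urlparse(rec["path"])
        if not DOORWAY_RE.match(parsed.path):
            continue                       # legitimate page, not the doorway
        total += 1
        by_status[rec["status"]] += 1
        if is_google_referrer(rec["referrer"]):
            from_google += 1
        if "Googlebot" in rec["agent"]:
            crawler += 1
        keyword = parse_qs(parsed.query).get("q", [""])[0]
        if keyword:
            keywords[keyword] += 1
    return {"doorway_requests": total, "from_google": from_google,
            "googlebot_hits": crawler, "by_status": dict(by_status),
            "top_keywords": keywords.most_common(5)}


if __name__ == "__main__":
    # Pass a real access log path to summarize it; otherwise run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(summarize(fh.readlines()))
    else:
        print(summarize(SAMPLE_LOG.splitlines()))
```

Watching by_status over time gives the same picture the WassUp graph does: 200s while the script was live, then a long tail of 404s as Google keeps sending visitors to indexed doorway URLs until the listings drop out. The Googlebot count shows how quickly the crawler revisits those URLs, which is what the reconsideration request in Webmaster Tools depends on.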

    So there were 2828 requests to those deleted 51.php pages? Correct?
    Interesting, how many “51.php?q=” pages has Google indexed on your site?

    google says about 205 results.

    WassUp shows the following for the period of the last two months when I select to show stats for Spam:
    163 Visits
    2830 Pageviews
    17.36 Pages/Visits
    2830(100.0%) Spams

    here’s the corresponding graph
    PS: the blue line is for visits (163 visits) and orange is for pageviews (2830 pageviews).

    I had the same problem on two of the sites I run… It seems they were infected back in March, but I have not noticed it until a few days ago. One is a static website which became blocked for Nod32 users last week and after some investigation I found the imgaaa code, did some research and cleaned the codes, which solved the problem fortunately.

    The other one is a WordPress based blog and its wp-admin login page became blocked by Google a few days ago, also due to the imgaaa code, that’s how I realized that it was also infected and I had some additional problems this time:
    First, the code was not in any of wp’s index files. I found it only in an old, unused plain html file, that was still on the ftp (I used that before the site was launched as a ‘coming soon’ preview). However none of the WordPress files were infected, so I did not really understand why the admin section was blacklisted (while the public site itself was not). Anyways, I cleaned the file, removed the thousands of fake files with the log folder and requested a review from Google, which was performed a few hours later and the site was not reported anymore.

    However at the same time, some other problems occurred on the page: you can access the main page (streetartbp.hu), but only that: none of the posts, categories, tags or history as everything gives a ‘page not found’ message. I do not really understand how it is connected to the imgaaa problem, especially as no wp files were changed in any way during the cleaning process, but it happened at the same time and there were no other reasons that could have caused it.

    Does anyone have any idea what could cause this problem, why this was caused by the imgaaa infection and mostly… how to resolve it? I would really appreciate any help. Thanks in advance.

    Someone decrypted the content of one of these nn.php files:
    https://pastie.org/1794541

  • The topic ‘XML parsing error’ is closed to new replies.