Attention! SEO 2.0 Was Spreading Malware

Hello Dear SEO 2.0 Readers!

Unfortunately the SEO 2.0 blog was compromised on April 6th, 2010, along with other sites on my server. The purpose of the attack was to spread malware.

If you visited the SEO 2.0 blog or in the morning or during the daytime of April 6, your computer might have been infected with a trojan.

Have you seen the following error on SEO 2.0?

“Parse error: syntax error, unexpected '<' in /kunden/ on line 1034”

Then your system might have been compromised as well. As itself was infiltrated as well but showed no error message, not seeing the message does not mean your system is clean.

I will try to explain the attack and how you can clean your computer and protect yourself. I am not a computer security expert able to trace the attack completely and explain it very accurately, but I’m Web savvy enough to deal with the attack.

It seems the attack was not made possible by a WordPress security hole.

It seems an ages-old version of FCKeditor on my server was the entry point the attackers exploited to insert the malware code.

  1. The malware code was a piece of JavaScript inserted into all files containing “index” in their names and all files with the .js extension.
  2. The JavaScript code inserted a hidden iframe into my websites.
  3. The hidden iframe executed a script that attacked your browser (here Firefox) via outdated Adobe Reader or Adobe Flash plugins.
  4. It then loaded a trojan onto your computer using those plugins.
  5. The purpose of the trojan was most probably to or to load other malware onto your system.
  6. The trojan might also have been able to steal your passwords, especially FTP passwords, in order to infect your server as well.

What can you do now if you think you might have been a victim of this attack?

  1. Download Malwarebytes’ Anti-Malware and run a scan on your computer. If it is infected, remove the trojan.
  2. Uninstall your Adobe Reader and Adobe Flash plugins. Install the latest versions after the next startup of your browser.
  3. Check your websites for suspicious-looking cryptic JavaScript code, especially in the index and .js files.
  4. Check the timestamps of your files on the FTP server for the most recent modification date and try to remember whether you actually updated anything on that date.
  5. Change your FTP password to make sure nobody can use it without your permission.
  6. Delete or update all outdated software on your server: old CMS versions, counters and other scripts.
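As an added example (not part of the original post), here is a small Python script that does steps 3 and 4 above: it walks a web root, looks only at the files the injection targeted (“index*” and .js), flags lines that look like a hidden iframe or escaped/eval'd JavaScript, and reports anything modified in the last few days. The regexes and the sample site it builds are constructed here for illustration, not taken from the real infection.

```python
import os, re, tempfile, time
from pathlib import Path

# Heuristics for the injection described above (hidden iframe, obfuscated JS); review every hit by hand.
RULES = [
    ("hidden iframe", re.compile(
        r"<iframe[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none"
        r"|(?:width|height)\s*=\s*[\"']?0\b)", re.I)),
    ("obfuscated javascript", re.compile(
        r"(?:eval|unescape|document\.write)\s*\(.{0,40}?"
        r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){6,}", re.I)),
]

def candidate_files(root):
    """Files the injection targeted: any 'index*' file and every .js file."""
    for p in Path(root).rglob("*"):
        if p.is_file() and ("index" in p.name.lower() or p.suffix.lower() == ".js"):
            yield p

def scan_file(path):
    """Return (rule, line_number) for every line that matches a rule."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [(name, n) for n, line in enumerate(fh, 1)
                for name, rx in RULES if rx.search(line)]

def scan_webroot(root, recent_days=3, now=None):
    """Scan candidate files; also flag any modified within recent_days (step 4 above)."""
    now = time.time() if now is None else now
    report = {}
    for p in candidate_files(root):
        hits, recent = scan_file(p), now - os.path.getmtime(p) < recent_days * 86400
        if hits or recent:
            report[p.relative_to(root).as_posix()] = {"hits": hits, "recent": recent}
    return report

def demo():
    """Constructed sample site (not real infected files); returns the scan report."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "index.php": '<iframe src="http://malware.invalid/x" width="0" height="0" style="visibility:hidden"></iframe>\n<?php echo "hi"; ?>\n',
            "js/menu.js": 'var m=1;\neval(unescape("%3C%69%66%72%61%6D%65%20%73"));\n',
            "js/clean.js": "function f() { return 1; }\n",
            "about.html": '<iframe width="0" height="0" src="x"></iframe>\n',  # not a targeted file
        }
        for name, body in files.items():
            Path(root, name).parent.mkdir(parents=True, exist_ok=True)
            Path(root, name).write_text(body)
        old = time.time() - 30 * 86400
        os.utime(Path(root, "js/clean.js"), (old, old))  # untouched for a month
        return scan_webroot(root)
```

Run `scan_webroot("/path/to/webroot")` against a real site; in the demo only the two injected files are reported, the clean month-old script and the untargeted .html file are not.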

For additional info and a deeper understanding of the issue, plus an additional server removal tool, read the following resources: