Those of us that are from the Napster/Geocities era, have witnessed many viruses in the form of perfectly harmless looking MP3s and trojans disguised as Chat programs, but although i’ve heard of them I have never actually seen a Virus within an image file. A JPEG to be more precise.
Our webhost forwarded us an email that contained info from an abuse team about a possible infection on one of our servers. I looked into the contents of the email and the file it referenced was a picture! At first I thought it was a mistake, but when I tried to download it my anti-virus program kicked in saying that sure enough, it was a threat.
I sent it over to my friend James who specialises in Computer Security and he sent me this back;
As you can see, the area that is for EXIF data (such as the camera make and model – the bit on the right) has been replaced with some PHP code, meaning it could potentially be executed (“Run”) and used for malicious purposes such as sending out spam emails or for using our server as part of a DDoS attack on someone else.
James went on to say;
“The code in the file gives the attacker a way to run whatever code they like on the site but putting it in POST data.”
These things occur due to outdated website software, mainly old WordPress plugins/installs and Joomla websites – this one was a Joomla website this time and it was one we inherited from another company.
Fortunately our servers are set up in a manner that does not allow viruses to spread, they are kept within the boundaries of that particular websites files so it cannot cause too much damage but if it is being used for sending spam then it could result in the website becoming blacklisted and that would cause email delivery options for everyone involved.
We have the account suspended currently and are awaiting word back from the customer to find out how they would like to handle the situation. Its most likely going to be expensive no matter what happens, and its a really good wake up call to anyone with a website that doesn’t pay attention to those “Update Now” links they see every time they go in to add or edit content.
We do “Updates Only” maintenance contracts from £75 + VAT per month so there is really no excuse. 🙂