This morning while traveling into the city, Airbag was hacked by something called NeverEverNoSanity WebWorm generation 17. I'll explain what this is, but first it's time to eat a little crow. With all the hoopla in response to my last post, I assumed that some avid fan had launched an attack. I was wrong, my bad. With all that has happened in the last five days, I think paranoia is setting in.
As for the generation 17 worm, it rewrote every PHP file on this site to display "This site is defaced!!!" in crappy red type on a black background. At least they could have used some CSS to make it look cool.
Thankfully, with the help of some very intelligent friends, we tracked the culprit to a worm that uses Google to find its next victim.
A representative for Google said the company is looking into the issue but had no immediate comment. It seems to have taken some action already, though. Earlier Tuesday, searching for "NeverEverNoSanity" returned some 38,000 results--most of them presumably pages defaced by the worm.
More information was found on Symantec's site, giving more detail on what is affected by the virus:
.ASP .HTM .JSP .PHP .PHTM .SHTM
The worm uses the Google search engine to find potential new infection targets. Google has now implemented blocking Perl.Santy search requests, which is expected to greatly reduce the worm's ability to propagate and lower the risk of further infections.
The solution, apparently, is to reinstall PHP on the server or you can hack an existing build with a solution by Help Net Security. I could not for the life of me tell you how to go about doing all of this but hopefully armed with this knowledge you can avoid being attacked yourself.
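For the cleanup side, here is a small triage scanner that lists which files under a web root carry the defacement text, so you know what to restore from backup. It is an added example, not code from the original post, Symantec or Help Net Security: the marker strings and extension list come from the post, while the function names, the prefix matching of extensions and the 64 KiB read limit are assumptions.

```python
import os
import sys

# Extensions listed in the post, matched as prefixes (assumption), so
# ".htm" also covers ".html" and ".phtm" also covers ".phtml".
TARGET_EXT_PREFIXES = (".asp", ".htm", ".jsp", ".php", ".phtm", ".shtm")

# Marker strings quoted in the post, lower-cased for case-insensitive search.
MARKERS = (b"this site is defaced!!!", b"neverevernosanity")


def is_target(filename):
    """True if the file's extension starts with one of the listed extensions."""
    ext = os.path.splitext(filename)[1].lower()
    return ext.startswith(TARGET_EXT_PREFIXES)


def find_defaced(webroot, max_bytes=64 * 1024):
    """Return sorted paths (relative to webroot) of target files with a marker.

    Only the first max_bytes of each file are read, assuming the defacement
    page is short and replaces the file's original content.
    A hit is a lead to review, not proof: a page that merely discusses the
    worm by name will match as well.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not is_target(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes).lower()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if any(marker in head for marker in MARKERS):
                hits.append(os.path.relpath(path, webroot))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python scan.py /path/to/webroot
    for rel in find_defaced(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(rel)
```

Compare the hits against a known-good backup before restoring, since the scan only finds files that still contain the marker text.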
Now if you will all excuse me I have to try and put all of this site back together while also finishing up some work and shopping before Christmas gets here.
PS Since we're patching holes, if you use Movable Type you might want to upgrade.