All my html and php files on scottnolan.org, blog.scottnolan.org, labelle.org, and wiki.labelle.org have had the following bogus HTML code added to the files:
(I hand recast the real greater than and less than signs so it would not execute)
That means the malware somehow got shell access to my web servers on Dreamhost; I can think of no other reason it would effect all these websites, but not other websites on the same host. I suspect it exploited my ssh keys.
Smart malware.
Update: wrote a script to remove the malware on every html, htm, and php file on the domains listed above; now to restore my Safari settings and change passwords everywhere.
Update 2: turns out the bad folks used scripts to exploit an old, no longer used, but not updated copy of wordpress software to break into my websites. That coupled with my foolishly using the same password for sister websites let them into those as well. Passwords all changed, and deliberately different now; old wordpress versions purged.
Here is my quick and dirty cleanup script:
{ 2 } Comments