Modx and the new gcounter.cn attack

Quick malware update. See all the latest ones here.

We are seeing lately many sites running Modx that are infected with a malware getting loaded from the file /manager/includes/document.parser.class.inc.php.

We don’t know yet how the sites are being hacked, but the interesting thing is that all of them are being “managed” by gcounter.cn (a famous malware site).

Basically a big code is added to the bottom of that file to call gcounter.cn to get what malicious iframe to send to the end user. Gcounter then responds with the proper one to load:

< i frame src=”http://sslsite.in/x/?src=Sirius&id=zerling&o=o” style=”display:none”>


or

< i frame src=”http://freematrix.in/x/?src=Sirius&id=zerling&o=o” style=”display:none”>

or

< i frame src=”http://solid-success.in/x/?src=Sirius&id=zerling&o=o” style=”display:none”>

or

< i frame src=”http://computerengine.in/x/?src=Sirius&id=zerling&o=o” style=”display:none

List of sites being used in this attack:

http://sslsite.in

http://freematrix.in/

http://solid-success.in/

http://basicreader.in/

http://computerengine.in/

http://easyclick.in/

http://enginecollector.in/

http://shieldsearch.in/

http://solidpool.in/

http://auto-booster.in/

http://rapid-debug.in/

http://06.1099hsd.co.cc/

http://06.dsdtsdz.co.cc/

Code decoded: http://sucuri.net/?page=tools&title=blacklist&detail=42d63a94574be7e43de1232cf53cc9be

We will post more details as we learn more about this attack.


If your site is hacked and you need help, visit http://sucuri.net to learn about our malware removal and monitoring plans.

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.