Malware update: ssl-verification.net

Quick malware update: The site ssl-verification.net (nice name) is being used to distribute SEO spam and malware (the famous fake AV). We recently wrote about the domain ssl-validation, but it seems that they disabled it and are using ssl-verification instead now.

You can get details of the code being used here: 7ea73e3ac775b52b945d5b45a5abb7ad and b99003ddc4a4815bb82a39cc6af3b452

All the infected sites so far had an encoded piece of PHP code inside their index.php or footer.php (if using WordPress) and a backdoor inside a random PHP file. We found the backdoor and by the analyzing logs, we could find the C&C IP address: 41.190.16.17.

41.190.16.17 – - [20/Oct/2010:03:35:21 -0700] “GET /img/readthat.php HTTP/1.1″ 200 11204 “http://phlks.com/doors/check_all.pl?5″ “Opera/9.80 (Macintosh; Intel Mac OS X; U; ru) Presto/2.2.15 Version/10.10″

What is interesting is that it seems the attackers are using http://phlks.com/doors/check_all.pl to manage their network of infected sites and according to Google, they have more than 4k sites under their control.

The malicious site is hosted at 85.17.213.243, so suggestion for hosting companies: Block this IP.


Having issues with malware? Sign up at http://sucuri.net and we will get it all sorted out.

Scan your website for free:
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.