A few days ago we reported a large scale attack affecting WordPress sites at hosted on 123-reg servers. They were using the domains meqashopperinfo.com and meqashopperonline.ccom to spread the malware. You can read more about it here.
Today, we’re seeing a small variation of this attack. We’re continuing our research, but it seems the attack has spread to another host, and maybe more. The attackers are using meqashoppercom.com to spread the malware and the following javascript gets added to the affected sites (result from our scanner):
Malware is getting loaded from:
http://meqashoppercom.com/kb.php
http://77.78.240.233/index.php?xxx
All the sites we’ve seen so far have the following code added to all PHP files:
eval(base64_decode(“aWYoZnVuY3Rpb….
Here is the malware entry.
Note: The domain meqashoppercom.com (77.78.240.233, 77.78.239.53) IS NOT blacklisted, so it has the potential to infect a very large number of visitors, specifically visitors with outdated AV signatures and definitions.
What’s interesting is that the domain is registered by the same people responsible for the previous attacks at Godaddy, Bluehost, etc: Hillary Kneber:
Registrant Contact:
HardSoft, inc
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
usAdministrative Contact:
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us
The following script should clean up any infection: Sucuri Simple Cleanup Solution
Update 1: Also make sure to remove the file wp-content/wp-indexit.php, which is a backdoor used in this attack. For hosting companies, block the IP: 85.234.191.140
If you need help cleaning up your site, contact us at support@sucuri.net or at http://sucuri.net
Ben Martin
Krasimir Konov
Alycia Mitchell
Pedro Peixoto
Allison Bondi
Rodrigo Escobar
Sucuri Malware Research Team
Ahmad Azizan Idris
2 comments
I’m getting the following log from exploit scanner, is this another version waiting to go live:
wp-admin/wordpress-fix.php:15
Often used to execute malicious code ot; -type f |xargs sed -i ‘s###g’ 2>&a
wp-admin/wordpress-fix.php:15
Used by malicious scripts to decode previously obscured data/programs type f |xargs sed -i ‘s###g’ 2>&1`;
wp-admin/uploader/pclzip.lib.php:2675
Often used to execute malicious code eval(‘$v_result = ‘.$p_options[PCLZIP_CB_P
wp-admin/uploader/pclzip.lib.php:2819
Often used to execute malicious code eval(‘$v_result = ‘.$p_options[PCLZIP_CB_P
wp-admin/uploader/pclzip.lib.php:3716
Often used to execute malicious code eval(‘$v_result = ‘.$p_options[PCLZIP_CB_P
wp-admin/uploader/pclzip.lib.php:3990
Often used to execute malicious code eval(‘$v_result = ‘.$p_options[PCLZIP_CB_P
wp-admin/uploader/pclzip.lib.php:4040
Often used to execute malicious code eval(‘$v_result = ‘.$p_options[PCLZIP_CB_P
wp-admin/uploader/pclzip.lib.php:4116
Often used to execute malicious code eval(‘$v_result = ‘.$p_options[PCLZIP_CB_P
wp-content/plugins/wp-to-twitter/json.class.php:21
Often used to execute malicious code * Javascript, and can be directly eval()’ed with no further parsing
wp-content/plugins/wp-to-twitter/OAuth.php:202
Used by malicious scripts to decode previously obscured data/programs $decoded_sig = base64_decode($signature);
wp-content/plugins/multi-level-navigation-plugin/scripts/superfish.js:11
Often used to execute malicious code eval(function(p,a,c,k,e,r){e=function(c){return(c<
wp-content/plugins/wptouch/js/ajax_upload.js:339
Often used to execute malicious code response = eval("(" + response + ")");
wp-content/plugins/wptouch/js/fancybox_1.2.5.js:12
Often used to execute malicious code ;eval(function(p,a,c,k,e,r){e=function(c){return(c<
wp-content/plugins/wp-copyrightpro/index.php:56
Often used to execute malicious code eval(base64_decode('JGNwcmY9J1puVnVZM1JwYjI0Z1k
wp-content/plugins/wp-copyrightpro/index.php:56
Used by malicious scripts to decode previously obscured data/programs eval(base64_decode('JGNwcmY9J1puVnVZM1JwYjI0Z1kyOXdlWEpwWjJoM
wp-content/plugins/wp-copyrightpro/index.php:95
Often used to execute malicious code eval(base64_decode('ZXZhbChiYXNlNjRfZGVjb2RlKCR
wp-content/plugins/wp-copyrightpro/index.php:95
Used by malicious scripts to decode previously obscured data/programs eval(base64_decode('ZXZhbChiYXNlNjRfZGVjb2RlKCRpbmNfY3JwKSk7&
wp-content/plugins/bitdefender-antispam-for-wordpress/img.php:5
Used by malicious scripts to decode previously obscured data/programs echo base64_decode("R0lGODlhAQABALMAAP8p9////////////////////
wp-content/plugins/antivirus/js/script.js:1
Often used to execute malicious code m=$('#av_template_'+id);if(input){input=eval('('+input+')');if(!input.nonce||input.nonce !=av_nonce){return;}item.addClass('danger');var i=0;var lines=input.data;var len=lines.length;for(i;i<len;i=i+3){var num=parseInt(lines[i])+1;var line=lines[i+1].replace(/@span@/g,'’).replace(/@/span@/g,”);var md5=lines[i+2];var file=item.text();item.append(‘‘+av_msg_1+’‘+av_msg_2+’ ‘+num+’
'+line+'‘);$(‘#’+md5).click(function(){$.post(av_ajax,{‘action’:’get_ajax_response’,’_ajax_nonce’:av_nonce,’_file_md5′:$(this).attr(‘id’),’_action_request’:’update_white_list’},function(input){if(!input){return;}input=eval(‘(‘+input+’)’);if(!input.nonce||input.nonce !=av_nonce){return;}var parent=$(‘#’+input.data[0]).parent();if(parent.parent().children().length=av_files_total){$(‘#av_manual .alert’).text(av_msg_3).fadeIn().fadeOut().fadeIn().fadeOut().fadeIn().animate({opacity:1.0},500).fadeOut(‘slow’,function(){$(this).empty();});}else{check_theme_file(id+1);}});}$(‘#av_manual a.button’).click(function(){$.post(av_ajax,{action:’get_ajax_response’,_ajax_nonce:av_nonce,_action_request:’get_theme_files’},function(input){if(!input){return;}input=eval(‘(‘+input+’)’);if(!input.nowp-content/plugins/wp-security-scan/simplepie.inc:12488
Used by malicious scripts to decode previously obscured data/programs $data = base64_decode($data);
wp-content/plugins/gtranslate/jquery.js:16
Often used to execute malicious code async:false,dataType:”script”}):c.globalEval(b.text||b.textContent||b.innerHTML||””
wp-content/plugins/gtranslate/jquery.js:132
Often used to execute malicious code p;f.indexOf(“javascript”)>=0)c.globalEval(a);return a},param:function(a,b){function d(i,o
wp-content/plugins/wordpress-forms/js/jquery.metadata.min.js:19
Often used to execute malicious code data=”{“+data+”}”;data=eval(“(“+data+”)”);$.data(elem,s
wp-content/plugins/wordpress-forms/js/jquery.metadata.min.js:25
Often used to execute malicious code data=”{“+data+”}”;data=eval(“(“+data+”)”);$.data(elem,s
wp-content/themes/atahualpa/functions/bfa_footer.php:126
Often used to execute malicious code eval(‘?>’.$footer_content);
wp-content/themes/atahualpa/functions/bfa_postinfo.php:593
Often used to execute malicious code eval(‘?>’.$postinfo);
wp-content/themes/atahualpa/functions/bfa_header_config.php:376
Often used to execute malicious code eval(‘?>’.$header_items);
wp-content/themes/atahualpa/options/jscolor/jscolor.js:336
Often used to execute malicious code for(var p in properties) eval(‘e.style.’+p+’ = properties[p]&#
wp-content/themes/atahualpa/functions.php:513
Often used to execute malicious code eval(‘?>’.$center_content);
wp-content/themes/atahualpa/functions.php:531
Often used to execute malicious code eval(‘?>’.$custom_code);
wp-content/themes/producer/js/jush.js:507
Often used to execute malicious code e|is_fault|parse_method_descriptions))|p(?:ath_(?:eval(?:_expression)?|new_context)|tr_(?:eval|new_con
wp-content/themes/producer2/producer/js/jush.js:507
Often used to execute malicious code e|is_fault|parse_method_descriptions))|p(?:ath_(?:eval(?:_expression)?|new_context)|tr_(?:eval|new_con
wp-content/themes/producer3/producer/js/jush.js:507
Often used to execute malicious code e|is_fault|parse_method_descriptions))|p(?:ath_(?:eval(?:_expression)?|new_context)|tr_(?:eval|new_con
It’s the eval base 64 stuff that’s got me concerned 🙁
Comments are closed.